[Samba] kerberos configuration in samba
Ralf Hornik Mailings
ralf at best.homeunix.org
Wed Dec 16 03:34:10 MST 2009
Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:
> - I guess I don't need to do kinit manually if I am using "net ads
> join" command, right?
kinit is a good tool for testing a Kerberos workstation, or when doing
local GSSAPI authentication. It is not needed for Samba. In your smb.conf
you have to set the realm unless your local domain name matches the
realm name (in lower case).
> - Does samba use SRV records for anything else other than finding out domain
> controller names? If not, I can do away without them by writing manual
> entries in /etc/krb5.conf. I will be using DNS, but no SRV records.
When using no SRV records you have to set only the domain controllers
in smb.conf. The other stuff (domain name, ...) is NetBIOS related and
does not use DNS. Additionally, the realm name in smb.conf must match
a configuration in krb5.conf.
> - I found that even when no SRV records are present and wrong (invalid hosts)
> IP addresses configured for domain controllers (in smb.conf and
> /etc/krb5.conf), I am still able to join the domain. I am not sure if
> there is any component which actually does broadcasting and finds out if
> any domain controller present using this fallback method?
Samba version 3 can act as a Windows NT/200* member server or as an NT4
domain controller (CMIIW). As a member server (your config) it uses RPC
and/or SMB to join a domain. Kerberos is used by Samba to do any local
authentication, e.g. getting a shell or accessing network shares, by
winbind for example, or PAM.
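
The realm agreement described in the reply above, as an added example that is not part of the original post: a Python check that the realm set in smb.conf has a [realms] entry in krb5.conf with explicit kdc lines, which the no-SRV setup in this thread relies on. The sample files, the host name and the strict case-sensitive comparison are assumptions of this example.

```python
# Constructed sample files for illustration (not from the thread).
SMB_CONF = "[global]\n  security = ads\n  realm = EXAMPLE.TEST\n"
KRB5_CONF = (
    "[libdefaults]\n  default_realm = EXAMPLE.TEST\n"
    "[realms]\n  EXAMPLE.TEST = {\n    kdc = dc1.example.test\n  }\n"
)

def _entries(text):
    # Yield (line, key, value) for each non-blank, non-comment line.
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            key, _, val = (p.strip() for p in line.partition("="))
            yield line, key, val

def smb_realm(text):
    """Return the 'realm' value from [global] in smb.conf text, or None."""
    section = None
    for line, key, val in _entries(text):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and key.lower() == "realm" and val:
            return val
    return None

def krb5_realms(text):
    """Map each realm under [realms] to its kdc hosts (nested blocks not handled)."""
    realms, section, current = {}, None, None
    for line, key, val in _entries(text):
        if line.startswith("["):
            section, current = line.strip("[]").lower(), None
        elif section == "realms" and val == "{":
            current = key
            realms[current] = []
        elif line == "}":
            current = None
        elif current and key == "kdc":
            realms[current].append(val)
    return realms

def check(smb_text, krb_text):
    """Return a list of problems; an empty list means the settings agree."""
    realm, realms = smb_realm(smb_text), krb5_realms(krb_text)
    if realm is None:
        return ["smb.conf: no realm in [global]"]
    if realm not in realms:  # assumption: strict, case-sensitive match
        return [f"krb5.conf: no [realms] entry for {realm}"]
    if not realms[realm]:  # without SRV records the KDCs must be listed
        return [f"krb5.conf: realm {realm} lists no kdc"]
    return []
```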