[Samba] Can SAMBA make a kerberos keytab on Solaris 10?

Rob LaRose robl at imaginaryforces.com
Wed Mar 18 21:17:41 GMT 2009

Hi Edward,

	Thanks for the link.  Creating a computer account & keytab on the  
Windows side and copying it back to the Solaris works for my other  
services (ssh, etc.) but net ads join clobbers the existing account  
and creates a new one which no longer matches the keytab.  Is there a  
way to get samba / net ads join to just use the existing kerberos  
setup / keytab and NOT try to create a new account?


On Mar 18, 2009, at 4:56 PM, Edward Irvine wrote:

> Rob,
>> Hi Samba people!
>> 	I'm trying to use SAMBA (the version included with Solaris 10)  
>> with an AD.
>> 	NET ADS JOIN works like a charm to create a computer object in the  
>> AD for the solaris machine, and SAMBA users are authenticating  
>> without a problem.  This is good.  HOWEVER -- I also need other  
>> protocols (including ssh and Xinet KA-Share) to authenticate users.
>> 	As I understand it, SAMBA uses kerberos to authenticate against  
>> AD, so as long as everyone is using the same keytab file, I'd  
>> expect all to be well.  However, I find that when I do net ads join  
>> it doesn't create or modify a keytab file that I can find.  I have  
>> use kerberos keytab = true in my smb.conf file, but I can't see  
>> that it actually does anything.
>> 	Can anyone steer me in the right direction here?  I've been  
>> chasing this for over a month.
> The following is a little dated. But see the section in http://users.tpg.com.au/adsl95uc/gssapi-sol10/ 
>  that refers to "Windows Active Directory". This is how you get a  
> vailid /etc/krb5/krb5.keytab file onto your Solaris machine.
> Not that you don't *have* to have a krb5.keytab file on your Solaris  
> Servers to authenticate users, unless you want to do single sign on.
> If you just want to have same sign on (same username, same password)  
> then all the PAM stack needs is a correctly configured /etc/krb5/ 
> krb5.conf file.
> There is a section about building your own PAM/OpenSSH/Kerberos  
> stack which you may be able to ignore.
>> --Rob
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list