[Samba] Forcing Windows Kerberos tickets be used for authentication to a samba share

Thomas Glanzmann thomas at glanzmann.de
Wed May 6 13:54:55 GMT 2009

I used

net ads join createcomputer="OU=Computer,OU=ErlF,OU=UNIX,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net" -W WW004 -U adglth0a

to join a Samba machine to an Active Directory. Now I would like to
configure it in a way that Windows clients use a cifs/hostname Kerberos
ticket to authenticate to the machine. I tried the following settings:

        workgroup = WW004
        netbios name = ad027088pc
        server string = SMB Server
        ; security = DOMAIN
        security = ADS
        encrypt passwords = true
        ; use kerberos keytab = true

        realm = WW004.SIEMENS.NET
        ldap suffix = dc=ww004,dc=glanzmann,dc=net
        ldap ssl = No

        client lanman auth = no
        client ntlmv2 auth = no
        client use spnego = yes

        restrict anonymous = 2

        log level = 2
        preferred master = No
        local master = No
        domain master = No
        os level = 0
        directory mask = 0775
        oplocks = No
        kernel oplocks = No
        level2 oplocks = No
        invalid users = root, broot
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        create mask = 0775
        browseable = No

        comment = All UNIX Home Directories
        browseable = No
        public = No
        writable = Yes

But that didn't help. What is interesting, though, is that when I unjoin the
machine from AD and try to connect, I see, when I list the Windows
Kerberos tickets using "klist tickets", a ticket for the service
principal cifs/hostname even if that service principal is not registered
to any account in the Active Directory at that time.

This is with samba version 2:3.2.5-4lenny2 running on Debian Lenny.
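An added check (not part of the post, and not Samba's own code) for the situation above: it reads "realm" and "netbios name" from an smb.conf fragment like the one quoted, derives the cifs/ and host/ service principals a Windows client would ask for, and reports which of them are absent from a "klist -k" keytab listing. The keytab contents and the DNS domain ww004.glanzmann.net are constructed for the example, and the exact principal name forms (upper-case NetBIOS name, lower-case FQDN) are an assumption about what the join writes.

```python
import re

# Constructed smb.conf fragment, mirroring the settings quoted in the post.
SMB_CONF = """
        netbios name = ad027088pc
        security = ADS
        realm = WW004.SIEMENS.NET
"""

# Constructed `klist -k` listing (hypothetical keytab; the post shows none).
# It deliberately holds only host/ entries, so the cifs/ SPNs are reported missing.
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ad027088pc.ww004.glanzmann.net@WW004.SIEMENS.NET
   3 host/AD027088PC@WW004.SIEMENS.NET
"""


def parse_smb_conf(text):
    """Return a dict of 'key = value' settings, skipping ';' / '#' comments and section headers."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def parse_keytab_listing(text):
    """Collect principal names from `klist -k` output (KVNO column, then principal@REALM)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_principals(settings, dns_domain):
    """SPNs a client may request for this host: cifs/ and host/ for both the short and FQDN names (assumed forms)."""
    realm = settings["realm"].upper()
    short = settings["netbios name"]
    fqdn = f"{short.lower()}.{dns_domain}"
    names = [f"cifs/{short.upper()}", f"cifs/{fqdn}", f"host/{short.upper()}", f"host/{fqdn}"]
    return {f"{n}@{realm}" for n in names}


def missing_keytab_entries(settings, dns_domain, keytab_text):
    """Expected principals the keytab does not hold, sorted for stable reporting."""
    return sorted(expected_principals(settings, dns_domain) - parse_keytab_listing(keytab_text))


if __name__ == "__main__":
    for p in missing_keytab_entries(parse_smb_conf(SMB_CONF), "ww004.glanzmann.net", KEYTAB_LISTING):
        print("missing from keytab:", p)
```

A ticket for a principal that no keytab entry (or machine password) can decrypt is rejected by the server, so a non-empty result explains Kerberos falling back to NTLM for that share.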
