[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

admin at ateamonsite.com admin at ateamonsite.com
Wed Oct 14 17:03:43 MDT 2009

Hi folks,

In a scenario where you are just joining samba to an existing Windows 2003
AD as a member server, I have been told that in some unknown/unsubscribed
conditions you need to manually set up kerberos and use kinit
before joining the active directory with net ads join.

I personally think this is untrue because, from what I understand about
samba joining a domain, the samba/winbind/net ads join command
automatically uses kerberos libraries to autogenerate its tickets upon a
successful domain join.
Additionally, AFAIK tickets are refreshed by winbind automatically, so you
really never need to run kinit or set up krb5.conf if you use samba to join
the AD as a domain member server.

Could someone please clarify this so I can make this myth go away? Could I
be wrong? Is there a special circumstance where this applies that I don't
know about? Some magic non-default active directory configuration that
insists kerberos be set up differently than samba can muster to do?

