[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

Robert LeBlanc robert at leblancnet.us
Fri Oct 16 10:15:09 MDT 2009

On Fri, Oct 16, 2009 at 6:27 AM, Matthew J. Salerno <vagabond_king at yahoo.com> wrote:

> Looking at your post, there doesn't seem to be anything in the krb5.conf
> file that would make it work. Do you know which setting was the "magic" one?
> I would be interested to know. We use RID for ID mapping since we only had a
> few ID hard coded in our AD and it works fine with a minimal krb5.conf file.
> ---------------------------------------------------
> If that's the case, then you should probably be falling back on the
> template settings.
> template homedir & template shell
> All I did was configure my krb5.conf based on the hundreds of
> wiki/howto/faq's and forum posts I read.  I'm not sure what the "magic" one
> is, but I know that it works when I do the kinit.
> What issues are you having?

I am not having any issues, Samba is working exactly how I would like it to.
I'm just really confused by your statement that krb5.conf is required to
retrieve rfc2307 attributes. What stumps me more is the fact that I really
don't see anything in your krb5.conf file that is drastically different from
the defaults or what AD provides using the DNS SRV records. That tells me
that even if you didn't have a krb5.conf file then it 'should' work still.
I'm able to kinit against my AD without a krb5.conf file, I just can't use
the short form and have to use the full form ( user at DOMAIN.COM ). So I have
a krb5.conf file that sets the default realm to use the short version and
that's about it. That is why I'm asking which setting is the 'magical'
setting that worked for you.

In my experience when I've had Kerberos issues, it wound up being something
else I did to muck things up and when I went back and cleaned up all the
changes (there are usually a lot), the issue was something small and usually
because I did it the wrong way. Most of my issues came from hostname, DNS or
resolv.conf misconfigurations more than Kerberos misconfigurations.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
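
The three trouble spots named in the message above (hostname, DNS, resolv.conf) can be checked before touching krb5.conf. The following is an added example, not part of the original post: the function names, the sample addresses and the assumption that only the AD DNS servers answer the realm's SRV records are all hypothetical.

```python
"""Offline pre-flight for a Samba AD member: hostname, resolv.conf, realm."""

# Constructed sample inputs (not from the thread).
GOOD = "search example.com\nnameserver 192.0.2.10\n"
BAD = "# leftover from DHCP\nnameserver 198.51.100.53\n"


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf content."""
    nameservers, search = [], []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then tokenize on whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(line) < 2:
            continue
        if line[0] == "nameserver":
            nameservers.append(line[1])
        elif line[0] in ("search", "domain"):
            search = [d.lower().rstrip(".") for d in line[1:]]
    return nameservers, search


def preflight(realm, fqdn, resolv_text, ad_dns_servers):
    """List findings that commonly break realm discovery via DNS SRV."""
    domain = realm.lower()
    findings = []
    nameservers, search = parse_resolv_conf(resolv_text)
    if "." not in fqdn:
        findings.append("hostname is not fully qualified")
    elif not fqdn.lower().endswith("." + domain):
        findings.append("hostname is outside the AD DNS domain")
    if not nameservers:
        findings.append("resolv.conf has no nameserver")
    elif not set(nameservers) <= set(ad_dns_servers):
        # Assumption: resolvers outside this list may not serve the AD SRV records.
        findings.append("resolv.conf uses a resolver that is not an AD DNS server")
    if domain not in search:
        findings.append("AD DNS domain missing from search list")
    # Second value is the SRV name to query next (e.g. with dig or host).
    return findings, "_kerberos._tcp." + domain
```

An empty findings list means the next step is to query the returned SRV name against the configured resolver; only if that lookup fails is a hand-written krb5.conf worth considering.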
