[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

admin at ateamonsite.com admin at ateamonsite.com
Fri Oct 16 13:49:27 MDT 2009


Hence this is why I started this topic, because if you look on the net nine
tutorials out of ten (ok that was a blatant lie, but close to truth) state
that you have to manually set up kerberos.
I think that is ridiculous yet I have been told that I have to do it "in
case" and I say: IN CASE OF WHAT???? And I never get a straight answer, or
one that I can disprove because no examples are given.

So I started this thread...

Please continue on!

:-)



On Fri, 16 Oct 2009 10:15:09 -0600, Robert LeBlanc <robert at leblancnet.us> wrote:
> On Fri, Oct 16, 2009 at 6:27 AM, Matthew J. Salerno <vagabond_king at yahoo.com> wrote:
> 
>> Looking at your post, there doesn't seem to be anything in the krb5.conf
>> file that would make it work. Do you know which setting was the "magic"
>> one? I would be interested to know. We use RID for ID mapping since we
>> only had a few IDs hard coded in our AD and it works fine with a minimal
>> krb5.conf file.
>> ---------------------------------------------------
>>
>> If that's the case, then you should probably be falling back on the
>> template settings.
>> template homedir & template shell
>>
>> All I did was configure my krb5.conf based on the hundreds of
>> wiki/howto/faq's and forum posts I read.  I'm not sure what the "magic"
>> one is, but I know that it works when I do the kinit.
>>
>> What issues are you having?
>>
>>
>> I am not having any issues, Samba is working exactly how I would like it
>> to.
> I'm just really confused by your statement that krb5.conf is required to
> retrieve rfc2307 attributes. What stumps me more is the fact that I really
> don't see anything in your krb5.conf file that is drastically different
> from the defaults or what AD provides using the DNS SRV records. That
> tells me that even if you didn't have a krb5.conf file then it 'should'
> work still. I'm able to kinit against my AD without a krb5.conf file, I
> just can't use the short form and have to use the full form
> ( user at DOMAIN.COM ). So I have a krb5.conf file that sets the default
> realm to use the short version and that's about it. That is why I'm asking
> which setting is the 'magical' setting that worked for you.
> 
> In my experience when I've had Kerberos issues, it wound up being
> something else I did to muck things up and when I went back and cleaned up
> all the changes (there are usually a lot), the issue was something small
> and usually because I did it the wrong way. Most of my issues came from
> hostname, DNS or resolv.conf misconfigurations more than Kerberos
> misconfigurations.
> 
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University

