[Samba] Kerberos5 ticket renewal & 'net ads join' w/o authentication

Philipoff, Andrew aphilipoff at medicine.ucsf.edu
Thu Oct 28 17:58:12 MDT 2010


> Hello,
> 
> I have two issues with Kerberos administration using Samba and this results
> from my lack of familiarity with it. I am hoping someone can point me in the
> right direction.
> 
> The first issue is with automatically renewing the Kerberos tickets. The
> second issue deals with my having to authenticate each time I attempt to join
> an AD domain. The Samba documentation indicates that I should *not* have
> to authenticate when holding a valid Kerberos ticket. When I join an AD
> domain using administrator credentials, I can basically administer a Samba
> server well. 'getent passwd' and 'getent group' work as expected.
> 
> I'm running FreeBSD 8.1 using Samba 3.4.9 and using the base Heimdal.
> The AD domain is a W2K3 domain in mixed mode.
> 
> I basically used the information from this link listed below to build the
> configuration files listed below:
> 
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> 
> I also looked at several other sources such as :
> 
> http://www.freebsd.org/doc/handbook/kerberos5.html
> 
> The bottom line is that I'd like to receive a Kerberos ticket using proper
> authentication and use it to execute the 'net ads join' command without
> authentication and then continue to renew the ticket automatically.
> 
> Now, what changes do I need to do in order to 1) automatically renew
> Kerberos tickets and 2) be able to execute the 'net ads join' command
> without supplying a password?
> 
> Any pointers/assistance would be greatly appreciated! If I've left out
> relevant information, please don't hesitate to let me know.
> 
> ~Doug

Doug,

To address the Kerberos ticket issue, on my RHEL 5.5 servers, I enabled "use Kerberos keytab" in my smb.conf:

1. Edit your smb.conf, add "use kerberos keytab = YES"
Run testparm
Restart Samba

2. Create a Kerberos keytab in the location that is defined in your krb5.conf file. Mine has "default_keytab_name = FILE:/etc/krb5.keytab" in the [libdefaults] section:
net ads keytab create

3. Verify the contents of the Kerberos keytab file:
klist -ke

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)

However I do not know how to enable the execution of the 'net ads join' command without supplying a password.

Regards,

Andrew Philipoff
Infrastructure Coordinator
UCSF Department of Medicine - IT Services
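The keytab verification step in the reply above ends at eyeballing `klist -ke`. The following is an added example (not part of the original thread and not Samba or Heimdal code) that turns that check into something a script can assert on: it reads MIT-style `klist -ke` output on stdin, reports the newest key version, counts entries that still carry single-DES enctypes (the `DES cbc mode` lines visible in the listing, which are deprecated and should be disabled on the machine account once nothing needs them), counts left-over entries below the latest KVNO, and confirms that a given principal has a key at the current KVNO. The function names and the sample listing are mine; the sample is constructed to mirror the shape of the reply's output and is not captured from a real server. Heimdal's `klist` prints a different layout, so on FreeBSD the awk patterns would need adjusting.

```shell
#!/bin/sh
# Added example: sanity checks over `klist -ke` output. Every function reads
# the listing on stdin, so it can be fed the constructed sample below or a
# live run:  klist -ke | keytab_report
# Assumes MIT-style klist output (KVNO column, principal, enctype in
# parentheses), as on RHEL. Not from the original post.

# Constructed sample modelled on the listing in the reply (not real output).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)'

# Highest key version number in the listing. Entries below it are left over
# from an earlier join or machine-password change.
latest_kvno() {
    awk 'BEGIN { max = 0 }
         /^ *[0-9]+ / { if ($1 + 0 > max) max = $1 + 0 }
         END { print max }'
}

# Number of entries whose key uses a single-DES enctype. These are the
# deprecated 56-bit types; the KDC should not be offering them at all.
count_weak_enctypes() {
    awk 'BEGIN { n = 0 }
         /^ *[0-9]+ / && /DES cbc mode/ { n++ }
         END { print n }'
}

# Number of entries older than the latest KVNO (stale keys).
count_stale_entries() {
    awk 'BEGIN { max = 0 }
         /^ *[0-9]+ / { kv[NR] = $1 + 0; if (kv[NR] > max) max = kv[NR] }
         END { n = 0; for (i in kv) if (kv[i] < max) n++; print n }'
}

# Exit 0 if the principal given as $1 has a key at the latest KVNO, else 1.
# Usage: klist -ke | has_current_key 'host/server1.domain.forest.org@DOMAIN.FOREST.ORG'
has_current_key() {
    awk -v p="$1" 'BEGIN { max = 0 }
        /^ *[0-9]+ / { kv[NR] = $1 + 0; pr[NR] = $2; if (kv[NR] > max) max = kv[NR] }
        END { for (i in kv) if (pr[i] == p && kv[i] == max) exit 0; exit 1 }'
}

# One-line summary, suitable for a cron job or a configuration audit.
keytab_report() {
    listing=$(cat)
    printf 'latest kvno=%s  weak(DES) entries=%s  stale entries=%s\n' \
        "$(printf '%s\n' "$listing" | latest_kvno)" \
        "$(printf '%s\n' "$listing" | count_weak_enctypes)" \
        "$(printf '%s\n' "$listing" | count_stale_entries)"
}

# To run on the constructed sample:
#   printf '%s\n' "$SAMPLE_KLIST" | keytab_report
```

On the sample this reports a latest KVNO of 4, twelve DES entries and nine stale KVNO 3 entries. A keytab with two KVNOs is normal right after a re-join; the DES count is the item worth acting on, since the machine account in AD decides which enctypes get issued and the keytab only mirrors that.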
