[Samba] AD-Integration of Samba4 AD DC machine itself?

Sven Geggus lists at fuchsschwanzdomain.de
Wed Mar 12 11:04:55 MDT 2014

Rowland Penny <rowlandpenny at googlemail.com> wrote:

>> 3. add "kerberos method = system keytab" to /etc/samba/smb.conf
> Why???

Because nss-ldapd or sssd will not work without a system keytab.

>> Furthermore, which tool can I use to duplicate the "MACHINE$@REALM"
>> prinzipal of my DC to the Unix style name style host/machine at REALM?
> Again, why?

Because services like ssh will need these kinds of service principal. It
might be possible to make them use MACHINE$@REALM instead, but the default
would be host/machine.fqdn at REALM.

On the machines I joined using "kerberos method = system keytab" I typically
have 3 kinds of names for the same encryption keys:
host/machine.fqdn at REALM
host/machine at REALM

> do you do this with a windows AD server?

Yes, I actually the host/machine.fqdn at REALM version on my setup with the
Windows AD-Server.

Using the Samba AD DC nslcd needs to use MACHINE$@REALM for authentification.
host/machine.fqdn at REALM does not work.



Der "normale Bürger" ist nicht an der TU Dresden und schreibt auch
nicht mit mutt. (Ulli Kuhnle in de.comp.os.unix.discussion)

/me is giggls at ircnet, http://sven.gegg.us/ on the Web

More information about the samba mailing list