[Samba] ads: tickets and joins

Chris Stankevitz chrisstankevitz at gmail.com
Mon Apr 25 20:38:19 UTC 2016


I have these questions regarding samba running in ads mode such that
users are authenticated against active directory:

1. What is the role of 'kinit'?

2. How often must 'kinit user at domain.local' be run?

3. What are the consequences of an expired or non-existant klist?

4. Why does "kinit 'DOMAIN\user'" fail but "kinit user at DOMAIN.LOCAL" succeed?

5. With kinit, must I use uppercase characters when specifying DOMAIN

6. When calling kinit, must user at domain.local be a domain admin?

7. What is the role of 'net ads join -U user at domain'?

8. How often must "net ads join -U user at domain" be run?

9. What are the consequences of running samba/ads on a machine that
has not been joined to the domain?

10. When calling "net ads join", must user at domain be a domain admin?

11. How do I go about discovering root cause for this error:

[root at myhost ~]# net ads join -U foo at DOMAIN.LOCAL
Enter csa at DOMAIN.LOCAL's password:
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
Using short domain name -- DOMAIN
Joined 'MYHOST' to dns domain 'domain.local'


My guesses:

A1: To create a kerberos ticket (which prompts Q3)

A7: To join a computer to the domain (which prompts Q9)

A8: Only once -- the result is saved in a file called secrets.tdb


Thank you,


More information about the samba mailing list