[Samba] ads: tickets and joins
Chris Stankevitz
chrisstankevitz at gmail.com
Mon Apr 25 20:38:19 UTC 2016
Hello,
I have these questions regarding samba running in ads mode such that
users are authenticated against active directory:
1. What is the role of 'kinit'?
2. How often must 'kinit user@domain.local' be run?
3. What are the consequences of an expired or non-existent klist?
4. Why does "kinit 'DOMAIN\user'" fail but "kinit user@DOMAIN.LOCAL" succeed?
5. With kinit, must I use uppercase characters when specifying DOMAIN
or DOMAIN.LOCAL?
6. When calling kinit, must user@domain.local be a domain admin?
7. What is the role of 'net ads join -U user@domain'?
8. How often must "net ads join -U user@domain" be run?
9. What are the consequences of running samba/ads on a machine that
has not been joined to the domain?
10. When calling "net ads join", must user@domain be a domain admin?
11. How do I go about discovering root cause for this error:
[root@myhost ~]# net ads join -U foo@DOMAIN.LOCAL
Enter csa@DOMAIN.LOCAL's password:
ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
Using short domain name -- DOMAIN
Joined 'MYHOST' to dns domain 'domain.local'
DNS update failed: NT_STATUS_INVALID_PARAMETER
===
My guesses:
A1: To create a kerberos ticket (which prompts Q3)
A7: To join a computer to the domain (which prompts Q9)
A8: Only once -- the result is saved in a file called secrets.tdb
===
Thank you,
Chris