[Samba] ads: tickets and joins

Rowland penny rpenny at samba.org
Tue Apr 26 06:48:35 UTC 2016


On 25/04/16 21:38, Chris Stankevitz wrote:
> Hello,
>
> I have these questions regarding samba running in ads mode such that
> users are authenticated against active directory:
>
> 1. What is the role of 'kinit'?

Basically to create a kerberos ticket for a user

>
> 2. How often must 'kinit user@domain.local' be run?

If you take my advice, never, you shouldn't be using a .local domain.
You may however run 'kinit user@DOMAIN.TLD' to ensure there is a 
kerberos ticket before doing something that requires authentication.

>
> 3. What are the consequences of an expired or non-existent klist?

You cannot do, whatever it was you tried to do, if it required 
authentication.

>
> 4. Why does "kinit 'DOMAIN\user'" fail but "kinit user@DOMAIN.LOCAL" succeed?

Because the first is a username and the second is a UPN (user principal 
name)

>
> 5. With kinit, must I use uppercase characters when specifying DOMAIN
> or DOMAIN.LOCAL?

Uppercase

> 6. When calling kinit, must user@domain.local be a domain admin?

No, all users can get a ticket

>
> 7. What is the role of 'net ads join -U user@domain'?

It is used to join a Unix computer to a domain.

>
> 8. How often must "net ads join -U user@domain" be run?

Whenever you want to join a Unix computer to a domain.

> 9. What are the consequences of running samba/ads on a machine that
> has not been joined to the domain?

About the same as running windows on a computer that isn't joined to the 
domain.

>
> 10. When calling "net ads join", must user@domain be a domain admin?

No, a normal user can join as long as they have the 
'SeMachineAccountPrivilege'

>
> 11. How do I go about discovering root cause for this error:
>
> [root@myhost ~]# net ads join -U foo@DOMAIN.LOCAL
> Enter csa@DOMAIN.LOCAL's password:
> ldb: unable to stat module /usr/lib64/samba/ldb : No such file or directory
> Using short domain name -- DOMAIN
> Joined 'MYHOST' to dns domain 'domain.local'
> DNS update failed: NT_STATUS_INVALID_PARAMETER
>
>
> ===

Find out why you do not have /usr/lib64/samba/ldb

Rowland

> My guesses:
>
> A1: To create a kerberos ticket (which prompts Q3)
>
> A7: To join a computer to the domain (which prompts Q9)
>
> A8: Only once -- the result is saved in a file called secrets.tdb
>
> ===
>
> Thank you,
>
> Chris
>

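The thread's answers to Q2 and Q3 (get a ticket before an operation that needs authentication; an expired or missing ticket means the operation fails) and Q5 (the realm in the UPN is uppercase) can be turned into a pre-flight check. The following is an added example, not code from the Samba project or from either poster; it assumes the MIT Kerberos `klist` output layout and uses a constructed ticket cache listing so it runs offline.

```python
"""Pre-flight check of a Kerberos ticket cache before an authenticated
Samba operation such as `net ads ...`. Added example; assumes MIT-style
`klist` output. The sample listing below is constructed, not captured."""
import re
from datetime import datetime

# Constructed sample of `klist` output: a TGT plus one service ticket.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: foo@DOMAIN.TLD

Valid starting       Expires              Service principal
04/26/2016 06:00:00  04/26/2016 16:00:00  krbtgt/DOMAIN.TLD@DOMAIN.TLD
04/26/2016 06:01:12  04/26/2016 16:00:00  cifs/dc1.domain.tld@DOMAIN.TLD
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# One ticket line: start time, expiry time, service principal.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)

def parse_time(text: str) -> datetime:
    """Parse a timestamp in the klist layout used above."""
    return datetime.strptime(text, TIME_FMT)

def upn(user: str, realm: str) -> str:
    """Build the principal kinit expects: user@REALM, realm uppercased (Q4/Q5)."""
    return f"{user}@{realm.upper()}"

def parse_tickets(klist_output: str) -> list:
    """Return the ticket lines of a klist listing as dicts; header lines are skipped."""
    tickets = []
    for line in klist_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tickets.append({"start": parse_time(m.group(1)),
                            "expires": parse_time(m.group(2)),
                            "service": m.group(3)})
    return tickets

def tgt_valid(klist_output: str, realm: str, now: datetime) -> bool:
    """True if the cache holds a TGT for REALM that is valid at `now` (Q2/Q3)."""
    realm = realm.upper()
    wanted = f"krbtgt/{realm}@{realm}"
    return any(t["service"] == wanted and t["start"] <= now < t["expires"]
               for t in parse_tickets(klist_output))
```

In practice the listing would come from running `klist` and `now` from `datetime.now()`; if `tgt_valid` is false, run `kinit` with the principal from `upn()` before the `net ads` command.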