[Samba] ads: tickets and joins
Sketch
smblist at rednsx.org
Tue Apr 26 13:53:40 UTC 2016
Just to expand on a couple of Rowland's answers...
On Tue, 26 Apr 2016, Rowland Penny wrote:
> On 25/04/16 21:38, Chris Stankevitz wrote:
>>
>> 2. How often must 'kinit user@domain.local' be run?
>
> If you take my advice, never, you shouldn't be using a .local domain.
> You may however run 'kinit user@DOMAIN.TLD' to ensure there is a Kerberos
> ticket before doing something that requires authentication.
>> 5. With kinit, must I use uppercase characters when specifying DOMAIN
>> or DOMAIN.LOCAL?
>
> Uppercase
The reason it's uppercase is because you are specifying the Kerberos
realm, not the domain. Domain names are lowercase, but realms are
uppercase. The two are usually the same, other than case. Note that if
your /etc/krb5.conf is configured with your realm as the default_realm,
you don't need to specify @REALM at all; 'kinit user' alone will do.
>> 8. How often must "net ads join -U user@domain" be run?
>
> Whenever you want to join a Unix computer to a domain.
Normally, this is only once, as you correctly guessed.
>> 10. When calling "net ads join", must user@domain be a domain admin?
>
> No, a normal user can join as long as they have the
> 'SeMachineAccountPrivilege'
Note that only domain admins have this privilege by default.
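
The realm and default_realm points above, as an added example that is not part of the original post: a shell helper that works out which principal 'kinit <arg>' would request and flags a realm that is not uppercase. The function names, the EXAMPLE.TLD realm and the sample krb5.conf are constructed; it assumes a plain "default_realm = X" line in [libdefaults] and ignores include directives and KRB5_CONFIG.

```shell
# Constructed example: print default_realm from [libdefaults] of a krb5.conf file.
default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the principal that "kinit <arg>" would request.
# $1 = argument typed after kinit, $2 = path to krb5.conf
# Returns 1 if no realm can be determined, 2 if the realm is not uppercase.
kinit_principal() {
    case "$1" in
        *@*) user=${1%@*}; realm=${1##*@} ;;
        *)   user=$1; realm=$(default_realm "$2") ;;
    esac
    [ -n "$realm" ] || { echo "no realm given and no default_realm set" >&2; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm '$realm' is not uppercase; did you mean $user@$upper?" >&2
        return 2
    fi
    printf '%s@%s\n' "$user" "$realm"
}

# Stand-alone run against a constructed krb5.conf.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TLD
    dns_lookup_kdc = true
EOF
kinit_principal alice "$conf"                       # realm taken from default_realm
kinit_principal alice@example.tld "$conf" || true   # lowercase realm is flagged
rm -f "$conf"
```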