[Samba] ads: tickets and joins

Chris Stankevitz chrisstankevitz at gmail.com
Tue Apr 26 16:06:18 UTC 2016


Rowland,

Thank you.  I read the O'Reilly book chapter 10, but I am still unclear
on the requirements.  If you have an idea for another book/man to
read, please let me know and I will read.

On Mon, Apr 25, 2016 at 11:48 PM, Rowland penny <rpenny at samba.org> wrote:
> You may however run 'kinit user@DOMAIN.TLD' to ensure there is a Kerberos
> ticket before doing something that requires authentication.

Please consider this use case:

$ grep -e security -e username\ map /etc/samba/smb.conf

username map = /etc/samba/DomainToLocalMapping.txt
security = ads

$ grep cstankevitz /etc/samba/DomainToLocalMapping.txt
cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz

A Linux client connects to the samba server and specifies a username
of "DOMAIN\cstankevitz" and a password that matches the password
stored on a Microsoft Windows AD Server.


12. Does the use case above require someone to run kinit on the samba
server before the client attempts a connection?

If yes:

12a. Will the ticket supplied by kinit expire?

12b. Does kinit need to be run periodically?  e.g. when the ticket
expires or when the computer reboots?

12c. Which username should I provide to kinit for this use case?
Should it have any particular privilege?

12d. If kinit has not been properly run, what specifically will fail
and what specifically will be shown in a verbose samba log?

>> 9. What are the consequences of running samba/ads on a machine that
>> has not been joined to the domain?
>
>
> About the same as running windows on a computer that isn't joined to the
> domain.

13. Does my use case above require the samba computer to be joined to
the windows domain?

If yes:

13a. If the samba computer has not been joined to the domain, what
specifically will fail and what specifically will be shown in a
verbose samba log?

> Find out why you do not have /usr/lib64/samba/ldb

Thank you.  I'm embarrassed that I didn't see that.

Thank you again,

Chris


