[Samba] ads: tickets and joins

Rowland penny rpenny at samba.org
Tue Apr 26 17:33:04 UTC 2016

On 26/04/16 17:06, Chris Stankevitz wrote:
> Rowland,
> Thank you.  I read the Oreilly book chapter 10, but I am still unclear
> on the requirements.  If you have an idea for another book/man to
> read, please let me know and I will read.
> On Mon, Apr 25, 2016 at 11:48 PM, Rowland penny <rpenny at samba.org> wrote:
>> You may however run 'kinit user at DOMAIN.TLD' to ensure there is a kerberos
>> ticket before doing something that requires authentication.
> Please consider this use case:
> $ grep -e security -e username\ map /etc/samba/smb.conf
> username map = /etc/samba/DomainToLocalMapping.txt
> security = ads
> $ grep cstankevitz /etc/samba/DomainToLocalMapping.txt
> cstankevitz = DOMAIN.TLD\cstankevitz DOMAIN\cstankevitz
> A linux client connects to the samba server and specifies a username
> of "DOMAIN\cstankevitz" and a password that matches the password
> stored on a Microsoft Windows AD Server.

I would suggest you stop using the username map for this, if a user 
exists in AD and the user logins into a Unix machine that is joined to 
the domain, then the user *shouldn't* exist in /etc/passwd

Can I suggest you browse the Samba wiki: 

> 12. Does the use case above require someone to run kinit on the samba
> server before the client attempts a connection?

No, a user doesn't have to 'kinit' before connecting.

> If yes:
> 12a. Will the ticket supplied by kinit expire?
> 12b. Does kinit need to be run periodically?  e.g. when the ticket
> expires or when the computer reboots?
> 12c. Which username should I provide to kinit for this use case?
> Should it have any particular privilege?
> 12d. If kinit has not been properly run, what specifically will fail
> and what specifically will be shown in a verbose samba log?
>>> 9. What are the consequences of running samba/ads on a machine that
>>> has not been joined to the domain?
>> About the same as running windows on a computer that isn't joined to the
>> domain.
> 13. Does my use case above require the samba computer to be joined to
> the windows domain?

If you want a Unix machine to be part of a domain (and 'security = ads' 
means you do) it needs to be joined to the domain (it isn't a windows 
domain, it is an Active Directory domain).

> If yes:
> 13a. If the samba computer has not been joined to the domain, what
> specifically will fail and what specifically will be shown in a
> verbose samba log?

Your users will be unknown to the Unix machine. Not entirely sure what 
will show up in the logs, but something like 'unknown user'


>> Find out why you do not have /usr/lib64/samba/ldb
> Thank you.  I'm embarrassed that I didn't see that.
> Thank you again,
> Chris

More information about the samba mailing list