[Samba] Can't setup kerberos auth for samba4 server?

Thomas Schweikle tschweikle at gmail.com
Wed Oct 16 08:56:49 UTC 2019


Hi!

Setup: Debian, Samba 4.11

After successfully setting up samba4, I want this machine to authenticate
against the running samba4-server. I've created /etc/krb5.conf:

[libdefaults]
        default_realm = ADA.DE
        dns_lookup_realm = false
        dns_lookup_kdc = true

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        fcc-mit-ticketflags = true

[realms]
        ADA.DE = {
                kdc = ad01.ada.de
                kdc = ad02.ada.de
                admin_server = ad01.ada.de
                chpasswd_server = ad01.ada.de
                default_domain = ada.de
        }

[domain_realm]
        .ada.de = ADA.DE
        ada.de = ADA.DE


kinit works:
# kinit Administrator
Passwort für Administrator at ADA.DE:
Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET
ablaufen.
#klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: Administrator at ADA.DE

Valid starting       Expires              Service principal
16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE at ADA.DE
        erneuern bis 17.10.2019 10:22:08

But:
# net ads join -k
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the
domain.

It is quite true this host is not configured as a member server -- it is
the PDC! So what do I have to do to make this host use the running samba4
to authenticate users? sssd fails because it can't find /etc/krb5.keytab.

/etc/sssd/sssd.conf is set to:
[sssd]
services = nss, pam, autofs
domains = ADA.DE
debug_level = 0x0270

[domain/ADA.DE]
enumerate = true
cache_credentials = True
krb5_realm = ADA.DE
ldap_search_base = dc=ada,dc=de
krb5_server = ad01.ada.de, ad02.ada.de
id_provider = ad
auth_provider = ad
ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 0x0270

[nss]
homedir_substring = /home
debug_level = 0x0270

[pam]
debug_level = 0x0270

[sudo]
debug_level = 0x0270

[autofs]
debug_level = 0x0270

[ssh]
debug_level = 0x0270

[pac]
debug_level = 0x0270

[ifp]
debug_level = 0x0270

[secrets]
debug_level = 0x0270

[session_recording]
debug_level = 0x0270

Any hint, link, Howto would be great help!

-- 
Thomas
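As an added example (not part of the post, nor code from Samba or sssd), a small parser for the krb5.conf format shown above plus a consistency check that the realm named in [libdefaults], the [realms] block and the [domain_realm] mappings agree; the sample is the poster's file with the mail client's `<http://ada.de/>` link residue stripped, and a stale realm name in any of the three places shows up as a finding.

```python
# Constructed sample: the poster's krb5.conf, minus the "<http://ada.de/>" residue.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ADA.DE
    dns_lookup_kdc = true
[realms]
    ADA.DE = {
        kdc = ad01.ada.de
        kdc = ad02.ada.de
    }
[domain_realm]
    .ada.de = ADA.DE
    ada.de = ADA.DE
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; 'NAME = { ... }' blocks become nested dicts."""
    conf, stack = {}, []                     # stack of dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):   # new top-level section
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":                    # end of a nested block (e.g. a realm)
            stack.pop()
        elif stack and "=" in line:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":                   # start of a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:                            # repeated keys (several kdc lines) accumulate
                stack[-1].setdefault(key, []).append(val)
    return conf

def check_krb5_conf(conf):
    """Return findings about the realm wiring; an empty list means the file is consistent."""
    findings, realms = [], conf.get("realms", {})
    libdefaults = conf.get("libdefaults", {})
    default = libdefaults.get("default_realm", [None])[0]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() == "true"
    if default is None:
        findings.append("libdefaults: default_realm is not set")
    elif default not in realms:
        findings.append(f"default_realm {default} has no [realms] block")
    for name, realm in realms.items():       # without DNS SRV lookup every realm needs a kdc
        if isinstance(realm, dict) and "kdc" not in realm and not dns_kdc:
            findings.append(f"realm {name}: no kdc and dns_lookup_kdc is off")
    for domain, target in conf.get("domain_realm", {}).items():
        if target[0] not in realms:
            findings.append(f"domain_realm maps {domain} to unknown realm {target[0]}")
    return findings
```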

