[Samba] Can't setup kerberos auth for samba4 server?

Thomas Schweikle tschweikle at gmail.com
Wed Oct 16 16:24:03 UTC 2019


It is not a member server, it's the PDC. And after configuring
/etc/krb5.conf you'll be able to
# kinit Administrator
Password for Administrator@ADA.DE:
Warning: Your password will expire in 39 days on Mon 25 Nov 2019 08:22:41 CET.

And now:
# net ads join -k
Host is not configured as a member server.
Invalid configuration.  Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

But to authenticate on this PDC against the running Samba I need some way
to have /etc/krb5.keytab created ... some HOWTO on how this would be done
would be nice!

On Wed, Oct 16, 2019 at 11:39 AM L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:

> If this is a member server.
>
> Just install minimal debian server + ssh.
> Point dns (resolv.conf) to AD-DC.
> search ada.de
> nameserver IP_AD_DC
>
> Now apt-get install samba winbind acl attr krb5-user
> Keep all defaults, you don't need to change anything.
>
> After the install of all packages.
>
> systemctl stop smbd winbind (optional nmbd)
> (optional : systemctl disable nmbd)
>
> Setup the correct smb.conf for a member server
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> kinit Administrator
> net ads join -k
>
> systemctl enable smbd winbind (optional nmbd)
> systemctl start smbd winbind (optional nmbd)
>
> Enjoy, it's that simple.
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Thomas Schweikle via samba
> > Sent: Wednesday 16 October 2019 10:57
> > To: Samba
> > Subject: [Samba] Can't setup kerberos auth for samba4 server?
> >
> > Hi!
> >
> > Setup: Debian, Samba 4.11
> >
> > After successfully setting up samba4, I want this machine to authenticate
> > against the running samba4 server. I've created /etc/krb5.conf:
> >
> > [libdefaults]
> >         default_realm = ADA.DE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> >         kdc_timesync = 1
> >         ccache_type = 4
> >         forwardable = true
> >         proxiable = true
> >
> >         fcc-mit-ticketflags = true
> >
> > [realms]
> >         ADA.DE = {
> >                 kdc = ad01.ada.de
> >                 kdc = ad02.ada.de
> >                 admin_server = ad01.ada.de
> >                 chpasswd_server = ad01.ada.de
> >                 default_domain = ada.de
> >         }
> >
> > [domain_realm]
> >         .ada.de = ADA.DE
> >         ada.de = ADA.DE
> >
> >
> > kinit works:
> > # kinit Administrator
> > Password for Administrator@ADA.DE:
> > Warning: Your password will expire in 39 days on Mon 25 Nov 2019 08:22:41 CET.
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@ADA.DE
> >
> > Valid starting       Expires              Service principal
> > 16.10.2019 10:22:13  16.10.2019 20:22:13  krbtgt/ADA.DE@ADA.DE
> >         renew until 17.10.2019 10:22:08
> >
> > But:
> > # net ads join -k
> > Host is not configured as a member server.
> > Invalid configuration.  Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the
> > domain.
> >
> > It is quite true this host is not configured as a member server -- it is
> > the PDC! So what do I have to do to make this host use the running samba4
> > to authenticate users? sssd fails because it can't find /etc/krb5.keytab.
> >
> > /etc/sssd/sssd.conf is set to:
> > [sssd]
> > services = nss, pam, autofs
> > domains = ADA.DE
> > debug_level = 0x0270
> >
> > [domain/ADA.DE]
> > enumerate = true
> > cache_credentials = True
> > krb5_realm = ADA.DE
> > ldap_search_base = dc=ada,dc=de
> > krb5_server = ad01.ada.de, ad02.ada.de
> > id_provider = ad
> > auth_provider = ad
> > ldap_uri = ldap://ad01.ada.de:389/, ldap://ad02.ada.de:389/
> > ldap_id_use_start_tls = True
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > debug_level = 0x0270
> >
> > [nss]
> > homedir_substring = /home
> > debug_level = 0x0270
> >
> > [pam]
> > debug_level = 0x0270
> >
> > [sudo]
> > debug_level = 0x0270
> >
> > [autofs]
> > debug_level = 0x0270
> >
> > [ssh]
> > debug_level = 0x0270
> >
> > [pac]
> > debug_level = 0x0270
> >
> > [ifp]
> > debug_level = 0x0270
> >
> > [secrets]
> > debug_level = 0x0270
> >
> > [session_recording]
> > debug_level = 0x0270
> >
> > Any hint, link, Howto would be great help!
> >
> > --
> > Thomas
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>


-- 
Thomas
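The HOWTO asked for above, as an added example (a shell script written for this page, not code from the thread or from the Samba project). It covers both situations the thread runs into: on a Samba AD DC the keys already sit in the local AD database and are exported with `samba-tool domain exportkeytab`, while on a domain member the keytab is written by the `kinit Administrator` / `net ads join -k` recipe in Louis's reply. Assumed and not stated in the thread: the realm ADA.DE, smb.conf at /etc/samba/smb.conf, a host principal of the form host/<fqdn>@ADA.DE, and `kerberos method = secrets and keytab` in the member's smb.conf (with the default `kerberos method`, `net ads join` only updates secrets.tdb and never touches /etc/krb5.keytab).

```shell
#!/bin/sh
# Added example, not code from the thread: work out which way to create
# /etc/krb5.keytab on this host, then verify the result.
# Assumed (not stated in the thread): realm ADA.DE, smb.conf at
# /etc/samba/smb.conf, the host's FQDN from `hostname -f`, and
# samba-tool / net / kinit / klist in PATH.
set -u

# Read an smb.conf on stdin and print its normalised "server role":
# "dc", "member" or "other". Matching is case-insensitive and tolerates
# leading whitespace, as smb.conf itself does. Commented lines never match.
smb_server_role() {
    role=$(tr '[:upper:]' '[:lower:]' \
        | sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1)
    case "$role" in
        "active directory domain controller") echo dc ;;
        "member server")                      echo member ;;
        *)                                    echo other ;;
    esac
}

# Print the command that produces /etc/krb5.keytab for a given role.
#  - dc: export the key from the local AD database. Restricting the export
#    to the host principal matters: without --principal, samba-tool writes
#    every account's long-term key into the file.
#  - member: the join writes the keytab, provided smb.conf contains
#    `kerberos method = secrets and keytab` (assumed here).
keytab_command() {
    role=$1; fqdn=$2; realm=$3
    case "$role" in
        dc)     echo "samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/${fqdn}@${realm}" ;;
        member) echo "kinit Administrator && net ads join -k" ;;
        *)      echo "echo 'server role is neither DC nor member server; fix smb.conf first' >&2; false" ;;
    esac
}

# Prove the keytab is usable: list its entries, then obtain a TGT from it
# with no password at all, which is exactly what sssd/sshd will need to do.
verify_keytab() {
    fqdn=$1; realm=$2
    klist -k /etc/krb5.keytab || return 1
    kinit -k "host/${fqdn}@${realm}" || return 1
    klist
    kdestroy
}

main() {
    realm=${REALM:-ADA.DE}          # assumed realm; override with REALM=...
    fqdn=$(hostname -f)
    role=$(smb_server_role < /etc/samba/smb.conf)
    echo "server role: $role"
    cmd=$(keytab_command "$role" "$fqdn" "$realm")
    echo "running: $cmd"
    sh -c "$cmd" && verify_keytab "$fqdn" "$realm"
}

# Act only when run as `sh keytab.sh --run`; sourcing the file merely
# defines the functions so they can be exercised on a sample smb.conf.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root (`sh keytab.sh --run`) on the DC; the `kinit -k` step is the real check, since a keytab whose entries `klist -k` shows but that cannot obtain a ticket usually has a stale kvno or a principal the KDC does not know. Keep the export limited to the host principal: the unrestricted form dumps the keys of every user and computer in the domain into one file on the DC's filesystem.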

