[Samba] Can't setup kerberos auth for samba4 server?

Rowland penny rpenny at samba.org
Wed Oct 16 16:35:55 UTC 2019

On 16/10/2019 17:24, Thomas Schweikle via samba wrote:
> It is not a member server it's the PDC.
It is NOT a PDC; that is an NT4-style domain controller. You seem to be 
talking about an AD DC with the PDC Emulator FSMO role.
> And after configuring
> /etc/krb5.conf you'll be able to
> # kinit Administrator
> Passwort für Administrator at ADA.DE:
> Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET
> ablaufen.

Your /etc/krb5.conf needs to contain only this:

     [libdefaults]
     default_realm = ADA.DE
     dns_lookup_realm = false
     dns_lookup_kdc = true

> And now:
> # net ads join -k
NO, not on an AD DC. You cannot join it to the domain; it is already joined.
> Host is not configured as a member server.
> Invalid configuration.  Exiting....
> Failed to join domain: This operation is only allowed for the PDC of the
> domain.
> But to authenticate on this PDC
This is not a PDC
> against the running samba I need some way
> to have /etc/krb5.keytab created ... some Howto this would be done would be
> nice!
Why didn't you say that in the first place ;-)

samba-tool domain exportkeytab /etc/krb5.keytab

Now you know how to create the keytab, why do you need it?
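
A check for the two files discussed above, as an added example that is not part of the original message: it confirms that a krb5.conf carries the three settings from the reply under the [libdefaults] section where krb5.conf expects them, and that an exported keytab is not readable by group or others. The function names and the scratch files are assumptions; GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# GNU stat (Linux) is assumed.

# Print the value of key $2 from the [libdefaults] section of krb5.conf $1.
krb5_libdefault() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed only if the file carries the three settings given in the reply.
check_krb5_conf() {
    [ "$(krb5_libdefault "$1" default_realm)" = "$2" ] &&
    [ "$(krb5_libdefault "$1" dns_lookup_realm)" = "false" ] &&
    [ "$(krb5_libdefault "$1" dns_lookup_kdc)" = "true" ]
}

# Succeed only if the keytab exists with no group/other permission bits:
# it holds long-term Kerberos keys, so it must be accessible to its owner only.
check_keytab_mode() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n    default_realm = ADA.DE\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n' > "$demo_dir/krb5.conf"
: > "$demo_dir/krb5.keytab"; chmod 644 "$demo_dir/krb5.keytab"
check_krb5_conf "$demo_dir/krb5.conf" ADA.DE && echo "krb5.conf: ok"
check_keytab_mode "$demo_dir/krb5.keytab" || echo "keytab: too permissive"
chmod 600 "$demo_dir/krb5.keytab"
check_keytab_mode "$demo_dir/krb5.keytab" && echo "keytab: ok"
```

On a real DC the same functions would be pointed at /etc/krb5.conf and /etc/krb5.keytab after the export.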