[Samba] Can't setup kerberos auth for samba4 server?

Thomas Schweikle tschweikle at gmail.com
Mon Oct 21 14:26:16 UTC 2019


On Wed, Oct 16, 2019 at 6:36 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 16/10/2019 17:24, Thomas Schweikle via samba wrote:
> > It is not a member server it's the PDC.
> It is NOT a PDC, that is an NT4-style domain controller, you seem to be
> talking about an AD DC with the PDC Emulator FSMO role.
> > And after configuring
> > /etc/krb5.conf you'll be able to
> > # kinit Administrator
> > Passwort für Administrator at ADA.DE:
> > Warnung: Ihr Passwort wird in 39 Tagen am Mo 25 Nov 2019 08:22:41 CET
> > ablaufen.
>
> Your /etc/krb5.conf needs to contain only this:
>
> [libdefaults]
>      default_realm = ADA.DE
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>
> >
> > And now:
> > # net ads join -k
> NO, not on an AD DC, you cannot join it to the domain, it is already joined
> > Host is not configured as a member server.
> > Invalid configuration.  Exiting....
> > Failed to join domain: This operation is only allowed for the PDC of the
> > domain.
> >
> > But to authenticate on this PDC
> This is not a PDC
> > against the running samba I need some way
> > to have /etc/krb5.keytab created ... some Howto this would be done would be
> > nice!
> >
> Why didn't you say that in the first place ;-)
>
> samba-tool domain exportkeytab /etc/krb5.keytab
>
> Now you know how to create the keytab, why do you need it?
>

I want this server itself to authenticate against samba. I do not want
to have the user base more than once. sssd seems to need a working
/etc/krb5.keytab.



> Rowland


-- 
Thomas

