[Samba] Upgrading to AD
Ron Murray
rjmx at rjmx.net
Wed May 12 01:24:36 UTC 2021
Ah. I thought that might be it. Thanks.
You might consider adding a note to the documentation to that effect.
.....Ron
On Wed, 2021-05-12 at 13:14 +1200, Andrew Bartlett wrote:
> On Tue, 2021-05-11 at 21:02 -0400, Ron Murray via samba wrote:
> > I've been running Samba at home now for at least 20 years. With the
> > discovery that Windows 10 won't do NT4 networks, I figured that I might
> > as well upgrade to AD, since Samba can now be an AD domain controller.
> >
> > I've been running (MIT) Kerberos for almost that long as well (it's
> > handy for authenticating to servers), and at first I was discouraged by
> > Samba's insistence on Heimdal Kerberos. Eventually, I switched, and got
> > that (mostly) working.
> >
> > Then I started to install Samba AD, and discovered that Samba seems to
> > have an inbuilt KDC. Is this correct? Should I be running Samba's
> > inbuilt Kerberos instead? I can't find anything in the documentation
> > mentioning using a pre-existing Kerberos.
>
> Yes, the reason we don't have anything about using a pre-existing
> Kerberos is that it isn't possible. We need to provide the backend DB
> to the KDC, so that it matches all the other protocols and includes the
> PAC etc.
>
> > Anyway, I limped along, installed as best I could, disabled Samba's kdc
> > in smb.conf, but my heimdal-kdc .log keeps giving errors like
> >
> > Looking for ENC-TS pa-data -- COMPUTER$@EXAMPLE.COM
> >
> > where "COMPUTER" is my KDC/AD controller.
> >
> > Perhaps I missed something in the instructions, because there's
> > obviously no such entry in my Kerberos database. Is this because I
> > should be using Samba's KDC, or is it something else?
>
> Yes, you need Samba's KDC.
>
> Andrew Bartlett
>
--
Ron Murray <rjmx at rjmx.net>
PGP Fingerprint: 4D99 70E3 2317 334B 141E 7B63 12F7 E865 B5E2 E761
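
Added example, not part of the original thread and not Samba project code: a small check for the misconfiguration discussed above, an smb.conf that gives Samba the AD DC role while its built-in KDC is switched off. It assumes the KDC was disabled with `server services = -kdc` (the thread does not say how) and uses constructed sample configs; only the long form of the DC role name is matched.

```python
# Added example (not from the thread): flag an AD DC smb.conf with the KDC off.
DC_ROLE = "active directory domain controller"  # long form only; aliases not checked

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalized_name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params["".join(name.lower().split())] = value.strip()
    return params

def kdc_enabled(params):
    """'+svc'/'-svc' entries edit the default service list, which includes kdc;
    an unprefixed list replaces the default."""
    value = params.get("serverservices")
    if value is None:
        return True  # default list is in effect
    items = [s.lower() for s in value.replace(",", " ").split()]
    if items and all(s[0] in "+-" for s in items):
        return "-kdc" not in items
    return "kdc" in items

def check(text):
    params = parse_global(text)
    if params.get("serverrole", "").lower() != DC_ROLE:
        return "n/a: not configured as an AD DC"
    if kdc_enabled(params):
        return "ok: Samba's KDC is enabled"
    return "problem: AD DC role with Samba's KDC disabled"

# Constructed sample configs (assumed; the thread does not show the smb.conf).
BROKEN = """[global]
    realm = EXAMPLE.COM
    server role = active directory domain controller
    server services = -kdc
"""
FIXED = BROKEN.replace("    server services = -kdc\n", "")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check(conf))
```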