[CLUE-Tech] Samba 3 & Active Directory
David Anselmi
anselmi at anselmi.us
Wed Aug 25 18:47:41 MDT 2004
Mike Staver wrote:
>> Well, I'm trying to understand. For example, here is my smb.conf file:
[...]
>> The part of that file that I question is the line "realm".
Realm is a Kerberos term that is similar to a Windows domain (pre-AD).
It's a thing that holds/administers accounts. MS doesn't use that term
so I'd guess it's like an AD forest (or it could be domain, I'm not sure).
In AD you can set up an external trust to a Kerberos realm. I don't
think that's what you want, you probably want your realm set so that
Linux pretends to be a member of AD (but I don't know how well Samba
pulls that off yet). If you have just one domain in your forest, use that.
[...]
> Then when I try this:
>
> timmy:/srv/www/htdocs # net ads join -U Administrator%xxxxxxxxx
> [2004/08/25 15:56:33, 0] libads/kerberos.c:ads_kinit_password(137)
>
> I get an error:
>
> kerberos_kinit_password Administrator at GLOBALTAXNETWORK.COM failed:
> Cannot contact any KDC for requested realm
This is where you need to understand Kerberos. Go read their docs.

FWIW, KDC is key distribution center, one of the services Kerberos uses.
In AD that stuff is handled by DCs which are located by SRV records in
DNS. I don't know how Linux would do it--but the KDC server is probably
(one of) your domain controllers and the realm is probably the domain
name. MS might have docs on their Kerberos that help.

What functional level is your AD domain? (I'm not completely sure that
matters.) AD supports NTLM and NTLMv2 authentication with the right
settings. You should be using that until you grok Kerberos.
Dave
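
Added example, not part of the original message: a shell sketch of the SRV-based KDC lookup mentioned above, turning `dig +short -t SRV` answers into a `krb5.conf` `[realms]` stanza. The `example.com` names and the sample answers are constructed, and the ordering (priority, then weight) is a deterministic simplification of SRV weighted selection.

```shell
#!/bin/sh
# Added example: constructed data, example.com names are placeholders.

# SRV names AD domain controllers register in DNS for Kerberos.
kdc_srv_names() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._tcp.%s\n_kerberos._udp.%s\n' "$domain" "$domain"
}

# stdin: `dig +short -t SRV <name>` answers, "priority weight port target."
# stdout: host:port, lowest priority first, then highest weight first.
# Lines that are not SRV answers (resolver errors, blanks) are dropped.
kdcs_from_srv() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4)
             print $1, $2, tolower($4) ":" $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# stdin: host:port lines; $1: DNS domain. Prints a krb5.conf [realms] stanza.
krb5_realm_stanza() {
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '[realms]\n    %s = {\n' "$realm"
    while read -r kdc; do
        if [ -n "$kdc" ]; then printf '        kdc = %s\n' "$kdc"; fi
    done
    printf '    }\n'
}

# Constructed sample of resolver output, including one non-answer line.
SAMPLE_SRV='10 100 88 dc2.example.com.
0 50 88 DC3.example.com.
0 100 88 dc1.example.com.
;; connection timed out; no servers could be reached'

kdc_srv_names EXAMPLE.COM
printf '%s\n' "$SAMPLE_SRV" | kdcs_from_srv | krb5_realm_stanza EXAMPLE.COM
```

Against a live domain, the input would come from `dig +short -t SRV` on each name printed by `kdc_srv_names`; an empty stanza means no KDC was found in DNS, which matches the "Cannot contact any KDC" symptom.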