[CLUE-Tech] Samba 3 & Active Directory

Mike Staver staver at fimble.com
Wed Aug 25 23:20:31 MDT 2004


Realm is a kerberos term that is similar to a Windows domain (pre-AD). 
It's a thing that holds/administers accounts.  MS doesn't use that term 
so I'd guess it's like an AD forest (or it could be domain, I'm not sure).

>
> In AD you can set up an external trust to a Kerberos realm.  I don't 
> think that's what you want, you probably want your realm set so that 
> Linux pretends to be a member of AD (but I don't know how well Samba 
> pulls that off yet).  If you have just one domain in your forest, use 
> that.
>
> [...]
>
>> Then when I try this:
>>
>> timmy:/srv/www/htdocs # net ads join -U Administrator%xxxxxxxxx
>> [2004/08/25 15:56:33, 0] libads/kerberos.c:ads_kinit_password(137)
>>
>> I get an error:
>>
>> kerberos_kinit_password Administrator@GLOBALTAXNETWORK.COM failed: 
>> Cannot contact any KDC for requested realm
>
>
> This is where you need to understand Kerberos.  Go read their docs.
>
> FWIW, KDC is key distribution center, one of the services Kerberos 
> uses.  In AD that stuff is handled by DCs which are located by SRV 
> records in DNS.  I don't know how Linux would do it--but the KDC 
> server is probably (one of) your domain controller and the realm is 
> probably the domain name.  MS might have docs on their Kerberos that 
> help.
>
> What functional level is your AD domain?  (I'm not completely sure 
> that matters.)  AD supports NTLM and NTLMv2 authentication with the 
> right settings.  You should be using that until you grok Kerberos.
>
Thanks Dave - I did end up getting it to work with this config:

[libdefaults]
        default_realm = GLOBALTAXNETWORK.COM
        clockskew = 300

[realms]
        GLOBALTAXNETWORK.COM = {
                kdc = pip.globaltaxnetwork.com
                default_domain = RTSENTERPRISE
                kpasswd_server = pip.globaltaxnetwork.com
        }
        # unused placeholder realm, left in place as posted
        YOUR.KERBEROS.REALM = {
                kdc = pip.globaltaxnetwork.com
        }

[domain_realm]
        # the posted file had a second, misspelled [domain_realms] section
        # (ignored by libkrb5) with the realm in lowercase; merged here,
        # realm names are case-sensitive
        .pip.globaltaxnetwork.com = GLOBALTAXNETWORK.COM
        .RTSENTERPRISE = GLOBALTAXNETWORK.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
        }

I just wanted this Linux box to be a part of the Windows AD site so that 
I could assign Windows users permissions to the shared folders.  I had 
always accomplished this easily in Samba 2.X by creating my own 
smbpasswd and smbuser files on the Linux box.  But, with Samba 3.X, that 
doesn't work for some reason - you can't assign any Windows users 
permissions to edit the properties of files, such as the read-only 
attribute.  My version control software automatically sets that bit in 
Windows, but was no longer allowed to in 3.X, so I had to make it a part 
of the AD site so I could accomplish this.  If anybody else wants to try 
this, I had run into almost every error you could in SuSE 9.1, so feel 
free to shoot me an email because I should be able to get you through it 
now. The last step for me would be to set up the Linux box so that 
Windows users could log into it - but I have no need for that right now.
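Added example (Python, not from the thread or from Samba/MIT): a small krb5.conf parser that applies the domain_realm lookup rule Dave describes and flags a misspelled section such as `[domain_realms]`, which libkrb5 silently ignores. The embedded config is constructed to mirror the one posted above, typo included.

```python
import re

# Sections libkrb5 actually reads; a misspelled one is silently ignored.
KNOWN = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults",
         "logging", "plugins"}

# Constructed sample modelled on the config posted above, typo included.
SAMPLE = """
[libdefaults]
        default_realm = GLOBALTAXNETWORK.COM
[realms]
        GLOBALTAXNETWORK.COM = {
                kdc = pip.globaltaxnetwork.com
        }
[domain_realms]
        .pip.globaltaxnetwork.com = globaltaxnetwork.com
[domain_realm]
        .RTSENTERPRISE = GLOBALTAXNETWORK.COM
"""

def parse_krb5_conf(text):
    """Return (sections, warnings); tag values are lists, `tag = {` nests."""
    sections, warnings, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        head = re.match(r"\[(\w+)\]$", line)
        if head:                               # new (or merged) section
            stack = [sections.setdefault(head.group(1), {})]
            if head.group(1) not in KNOWN:
                warnings.append(f"[{head.group(1)}] is not a krb5.conf section")
        elif line == "}":                      # close nested block
            stack.pop()
        else:
            tag, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(tag, {}))
            else:                              # kdc may repeat, so keep a list
                stack[-1].setdefault(tag, []).append(value)
    return sections, warnings

def realm_for_host(sections, host):
    """Exact host, then parent domains with a leading dot, else default_realm.
    Compared case-insensitively here (this example's choice)."""
    mapping = {k.lower(): v[0] for k, v in sections.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    cands = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in cands:
        if cand in mapping:
            return mapping[cand]
    return sections.get("libdefaults", {}).get("default_realm", [None])[0]
```

With the sample, the `.pip.globaltaxnetwork.com` mapping never takes effect; hosts under it only reach the right realm because default_realm happens to match.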
