[CLUE-Tech] Samba 3 & Active Directory
Mike Staver
staver at fimble.com
Wed Aug 25 23:20:31 MDT 2004
Realm is a kerberos term that is similar to a Windows domain (pre-AD).
It's a thing that holds/administers accounts. MS doesn't use that term
so I'd guess it's like an AD forest (or it could be domain, I'm not sure).
>
> In AD you can set up an external trust to a Kerberos realm. I don't
> think that's what you want, you probably want your realm set so that
> Linux pretends to be a member of AD (but I don't know how well Samba
> pulls that off yet). If you have just one domain in your forest, use
> that.
>
> [...]
>
>> Then when I try this:
>>
>> timmy:/srv/www/htdocs # net ads join -U Administrator%xxxxxxxxx
>> [2004/08/25 15:56:33, 0] libads/kerberos.c:ads_kinit_password(137)
>>
>> I get an error:
>>
>> kerberos_kinit_password Administrator at GLOBALTAXNETWORK.COM failed:
>> Cannot contact any KDC for requested realm
>
>
> This is where you need to understand Kerberos. Go read their docs.
>
> FWIW, KDC is key distribution center, one of the services Kerberos
> uses. In AD that stuff is handled by DCs which are located by SRV
> records in DNS. I don't know how Linux would do it--but the KDC
> server is probably (one of) your domain controller and the realm is
> probably the domain name. MS might have docs on their Kerberos that
> help.
>
> What functional level is your AD domain? (I'm not completely sure
> that matters.) AD supports NTLM and NTLMv2 authentication with the
> right settings. You should be using that until you grok Kerberos.
>
Thanks Dave - I did end up getting it to work with this config:
[libdefaults]
default_realm = GLOBALTAXNETWORK.COM
clockskew = 300
[realms]
GLOBALTAXNETWORK.COM = {
kdc = pip.globaltaxnetwork.com
default_domain = RTSENTERPRISE
kpasswd_server = pip.globaltaxnetwork.com
}
YOUR.KERBEROS.REALM = {
kdc = pip.globaltaxnetwork.com
}
[domain_realms]
.pip.globaltaxnetwork.com = globaltaxnetwork.com
[domain_realm]
.RTSENTERPRISE = GLOBALTAXNETWORK.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}
I just wanted this linux box to be a part of the windows AD site so that
I could assign windows users permissions to the shared folders. I had
always accomplished this easily in Samba 2.X by creating my own
smbpasswd and smbuser files on the linux box. But, with Samba 3.X, that
doesn't work for some reason - you can't assign any windows users
permissions to edit the properties of files, such as the read-only
attribute. My version control software automatically sets that bit in
windows, but was no longer allowed to in 3.X, so I had to make it a part
of the AD site so I could accomplish this. If anybody else wants to try
this, I had run into almost every error you could in Suse 9.1, so feel
free to shoot me an email because I should be able to get you through it
now. The last step for me would be to set up the linux box so that
windows users could log into it - but I have no need for that right now.
More information about the clue-tech
mailing list