You might be right, but the use of "kinit" is only mentioned for testing
purposes, but not as an essential part of the implementation...

My process generates the following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  [EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/[EMAIL PROTECTED]
        renew until 10/01/03 14:27:57


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Your process generates the following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/[EMAIL PROTECTED]
        renew until 10/03/03 13:16:21


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Any suggestions?

Regards, Axel.

Quoting Andrew Smith-MAGAZINES <[EMAIL PROTECTED]>:

> The purpose of "net ads join -U Administrator%password" (password is
> required) is not to obtain a Kerberos ticket but to create a computer account
> in the AD thereby setting up the trust required for other clients to
> authenticate to the Samba server with an AD Kerberos TGT. Use kinit from any
> client system, after doing the net ads join on the Samba server, to get your
> TGT and I think you'll find everything works as intended,
> 
> thanks Andy.
> 
> -----Original Message-----
> From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
> Sent: 02 October 2003 10:29
> To: [EMAIL PROTECTED]
> Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?
> 
> 
> According to the latest version of the Samba Documentation there are three
> major steps to add a samba server as member server to an ADS:
> 
> 1.) Configure samba correctly to use ADS (smb.conf).
> 2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
> 3.) Join the samba server with "net ads join -U Administrator".
> 
> Well, all this sounds good, but it definitely doesn't work, you won't have any
> kerberos tickets in your credentials cache after this process. So either the
> samba documentation is incomplete, or there is a bug in samba.
> 
> Anyway, it seems that I found a workable solution:
> 
> I use Samba 3.0.0 release.
> I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
> I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.
> 
> 
> 1.) Do a "kinit [EMAIL PROTECTED]". This will get you initial kerberos
> credentials. It is essential to get credentials _BEFORE_ step #2!
> 2.) Do a "net ads join". This will use your kerberos credentials from step #1
> and add the samba server to your ADS domain without the need to specify a
> username or a password.
> 3.) Do a "klist" and you will see three different tickets in your kerberos
> credentials cache.
> 4.) Do a "smbclient -k \\windowsserver\share" and it should connect you without
> entering username and password.
> 
> At this point I ask you guys, whether this is a bug or a feature:
> 
> 1.)If it is a feature the samba documentation needs to be changed in order to
> require valid Administrator kerberos credentials _BEFORE_ doing a "net ads
> join". This needs to be explicitly mentioned!
> 
> 2.)If it is a bug, you know what you have to do... ;)
> 
> Hope this helps all the guys out there struggling with the same problem and
> asking me for help... ;)
> 
> Regards, Axel. 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
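An added example, not part of the original thread: a small Python parser for MIT `klist` output that reports whether a cache holds an unexpired TGT and which service tickets are live, which is the difference between the two caches compared in this message. The realm, host and principal names in the sample caches are constructed placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed samples in MIT klist layout; EXAMPLE.COM, dc1$ and the
# principals are placeholders, not values from the thread.
AFTER_KINIT_AND_JOIN = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  dc1$@EXAMPLE.COM
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/changepw@EXAMPLE.COM
        renew until 10/01/03 14:27:57
"""
TGT_ONLY = """\
Default principal: Administrator@EXAMPLE.COM
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/03/03 13:16:21
"""

FMT = "%m/%d/%y %H:%M:%S"  # month/day/year layout, as in the thread's klist output
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")

def parse_klist(text):
    """Return (default_principal, [ticket dicts]) from klist output."""
    default, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        m = ENTRY.match(line.strip())  # "renew until" lines do not match
        if m:
            start, end, service = m.groups()
            tickets.append({"service": service,
                            "start": datetime.strptime(start, FMT),
                            "expires": datetime.strptime(end, FMT)})
    return default, tickets

def cache_report(text, now):
    """Report whether an unexpired TGT exists and which service tickets are live."""
    default, tickets = parse_klist(text)
    live = [t["service"] for t in tickets if t["start"] <= now < t["expires"]]
    return {"principal": default,
            "valid_tgt": any(s.startswith("krbtgt/") for s in live),
            "service_tickets": sorted(s for s in live if not s.startswith("krbtgt/"))}
```

Feeding it the text of `klist` before and after a join shows at a glance whether the cache gained service tickets or still holds only the TGT.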