You might be right, but the use of "kinit" is only mentioned for testing purposes, but not as an essential part of the implementation...

My process generates the following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/01/03 14:24:47  10/02/03 00:25:36  krbtgt/[EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/02/03 00:25:36  [EMAIL PROTECTED]
        renew until 10/02/03 14:24:47
10/01/03 14:25:57  10/01/03 14:27:57  kadmin/[EMAIL PROTECTED]
        renew until 10/01/03 14:27:57

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Your process generates the following credentials:

[EMAIL PROTECTED] root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/03 13:16:21  10/02/03 23:17:10  krbtgt/[EMAIL PROTECTED]
        renew until 10/03/03 13:16:21

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] root]#

Any suggestions?

Regards, Axel.

Quoting Andrew Smith-MAGAZINES <[EMAIL PROTECTED]>:

> The purpose of "net ads join -U Administrator%password" (password is
> required) is not to obtain a Kerberos ticket but to create a computer
> account in the AD thereby setting up the trust required for other clients
> to authenticate to the Samba server with an AD Kerberos TGT. Use kinit
> from any client system, after doing the net ads join on the Samba server,
> to get your TGT and I think you'll find everything works as intended,
>
> thanks Andy.
>
> -----Original Message-----
> From: Axel Suppantschitsch [mailto:[EMAIL PROTECTED]
> Sent: 02 October 2003 10:29
> To: [EMAIL PROTECTED]
> Subject: [Samba] "net ads join" Kerberos credentials only after "kinit"?
>
>
> According to the latest version of the Samba Documentation there are three
> major steps to add a samba server as member server to an ADS:
>
> 1.) Configure samba correctly to use ADS (smb.conf).
> 2.) Configure Kerberos correctly to work with ADS KDC (krb5.conf).
> 3.) Join the samba server with "net ads join -U Administrator".
>
> Well, all this sounds good, but it definitely doesn't work, you won't have
> any kerberos tickets in your credentials cache after this process. So
> either the samba documentation is incomplete, or there is a bug in samba.
>
> Anyway, it seems that I found a workable solution:
>
> I use Samba 3.0.0 release.
> I use MIT Kerberos libraries 1.3.1 (Don't know if this works with Heimdal).
> I tested this with Windows 2000 and Windows 2003 Servers. It worked on both.
>
>
> 1.) Do a "kinit [EMAIL PROTECTED]". This will get you initial kerberos
> credentials. It is essential to get credentials _BEFORE_ step #2!
> 2.) Do a "net ads join". This will use your kerberos credentials from step
> #1 and add the samba server to your ADS domain without the need to specify
> a username or a password.
> 3.) Do a "klist" and you will see three different tickets in your kerberos
> credentials cache.
> 4.) Do a "smbclient -k \\windowsserver\share" and it should connect you
> without entering username and password.
>
> At this point I ask you guys, whether this is a bug or a feature:
>
> 1.) If it is a feature the samba documentation needs to be changed in order
> to require valid Administrator kerberos credentials _BEFORE_ doing a "net
> ads join". This needs to be explicitly mentioned!
>
> 2.) If it is a bug, you know what you have to do... ;)
>
> Hope this helps all the guys out there struggling with the same problem
> and asking me for help... ;)
>
> Regards, Axel.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba