The short answer: Use Kerberos 1.3.3 or greater and you should be fine. Use "kinit [EMAIL PROTECTED]" to verify that Kerberos is basically working, then "net join ads -U [EMAIL PROTECTED]" to join the domain. For me, it worked best to create the machine account with the AD administrator tool before I joined the domain (partly because the AD domain admin refused to delegate the authority to create accounts).
I expect that http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member is the page 75 that you mentioned, and that covers the steps reasonably well.

The long answer: I found this page from Microsoft helpful: http://support.microsoft.com/default.aspx?scid=kb;en-us;296842 . Microsoft basically supports 3 encryption types:

• RC4-HMAC
• DES-CBC-MD5
• DES-CBC-CRC

However, note that "support for DES-CBC-CRC ... is primarily for MIT Kerberos interoperability", and "You cannot configure a Windows 2000-based client to request a TGT by using the DES-CBC-CRC encryption type." which means that in practice DES-CBC-CRC doesn't work. (MIT Kerberos 1.2.x supports only DES3-HMAC-SHA1 and DES-CBC-CRC. Although DES-CBC-CRC is on both lists, it doesn't work.)

What this means is that your Kerberos version should support the RC4-HMAC encryption type, which is Microsoft's default. (MIT Kerberos 1.3.x does. I don't know much about Heimdal, but it should too.)

A tool called klist will tell you what tickets you have, and you can also get klist for Windows clients, to see what ticket types your domain is using (also, a tool called Kerbtray, in the Windows 2000 Resource Kit.)

You shouldn't have to configure anything special in your krb5.conf, although I added a realms section to mine, to specify nearby domain controllers for our global domains.

Regards,
Gordon

On Wed, 2005-06-08 at 09:48 -0400, Andy Pierce wrote:
> Hello. I currently have Samba running on AIX and joined to an NT4
> domain. I need to change this membership to a new Active Directory
> domain. Yes, it is running in Native Mode. I understand that Kerberos
> is *the* requirement to make this work. Are there any special Kerberos
> versions, configuration options, etc. that are required?
>
> The Official Samba-3 HOWTO and Reference Guide (Terpstra and Vernooij)
> says on page 75 in the Samba ADS Domain Membership section, "A
> familiarity with Kerberos is assumed." That's fine but, since I am not
> the sysadmin, I need to learn these requirements and communicate them
> to him.
>
> The only requirement I have is that our AIX system joins the AD as a
> client. I am NOT trying to configure Samba as a DC or anything like
> that.
>
> Thanks a million!
>
> Andrew
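The encryption-type check described in the reply above, as an added example that is not part of the original thread: it parses `klist -e` output and applies the reply's verdicts to each ticket's encryption type. The sample output is constructed, and the `Etype (skey, tkt):` line format and the enctype spellings are assumptions based on MIT Kerberos `klist`.

```python
import re

# Spellings MIT klist prints for each enctype (older descriptive form and newer
# short form), mapped to the names used in the reply. Assumed, not from the thread.
ALIASES = {
    "arcfour with hmac/md5": "RC4-HMAC", "arcfour-hmac": "RC4-HMAC",
    "des cbc mode with rsa-md5": "DES-CBC-MD5", "des-cbc-md5": "DES-CBC-MD5",
    "des cbc mode with crc-32": "DES-CBC-CRC", "des-cbc-crc": "DES-CBC-CRC",
    "triple des cbc mode with hmac/sha1": "DES3-HMAC-SHA1",
    "des3-cbc-sha1": "DES3-HMAC-SHA1",
}
# Verdicts as the 2005 reply gives them. DES and RC4 enctypes have since been
# deprecated for Kerberos (RFC 6649, RFC 8429): "ok" means compatible, not strong.
VERDICT = {
    "RC4-HMAC": "ok: Microsoft's default",
    "DES-CBC-MD5": "ok: on Microsoft's supported list",
    "DES-CBC-CRC": "fail: on both lists, but does not work in practice",
    "DES3-HMAC-SHA1": "fail: not on Microsoft's supported list",
}
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

def check_klist(output):
    """Return [(service principal, ticket enctype, verdict)] from `klist -e` text."""
    results, principal = [], None
    for line in output.splitlines():
        m = ETYPE_LINE.match(line)
        if m and principal:
            tkt = ALIASES.get(m.group(2).lower(), m.group(2))  # judge the ticket enctype
            results.append((principal, tkt, VERDICT.get(tkt, "unknown: not covered by the reply")))
            principal = None
        elif "@" in line and not line.lower().startswith(("default principal", "ticket cache")):
            principal = line.split()[-1]  # ticket lines end with the service principal
    return results

# Constructed sample in the MIT `klist -e` layout (realm and hosts are placeholders).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/05 09:50:11  06/08/05 19:50:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/08/05 09:51:02  06/08/05 19:50:11  host/aix1.example.com@EXAMPLE.COM
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

if __name__ == "__main__":
    for principal, etype, verdict in check_klist(SAMPLE):
        print(f"{principal}: {etype} -> {verdict}")
```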
