Hi Edward,

Thanks for the link. Creating a computer account & keytab on the Windows side and copying it back to the Solaris works for my other services (ssh, etc.) but net ads join clobbers the existing account and creates a new one which no longer matches the keytab. Is there a way to get samba / net ads join to just use the existing kerberos setup / keytab and NOT try to create a new account?

--Rob

On Mar 18, 2009, at 4:56 PM, Edward Irvine wrote:

Rob,


Hi Samba people!

I'm trying to use SAMBA (the version included with Solaris 10) with an AD.

NET ADS JOIN works like a charm to create a computer object in the AD for the solaris machine, and SAMBA users are authenticating without a problem. This is good. HOWEVER -- I also need other protocols (including ssh and Xinet KA-Share) to authenticate users.

As I understand it, SAMBA uses kerberos to authenticate against AD, so as long as everyone is using the same keytab file, I'd expect all to be well. However, I find that when I do net ads join it doesn't create or modify a keytab file that I can find. I have use kerberos keytab = true in my smb.conf file, but I can't see that it actually does anything.

Can anyone steer me in the right direction here? I've been chasing this for over a month.


The following is a little dated. But see the section in http://users.tpg.com.au/adsl95uc/gssapi-sol10/ that refers to "Windows Active Directory". This is how you get a valid /etc/krb5/krb5.keytab file onto your Solaris machine.

Note that you don't *have* to have a krb5.keytab file on your Solaris Servers to authenticate users, unless you want to do single sign on.

If you just want to have same sign on (same username, same password) then all the PAM stack needs is a correctly configured /etc/krb5/krb5.conf file.

There is a section about building your own PAM/OpenSSH/Kerberos stack which you may be able to ignore.

--Rob


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



