Please see mail sent to samba mailing list. Having looked into this, I don't believe knowing the computer account password will help when using Microsoft ktutil to generate a keytab key, as ktutil seems to only search for user objects, not computer objects. Therefore I'm left with the problem that if I join my Samba server to an AD domain I am subsequently unable to create additional keytabs for other services for a user object with the same name as the Samba-created computer object within AD using ktutil (and vice versa).

MS URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/kerbstep.asp

> Hi All,
>
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to
> provide other Kerberised services such as NFS from the same
> UNIX host?
> Problem I have is that when you join an AD domain through
> Samba 3.x net command this creates a computer account in the
> AD to which the administrator does not know the account password.
> If you follow MS guidelines for configuring other UNIX
> Kerberised services to authenticate against a Windows Kerberos
> realm (AD domain) you are instructed to use a user account, not
> a computer account, because to generate a keytab file for your
> Kerberised service you must know the password for the Kerberos/AD
> account.
> As you cannot have an AD computer account with the same name as
> an AD user account it would seem to me that using Kerberised
> Samba is mutually exclusive with providing generic Kerberised
> UNIX services from a single UNIX machine. Surely this will cause
> many people problems if this is the case; have I missed something?

This issue is intended to be addressed - but you can find out the (current) machine account password - just read the plaintext out of the secrets.tdb (root-only access, naturally). Either tdbtool, or a simple 'less' should show it.
I think there may even have been some patches flying about to fix this, but I'm not sure... Feel free to file a bug (if there is not one already present) into bugzilla.samba.org Andrew Bartlett
Hi, I've had it pointed out to me that to use a computer account as a user account you must add a "$" onto the end of the account name. Having tried this with ktpass, I found this does indeed work. However, to use ktpass in conjunction with Samba 3.x joined to the AD you still need a method of either telling Samba what password to use when creating its computer account, or asking it what its password is after joining the AD, so a consistent password is used by both Samba and ktpass. Otherwise using ktpass will break Samba and vice versa.
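The two points made above (the current machine password can be read out of secrets.tdb, and the computer account must be addressed with its trailing "$") can be combined on the UNIX side without ever handing the account to ktpass. The following is an added example and is not code from the bug report or from Samba. It assumes the Samba 3.x layout of secrets.tdb (the key SECRETS/MACHINE_PASSWORD/<WORKGROUP> holding the plaintext password followed by a NUL), the tdbdump(1) tool that ships with tdb, and MIT Kerberos ktutil(1); the path, host, realm and kvno values are placeholders. The embedded tdbdump output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba). Assumptions:
#  - Samba 3.x stores the joined machine password in secrets.tdb under
#    SECRETS/MACHINE_PASSWORD/<WORKGROUP> as plaintext followed by a NUL;
#  - tdbdump(1) and MIT Kerberos ktutil(1) are installed;
#  - the account's key version number (kvno) in AD is known.
SECRETS_TDB=${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}

# Samba's computer account is the upper-cased NetBIOS name plus a trailing '$';
# that '$'-suffixed name is the principal ktpass/kinit must be pointed at.
machine_principal() {
    printf '%s$@%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" "$2"
}

# Extract the plaintext machine password for workgroup $1 from tdbdump output
# read on stdin. tdbdump prints each record as
#   key(N) = "SECRETS/MACHINE_PASSWORD/WORKGROUP"
#   data(M) = "thepassword\00"
# with non-printable bytes escaped as \XX, so the trailing NUL shows as \00.
extract_machine_password() {
    awk -v dom="$1" '
        $0 ~ ("^key\\([0-9]+\\) = \"SECRETS/MACHINE_PASSWORD/" dom "\"$") { want = 1; next }
        want && sub(/^data\([0-9]+\) = "/, "") { sub(/\\00"$/, ""); print; exit }
    '
}

# Constructed sample of what 'tdbdump secrets.tdb' prints for one joined domain
# (illustration only; a real secrets.tdb holds many more records).
SAMPLE_TDBDUMP='{
key(32) = "SECRETS/MACHINE_PASSWORD/EXAMPLE"
data(9) = "s3cret99\00"
}'

# Write a keytab holding the computer account's key, derived from the password
# Samba is already using, so that Samba and the new keytab never disagree.
# arcfour-hmac is chosen because its key is the unsalted NT hash of the
# password; DES or AES keys would additionally need AD's salt for the account.
#   $1 workgroup  $2 NetBIOS host name  $3 realm  $4 kvno  $5 output keytab
write_machine_keytab() {
    princ=$(machine_principal "$2" "$3")
    pw=$(tdbdump "$SECRETS_TDB" | extract_machine_password "$1") || return 1
    if [ -z "$pw" ]; then
        echo "no machine password for $1 in $SECRETS_TDB" >&2
        return 1
    fi
    # ktutil reads both its commands and the password prompt answer from stdin.
    printf 'addent -password -p %s -k %s -e arcfour-hmac\n%s\nwkt %s\nquit\n' \
        "$princ" "$4" "$pw" "$5" | ktutil
}

# Usage (as root, secrets.tdb is root-only):
#   ./machine-keytab.sh EXAMPLE srv1 EXAMPLE.COM 2 /etc/krb5.keytab.srv1
if [ $# -eq 5 ]; then
    write_machine_keytab "$@"
fi
```

Two caveats a practitioner would want: the kvno passed to ktutil has to match the one AD holds for the account or tickets issued by the KDC will not decrypt with the keytab; and Samba changes the machine password on its own every `machine password timeout` seconds (604800, one week, by default), after which the keytab is stale unless it is regenerated or the rotation is switched off with `machine password timeout = 0`. From 3.0.6 the smb.conf keytab option mentioned later in this bug removes the need for this workaround for Samba's own principals.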
Resetting target milestone. 3.0.1 has been frozen. Will have to re-evaluate these.
Fixed in 3.0.6 (see the 'use keytab' smb.conf(5) option)
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.