Bug 538 - AD SAMBA Kerberos participation with other ADKerberised services
Summary: AD SAMBA Kerberos participation with other ADKerberised services
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.0
Hardware: All Solaris
Importance: P3 major
Target Milestone: none
Assignee: Jeremy Allison
QA Contact:
URL:
Keywords:
Depends on:
Blocks: 807
Reported: 2003-09-30 07:52 UTC by Andy Smith
Modified: 2005-08-24 10:25 UTC

See Also:


Attachments

Description Andy Smith 2003-09-30 07:52:20 UTC
Please see mail sent to samba mailing list. Having looked into this I don't 
believe knowing the computer account password will help when using Microsoft 
ktutil to generate a keytab key as ktutil seems to only search for user objects 
not computer objects. Therefore I'm left with the problem that if I join my 
Samba server to an AD domain I am subsequently unable to create additional 
keytabs for other services for a user object with the same name as the Samba 
created computer object within AD using ktutil (and vice versa).
MS URL http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/kerbstep.asp

> Hi All,
> 
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to 
> provide other Kerberised services such as NFS from the same 
> UNIX host?
> Problem I have is that when you join an AD domain through 
> Samba 3.x net command this creates a computer account in the 
> AD to which the administrator does not know the account password. 
> If you follow MS guidelines for configuring other UNIX 
> Kerberised services to authenticate against a Windows Kerberos 
> realm (AD domain) you are instructed to use a user account not 
> a computer account because to generate a keytab file for your 
> Kerberised service you must know the password for the Kerberos/AD 
> account.
> As you cannot have an AD computer account with the same name as 
> an AD user account it would seem to me that using Kerberised 
> Samba is mutually exclusive with providing generic Kerberised 
> UNIX services from a single UNIX machine. Surely this will cause 
> many people problems if this is the case, have I missed something?

This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally).  Either tdbtool, or a simple
'less' should show it.

I think there may even have been some patches flying about to fix this,
but I'm not sure...

Feel free to file a bug (if there is not one already present) into
bugzilla.samba.org

Andrew Bartlett
Comment 1 Andy Smith 2003-11-05 03:50:56 UTC
Hi, I've had it pointed out to me that to use a computer account as a user 
account you must add a "$" onto the end of the account name. Having tried this 
with ktpass I found this does indeed work. However to use ktpass in conjunction 
with Samba 3.x joined to the AD you still need a method of either telling Samba 
what password to use when creating its computer account or asking it what its 
password is after joining the AD so a consistent password is used by both Samba 
and ktpass. Otherwise using ktpass will break samba and vice versa.
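Worked example, added here and not part of the bug report or of Samba/Microsoft code, of the point in Comment 1: the key a keytab holds is derived from the account password, so Samba and ktpass have to agree on that password. It simulates the rc4-hmac case, where the key AD stores is the unsalted NT hash of the password, builds a one-entry MIT keytab for the password given to ktpass, and checks which side the KDC would still accept after ktpass has reset the account password. Host name, realm, passwords and kvno are constructed; MD4 is implemented inline so the script runs without OpenSSL's legacy provider.

```python
"""
Added example, not Samba or Microsoft code: why the password Samba stores for its
machine account and the password given to ktpass must be the same.

AD keeps one long-term key per account, derived from the password set last.  For
the arcfour-hmac enctype that key is the NT hash, MD4 over the UTF-16LE password
with no salt, so a keytab entry is a pure function of the password.  If
'net ads join' and ktpass each pick their own password, the KDC holds whichever
was set last and the other side's key stops decrypting service tickets.
Host, realm, passwords and kvno below are constructed.
"""
import struct
import time

_MASK = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC = 23  # RFC 4757 enctype number for rc4-hmac


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (many OpenSSL builds ship MD4 only as 'legacy')."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # each step updates one register; rotating them gives the a,d,c,b pattern
                a, b, c, d = d, _rotl((a + fn(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4]), b, c
        h0 = [(v + w) & _MASK for v, w in zip(h0, (a, b, c, d))]
    return struct.pack("<4I", *h0)


def nt_hash(password: str) -> bytes:
    """The arcfour-hmac key AD derives for an account: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le"))


def keytab_entry(principal: str, realm: str, kvno: int, key: bytes,
                 enctype: int = ENCTYPE_ARCFOUR_HMAC) -> bytes:
    """One-entry keytab in MIT format 0x0502 (big-endian), as klist -kt would read it."""
    def counted(s: bytes) -> bytes:
        return struct.pack(">H", len(s)) + s
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    for comp in comps:
        body += counted(comp.encode())
    body += struct.pack(">I", 1)                    # name type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", int(time.time()))     # entry timestamp
    body += struct.pack(">B", kvno & 0xFF)          # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def kdc_accepts(keytab_key: bytes, password_now_in_ad: str) -> bool:
    """Service tickets are encrypted under the KDC's copy of the account key; the
    service can decrypt them only if its keytab key came from the same password."""
    return keytab_key == nt_hash(password_now_in_ad)


def scenario() -> dict:
    """Samba joined with a random password; an admin later ran ktpass with another."""
    samba_pw = "N3t-ads-j01n-r4nd0m"      # constructed: what secrets.tdb would hold
    ktpass_pw = "ChosenForNFS!"           # constructed: the /pass value given to ktpass
    samba_key = nt_hash(samba_pw)
    nfs_key = nt_hash(ktpass_pw)
    return {
        # before ktpass: AD still holds Samba's password, Samba works
        "samba_before": kdc_accepts(samba_key, samba_pw),
        # ktpass reset the account password in AD: NFS works, Samba is broken
        "nfs_after": kdc_accepts(nfs_key, ktpass_pw),
        "samba_after": kdc_accepts(samba_key, ktpass_pw),
        # the fix the reporter asks for: build the NFS keytab from Samba's password
        "nfs_with_samba_pw": kdc_accepts(nt_hash(samba_pw), samba_pw),
        "keytab": keytab_entry("nfs/fs1.example.com", "EXAMPLE.COM", 2, nfs_key),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

On a real host the comparison is between the plaintext machine password read from secrets.tdb (root only) and the password handed to ktpass for the account with the trailing "$"; once ktpass has reset the account, Samba's key no longer decrypts tickets, which is the "ktpass will break samba and vice versa" of Comment 1. Only rc4-hmac is modelled because it is unsalted; the AES enctypes add a salt and iteration count, but the conclusion that the key is a function of the current password is the same.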
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-12-12 08:27:46 UTC
resetting target milestone.  3.0.1 has been frozen.  Will have to 
re-evaluate these.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-08-31 07:06:39 UTC
Fixed in 3.0.6 (see the 'use keytab' smb.conf(5) option)
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:25:59 UTC
sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.