The Samba-Bugzilla – Bug 538
AD SAMBA Kerberos participation with other ADKerberised services
Last modified: 2005-08-24 10:25:59 UTC
Please see the mail sent to the samba mailing list. Having looked into this, I don't
believe knowing the computer account password will help when using Microsoft
ktutil to generate a keytab key, as ktutil seems to only search for user objects,
not computer objects. Therefore I'm left with the problem that if I join my
Samba server to an AD domain I am subsequently unable to create additional
keytabs for other services for a user object with the same name as the Samba-created
computer object within AD using ktutil (and vice versa).
MS URL http://www.microsoft.com/technet/treeview/default.asp?
> Hi All,
> anyone else found that adding a Samba server to an AD domain
> appears to be incompatible with using an AD Kerberos realm to
> provide other Kerberised services such as NFS from the same
> UNIX host?
> Problem I have is that when you join an AD domain through the
> Samba 3.x net command this creates a computer account in the
> AD to which the administrator does not know the account password.
> If you follow MS guidelines for configuring other UNIX
> Kerberised services to authenticate against a Windows Kerberos
> realm (AD domain) you are instructed to use a user account, not
> a computer account, because to generate a keytab file for your
> Kerberised service you must know the password for the Kerberos/AD
> As you cannot have an AD computer account with the same name as
> an AD user account it would seem to me that using Kerberised
> Samba is mutually exclusive with providing generic Kerberised
> UNIX services from a single UNIX machine. Surely this will cause
> many people problems if this is the case; have I missed something?
This issue is intended to be addressed - but you can find out the
(current) machine account password - just read the plaintext out of the
secrets.tdb (root-only access, naturally). Either tdbtool, or a simple
'less' should show it.
I think there may even have been some patches flying about to fix this,
but I'm not sure...
Feel free to file a bug (if there is not one already present) into
Hi, I've had it pointed out to me that to use a computer account as a user
account you must add a "$" onto the end of the account name. Having tried this
with ktpass I found this does indeed work. However, to use ktpass in conjunction
with Samba 3.x joined to the AD you still need a method of either telling Samba
what password to use when creating its computer account or asking it what its
password is after joining the AD, so that a consistent password is used by both Samba
and ktpass. Otherwise using ktpass will break Samba and vice versa.
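Why the two tools must agree on one password: for the RC4-HMAC enctype that Active Directory of that era issued to computer accounts, the Kerberos long-term key is nothing more than the NT hash of the account password (MD4 over the UTF-16LE password, no salt, RFC 4757), so HOST$ and every service principal mapped onto that account share exactly the same key, and a keytab written from any other password, or after Samba rotates the machine password, simply stops matching what the KDC uses. The block below is an added example, not code from this bug, from Samba or from ktpass: it derives that key in pure Python (MD4 is implemented inline because many OpenSSL builds no longer expose it), writes a version 0x0502 MIT-format keytab with the machine account and a couple of service principals, and parses it back. The host name, DNS domain, realm, password and kvno are made up for illustration. AES enctypes used by later Windows versions derive keys with a salted PBKDF2 and are not covered here.

```python
import struct
import time

MASK32 = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC = 23   # RFC 4757 enctype number
KRB5_NT_PRINCIPAL = 1


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib often lacks it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_key(password: str) -> bytes:
    """arcfour-hmac-md5 string-to-key: the NT hash, MD4 over UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def keytab_entry(principal, realm, key, kvno, enctype=ENCTYPE_ARCFOUR_HMAC, timestamp=None):
    """One MIT keytab (version 0x0502) entry; counted strings are big-endian uint16 length + bytes."""
    ts = int(time.time()) if timestamp is None else timestamp
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(host, dns_domain, realm, password, kvno=2, spns=("host", "nfs")):
    """HOST$ plus service principals mapped to the same account, all from one password."""
    key = rc4_hmac_key(password)
    fqdn = f"{host.lower()}.{dns_domain}"
    principals = [f"{host.upper()}$"] + [f"{svc}/{fqdn}" for svc in spns]
    return b"\x05\x02" + b"".join(keytab_entry(p, realm, key, kvno) for p in principals)


def read_keytab(blob):
    """Parse a 0x0502 keytab back into (principal@REALM, enctype, kvno, key) tuples."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")

    def cstr(pos):
        n, = struct.unpack(">H", blob[pos:pos + 2])
        return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n

    pos, entries = 2, []
    while pos < len(blob):
        size, = struct.unpack(">i", blob[pos:pos + 4]); pos += 4
        end = pos + size
        ncomp, = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        realm, pos = cstr(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = cstr(pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack(">IIB", blob[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4]); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = struct.unpack(">I", blob[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno, key))
        pos = end
    return entries


if __name__ == "__main__":
    # Constructed values: no real host, realm or password.
    kt = build_keytab("myhost", "example.com", "EXAMPLE.COM", "machine-secret")
    for name, et, vno, key in read_keytab(kt):
        print(f"{name} enctype={et} kvno={vno} key={key.hex()}")
    # Samba rotating the machine password silently invalidates every entry above:
    print(rc4_hmac_key("machine-secret") == rc4_hmac_key("rotated-secret"))
```

The keytab written here is byte-compatible with what `klist -k` reads, so it can be used to compare against one produced by ktpass; the comparison at the end of the block is the failure mode the thread describes: whichever side changes the account password last wins, and the other side's keytab stops working with no error until a service ticket is presented.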
resetting target milestone. 3.0.1 has been frozen. Will have to
Fixed in 3.0.6 (see the 'use keytab' smb.conf(5) option)
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.