From: Clayton Hill on 23 Apr 2010 17:10

John,

The posts in this original thread posed the question of whether net ads join was sufficient in all cases, as there are plenty of messy howto guides on the net with differing opinions on this, i.e. having to additionally set up Kerberos manually. The reason why some folks say to set up Kerberos by hand was enigmatic to say the least, and the thread died months ago.

Below is the use case where an additional Kerberos setup is needed to enable administration via the Computer Management snap-in, which does not work right with a "net ads join" only setup. I am hoping someone else can verify this result... and net ads join can be improved to allow proper config so the Computer Management console can be used normally with Samba without a separate Kerberos setup.

Regards,
Clayton Hill

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Friday, April 23, 2010 7:38 AM
To: Gary Wardell
Cc: Clayton Hill; samba@lists.samba.org
Subject: Re: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

Gary,

Microsoft Windows networking is a complex technology. When the MS Windows environment is set up appropriately, OpenSUSE 11.x should be able to join an Active Directory domain without requiring separate manual configuration of Kerberos. That should happen behind the YaST2 interface.

Please also be aware that you have copied a volunteer subscriber mailing list from which you may (or may not) receive answers. The answers you receive from this list are not necessarily correct, even though the person responding may have the best of intent. If you need professional assistance please refer to the commercial support listings at http://samba.org/samba/support

There is never a need to create local accounts when Active Directory domain membership has been correctly set up. It is not only not ideal, it also means that your system is not set up correctly at all.
Kind regards,
John Terpstra

On 04/22/2010 11:47 PM, Gary Wardell wrote:
> Hi,
>
> thank you for this information. Now if I can actually do it.
>
> I am a long time Windows admin and have never had to mess with Kerberos. Always I would simply go to the member machine and join the domain and everything would work. I sort of assumed Samba would be as easy and work the same way. Especially since my "friend" said that OpenSUSE with YaST would take care of all of the plumbing necessary to set things up. Not so, and I have been fighting with Samba ever since. I finally got it to sort of work by creating user accounts on the Linux machine that mirrored the AD accounts that were trying to access it. But that is far from ideal.
>
> Gary
>
>> -----Original Message-----
>> From: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org] On Behalf Of Clayton Hill
>> Sent: Thursday, April 22, 2010 17:49
>> To: samba@lists.samba.org
>> Cc: Duncan Fiander
>> Subject: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
>>
>> Hi folks!
>>
>> We finally have an answer to a question posted in 2009... and the answer is: YES SET UP KERBEROS.
>>
>> Here is the original thread:
>>
>> http://www.pubbs.net/200910/samba/27283-samba-is-it-ever-needed-to-set-up-kerberos-manually-if-you-use-samba-to-join-an-ads-domain-as-a-domain-member.html
>>
>> Now here is the correct answer:
>>
>> ------------------------------------------------------------------------
>>
>> Just a quick experiment for you to try.
>>
>> Logon to a samba member server that has joined a domain and run the following:
>>
>> This should show that we have no Kerberos ticket since we did not do a kinit.
>>
>> (This is because we used net ads join -U Administrator and joined the domain only through the net ads function.)
>>
>> #klist
>>
>> Now query the domain and check the response
>>
>> #net ads user
>>
>> #net ads group
>>
>> From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACLs on a Share and if it has any effect.
>>
>> Now initialize Kerberos.
>>
>> #kinit -U admin@MYDOMAIN.NET
>>
>> Re-run the commands above and note the change
>>
>> #klist
>>
>> #net ads user
>>
>> #net ads group
>>
>> From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACLs on a Share
>>
>> You should find that with Kerberos enabled we are able to see objects in AD we were not previously able to display.
>>
>> Also in the MMC Snap-In if you remove Everyone from the share you will no longer have access to the share. If you add Everyone back in, they will have access.
>>
>> You can also add ACLs via Windows Explorer as before.
>>
>> As you can see, this is an important ability you miss out on if you only use net ads join to get your Kerberos ticket.
>>
>> I would hope that a samba team contributor eventually implements this into the net ads join function better so this isn't needed.
>>
>> -Give credit where it is due-
>>
>> Originally Submitted by:
>>
>> Duncan Fiander
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Gary Wardell on 23 Apr 2010 01:10

Hi,

thank you for this information. Now if I can actually do it.

I am a long time Windows admin and have never had to mess with Kerberos. Always I would simply go to the member machine and join the domain and everything would work. I sort of assumed Samba would be as easy and work the same way. Especially since my "friend" said that OpenSUSE with YaST would take care of all of the plumbing necessary to set things up. Not so, and I have been fighting with Samba ever since. I finally got it to sort of work by creating user accounts on the Linux machine that mirrored the AD accounts that were trying to access it. But that is far from ideal.

Gary

> -----Original Message-----
> From: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org] On Behalf Of Clayton Hill
> Sent: Thursday, April 22, 2010 17:49
> To: samba@lists.samba.org
> Cc: Duncan Fiander
> Subject: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
>
> Hi folks!
>
> We finally have an answer to a question posted in 2009... and the answer is: YES SET UP KERBEROS.
>
> Here is the original thread:
>
> http://www.pubbs.net/200910/samba/27283-samba-is-it-ever-needed-to-set-up-kerberos-manually-if-you-use-samba-to-join-an-ads-domain-as-a-domain-member.html
>
> Now here is the correct answer:
>
> ------------------------------------------------------------------------
>
> Just a quick experiment for you to try.
>
> Logon to a samba member server that has joined a domain and run the following:
>
> This should show that we have no Kerberos ticket since we did not do a kinit.
>
> (This is because we used net ads join -U Administrator and joined the domain only through the net ads function.)
>
> #klist
>
> Now query the domain and check the response
>
> #net ads user
>
> #net ads group
>
> From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACLs on a Share and if it has any effect.
>
> Now initialize Kerberos.
>
> #kinit -U admin@MYDOMAIN.NET
>
> Re-run the commands above and note the change
>
> #klist
>
> #net ads user
>
> #net ads group
>
> From the Computer Management Snap-In on Windows, connect to the samba member server and check to see if you can change ACLs on a Share
>
> You should find that with Kerberos enabled we are able to see objects in AD we were not previously able to display.
>
> Also in the MMC Snap-In if you remove Everyone from the share you will no longer have access to the share. If you add Everyone back in, they will have access.
>
> You can also add ACLs via Windows Explorer as before.
>
> As you can see, this is an important ability you miss out on if you only use net ads join to get your Kerberos ticket.
>
> I would hope that a samba team contributor eventually implements this into the net ads join function better so this isn't needed.
>
> -Give credit where it is due-
>
> Originally Submitted by:
>
> Duncan Fiander
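The experiment quoted in both messages above (klist, then net ads user / net ads group, then kinit, then the same commands again) is easy to turn into a repeatable check for a Samba member server. The script below is an added example, not code from the thread or from the Samba project. It assumes MIT/Heimdal klist output (a TGT shows up as krbtgt/REALM@REALM), an upper-case AD realm, and that kinit takes the principal as its positional argument; the klist and net ads listings embedded in it are constructed samples, not captured output. It reports whether the admin's credential cache holds a TGT for the realm, prints the kinit line to run when it does not, and lists which AD objects became visible only after the ticket was obtained.

```shell
#!/bin/sh
# Added example (not from the thread): check the Kerberos precondition that the
# "net ads join only" experiment above exposes. Assumes MIT/Heimdal klist output
# and an upper-case AD realm. All sample inputs below are constructed.

# Return 0 if the klist text in $1 lists a TGT (krbtgt/REALM@REALM) for realm $2.
has_tgt_for_realm() {
    _klist_text=$1
    _realm=$2
    printf '%s\n' "$_klist_text" | grep -qF "krbtgt/${_realm}@${_realm}"
}

# Summarise the ticket state as one word: "tgt" or "none" (no cache, or no TGT for the realm).
ticket_state() {
    if has_tgt_for_realm "$1" "$2"; then
        echo tgt
    else
        echo none
    fi
}

# Build the principal that kinit takes as its argument: kinit admin@MYDOMAIN.NET
principal_for() {
    printf '%s@%s\n' "$1" "$2"
}

# Lines present in the post-kinit "net ads user"/"net ads group" listing ($2) but
# absent from the pre-kinit listing ($1): the AD objects the TGT made visible.
newly_visible() {
    printf '%s\n---SEP---\n%s\n' "$1" "$2" | awk '
        /^---SEP---$/               { seen_sep = 1; next }
        !seen_sep                   { before[$0] = 1; next }
        $0 != "" && !($0 in before) { print }
    '
}

# Constructed sample: klist on a server joined with "net ads join" only, before kinit.
SAMPLE_NO_TICKET='klist: No credentials cache found (filename: /tmp/krb5cc_0)'

# Constructed sample: klist after "kinit admin@MYDOMAIN.NET".
SAMPLE_WITH_TICKET='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MYDOMAIN.NET

Valid starting       Expires              Service principal
04/23/2010 17:10:00  04/24/2010 03:10:00  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 04/30/2010 17:10:00'

# Constructed samples: "net ads user" output before and after kinit.
SAMPLE_USERS_BEFORE='Administrator
Guest
krbtgt'
SAMPLE_USERS_AFTER='Administrator
Guest
krbtgt
duncan
clayton'

# Live check against the local klist; only runs when invoked as:
#   sh check_ads_tgt.sh --live MYDOMAIN.NET admin
if [ "${1:-}" = --live ]; then
    realm=${2:?realm required}
    admin=${3:-admin}
    out=$(klist 2>&1 || true)
    case $(ticket_state "$out" "$realm") in
        tgt)  echo "TGT for $realm present; net ads user / MMC ACL edits should work" ;;
        none) echo "no TGT for $realm; run: kinit $(principal_for "$admin" "$realm")" ;;
    esac
fi
```

Presence is not validity: klist still lists a ticket after it has expired, so a scheduled check should also compare the Expires column against the clock, and the MMC administration the thread describes will stop working again once the ticket lapses until kinit is run anew.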