From: Rajesh Ghanekar on 15 Dec 2009 14:10

Hi Ralf,

Ralf Hornik Mailings wrote:
> Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:
>
>> Hi Ralf,
>> Thanks for the help. But I was asking if all 4 points mentioned in my mail
>> are correct or not, like what if SRV records are not present, etc, then what
>> should go in krb5.conf and smb.conf?
>
> I'm not clear what you are asking for. All points 1 - 3 are true.
>
> Point 1 and 3. Have you got a working DNS? So getting kerberos
> credentials works without any krb5.conf (tested 1 minute before). (You
> only have to attach the kerberos realm when kinit e.g. "kinit
> user(a)REALM.ORG").

Thanks for the information. I have some more questions:

- I guess I don't need to do kinit manually if I am using the "net ads join" command, right?

- Does samba use SRV records for anything else other than finding out domain controller names? If not, I can do away without them by writing manual entries in /etc/krb5.conf. I will be using DNS, but no SRV records.

- I found that even when no SRV records are present and wrong (invalid hosts) IP addresses are configured for domain controllers (in smb.conf and /etc/krb5.conf), I am still able to join the domain. I am not sure if there is any component which actually does broadcasting and finds out if any domain controller is present using this fallback method?

Thanks,
Rajesh

> If not you have to set krb5.conf like:
>
> [libdefaults]
>   default_realm = REALM.ORG
> [realms]
>   REALM.ORG = {
>     kdc = master.realm.org:88
>     kdc = slave.realm.org:88
>     admin_server = master.realm.org:749
>     default_domain = realm.org
>   }
> [domain_realm]
>   .realm.org = REALM.ORG
>   realm.org = REALM.ORG
>
> Point 2. This is explained by itself and correct.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Rob Townley on 15 Dec 2009 18:20

On Tue, Dec 15, 2009 at 4:48 AM, Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:
> Hi All,
> I am using samba-3.2.11-0.1.145 in my setup. I have multiple domain controllers
> for a domain. I am confused on whether I need to edit /etc/krb5.conf or not. I am
> using MIT kerberos (krb5-1.4.3-19.34) on SLES10.
>
> Here is what I got from Samba HOWTO:
>
> 1. Adding entries in /etc/krb5.conf for "kdc =", "admin server =" and
> "password server =" is only necessary if SRV records are not there in the DNS
> server. If SRV records are there, no need to configure /etc/krb5.conf.
>
> 2. /etc/samba/smb.conf should contain the list of domain controllers in the
> "password server =" line (space separated) or can contain *, which will get
> the list from DNS SRV records.
>
> 3. If SRV records are not present (maybe I migrated my DNS server to a linux
> box), then I need to manually enter "kdc =", etc, lines in /etc/krb5.conf.

Why not put the SRV records into your own Linux DNS?

> 4. I can have multiple "kdc = " entries in /etc/krb5.conf, if I need to
> manually configure /etc/krb5.conf, but only a single "admin server =" and
> "password server =" line.
> How does this /etc/krb5.conf entry for admin server and password server
> become HA if the machine specified in admin server and password server goes
> down?
>
> Any help appreciated.
>
> Thanks,
> Rajesh
From: Ralf Hornik Mailings on 16 Dec 2009 05:40

Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:
> - I guess I don't need to do kinit manually if I am using "net ads
> join" command, right?

kinit is a good tool for testing a kerberos workstation, or when doing local GSSAPI authentication. Not needed for samba. In your smb.conf you have to set the realm unless your local domainname matches the realm name (with lower case).

> - Does samba use SRV records for anything else other than finding out domain
> controller names? If not, I can do away without them by writing manual entries
> in /etc/krb5.conf. I will be using DNS, but no SRV records.

When using no SRV records you have to set only the domain controllers in smb.conf. The other stuff (domainname, ...) is netbios related and does not use DNS. Additionally, the realm name in smb.conf must match a configuration in krb5.conf.

> - I found that even when no SRV records are present and wrong (invalid hosts)
> IP addresses configured for domain controllers (in smb.conf and /etc/krb5.conf),
> I am still able to join the domain. I am not sure if there is any component which
> actually does broadcasting and finds out if any domain controller present using
> this fallback method?

Samba version 3 can act as a Windows NT/200* member server or as a NT4 domain controller (CMIIW). As member server (your config) it uses RPC and/or SMB to join a domain. Kerberos is used by samba to do any local authentication e.g. getting a shell, or accessing network shares, by winbind for example, or pam.
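Ralf's point that the realm in smb.conf must match a realm configured in krb5.conf, and Rajesh's points 1 to 4 about listing "kdc =" and "password server =" entries by hand when DNS has no SRV records, as an added example that is not code from the thread or from Samba: a small Python check that parses both files (constructed samples inline, modelled on the krb5.conf quoted above) and reports the mismatches a join without SRV records would run into. The function names and the host backup.realm.org are assumptions made for the example.

```python
# Added example (not Samba's or MIT Kerberos' own code): cross-check the
# [realms] block of krb5.conf against smb.conf, the match the thread says a join needs.
import re
KRB5_CONF = """\
[realms]
  REALM.ORG = {
    kdc = master.realm.org:88
    kdc = slave.realm.org:88
    admin_server = master.realm.org:749
  }
"""  # constructed sample, mirrors the krb5.conf quoted in the thread

SMB_CONF = """\
[global]
  realm = REALM.ORG
  password server = master.realm.org slave.realm.org backup.realm.org
"""  # constructed; backup.realm.org is deliberately absent from krb5.conf

def parse_krb5_realms(text):
    """Return {realm: {key: [values]}} for every realm in the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms" and (m := re.match(r"(\S+)\s*=\s*\{", line)):
            current = realms.setdefault(m.group(1), {})
        elif section == "realms" and current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return realms

def smb_param(text, name):
    """Fetch one smb.conf parameter; Samba ignores case and spaces in names."""
    pattern = r"^\s*" + r"\s*".join(name.split()) + r"\s*=\s*(.*?)\s*$"
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None

def check_consistency(krb5_text, smb_text):
    """List what a DNS without SRV records would leave unresolved."""
    realms, realm = parse_krb5_realms(krb5_text), smb_param(smb_text, "realm")
    if realm not in realms:
        return [f"smb.conf realm {realm!r} has no [realms] entry in krb5.conf"]
    kdcs = {v.split(":")[0].lower() for v in realms[realm].get("kdc", [])}
    problems = [] if kdcs else [f"no kdc entries for {realm}: KDC lookup needs SRV records"]
    for host in (smb_param(smb_text, "password server") or "*").split():
        if host == "*" or host.lower() not in kdcs:
            problems.append(f"password server {host}: " + ("DC list comes from DNS SRV records"
                            if host == "*" else f"not a kdc of {realm} in krb5.conf"))
    return problems
```

Running check_consistency(KRB5_CONF, SMB_CONF) on the samples flags only backup.realm.org, the password server that has no matching kdc line.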