From: Clayton Hill on
Hi folks!



We finally have an answer to a question posted in 2009... and the answer
is: YES SET UP KERBEROS.

Here is the original thread:

http://www.pubbs.net/200910/samba/27283-samba-is-it-ever-needed-to-set-up-kerberos-manually-if-you-use-samba-to-join-an-ads-domain-as-a-domain-member.html





Now here is the correct answer:

--------------------------------------------------------------------------------

Just a quick experiment for you to try.



Log on to a Samba member server that has joined a domain and run the
following:



This should show that we have no Kerberos ticket since we did not do a
kinit.

(This is because we used net ads join -U Administrator and joined the
domain only through the net ads function.)

#klist



Now query the domain and check the response

#net ads user

#net ads group



From the Computer Management Snap-In on Windows, connect to the Samba
member server and check to see if you can change ACLs on a Share and if
it has any effect.



Now initialize Kerberos.

#kinit -U admin@MYDOMAIN.NET



Re-run the commands above and note the change

#klist

#net ads user

#net ads group



From the Computer Management Snap-In on Windows, connect to the Samba
member server and check to see if you can change ACLs on a Share



You should find that with Kerberos enabled we are able to see objects in
AD we were not previously able to display.



Also in the MMC Snap-In if you remove Everyone from the share you will
no longer have access to the share. If you add everyone back in, they
will have access.



You can also add ACLs via Windows Explorer as before.



As you can see, this is an important ability you miss out on if you only
use net ads join to get your Kerberos ticket.

I would hope that a Samba team contributor eventually implements this
into the net ads join function better so this isn't needed.





-Give credit where it is due-

Originally Submitted by:

Duncan Fiander
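
The before/after experiment from the message above, written as a script so the two states can be compared line by line. This is an added example, not part of the original post; the function names and the snapshot file layout are assumptions made for the example, and it assumes MIT Kerberos klist (for the -s flag) and Samba's net are on the PATH.

```shell
#!/bin/sh
# Added example: record what a Samba member server can list from AD
# before and after kinit. File layout and function names are hypothetical.

# snapshot LABEL DIR: save the ticket state and the AD user/group listings.
snapshot() {
    label=$1; dir=$2
    mkdir -p "$dir" || return 1
    # klist -s prints nothing; exit status 0 means a valid ticket cache exists.
    if klist -s 2>/dev/null; then
        echo yes > "$dir/$label.ticket"
    else
        echo no > "$dir/$label.ticket"
    fi
    # Sorted and de-duplicated so comm(1) can compare the two runs.
    net ads user  | sort -u > "$dir/$label.users"
    net ads group | sort -u > "$dir/$label.groups"
}

# count_new KIND DIR: objects listed in the "after" run but not in "before".
count_new() {
    # grep -c exits non-zero on a count of 0; the count is still printed.
    comm -13 "$2/before.$1" "$2/after.$1" | grep -c . || true
}

# report DIR: one summary line for the whole experiment.
report() {
    dir=$1
    echo "ticket before=$(cat "$dir/before.ticket") after=$(cat "$dir/after.ticket")" \
         "new_users=$(count_new users "$dir") new_groups=$(count_new groups "$dir")"
}
```

Source the file, run `snapshot before DIR`, do the kinit step by hand, then run `snapshot after DIR` and `report DIR`.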








