SAMBA again
Aaron Grewell
AGrewell
Fri Nov 18 15:41:52 PST 2005
On Fri, 2005-11-18 at 14:55 -0500, Matthew Carpenter wrote:
> On Friday 18 November 2005 13:07, Aaron Grewell wrote:
> >
> > Here's what happens from the Kerb side: When you 'net ads join' a
> > computer account is created in the domain. Your computer is now part of
> > the Kerberos realm, and can then authenticate users against the KDC (the
> > PDC in this case). When you use kinit you're authenticating a normal
> > user to test the Kerberos authentication and make sure it's working at
> > all. If it does, then Kerb isn't what's causing your problem. If all
> > you want from this machine is for it to be a Samba server then there's
> > no need to worry about PAM, but I believe you'll still need Winbind in
> > order to resolve the users from AD.
>
> > I'm not sure what you mean here. If the administrative account is
> > getting locked out that usually means a failed password attempt. If the
> > computer account is getting locked out that's something different.
> >
>
> So is there a kerberos daemon which needs to run on the server? Or is that
> only if you run a KDC?
Only on the KDC. In the case of AD, the Domain Controllers handle
Kerberos automatically. The Kerberos client bits are all that's needed
for Samba kerb support. Assuming Windows DNS, you shouldn't even need
to configure Kerberos. The Kerb client should be able to DNS-resolve
the KDCs without any help.
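
The checks discussed in this thread, collected into one script. This is an added example, not part of the original post; EXAMPLE.COM and testuser are constructed placeholders, and it assumes dig, Samba's net and wbinfo, and the Kerberos client tools are installed on the member server.

```shell
#!/bin/sh
# Added example. EXAMPLE.COM and "testuser" are constructed placeholders.

# SRV names a Kerberos client looks up to locate the KDCs of a realm.
kdc_srv_names() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$domain" "$domain"
}

# Run one check and report PASS/FAIL without stopping at the first failure.
step() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"; failures=$((failures + 1))
    fi
}

# True when at least one SRV record for the realm's KDCs resolves.
kdc_in_dns() {
    for name in $(kdc_srv_names "$1"); do
        [ -n "$(dig +short -t SRV "$name")" ] && return 0
    done
    return 1
}

check_member_server() {
    realm=$1; user=$2; failures=0
    step "KDC SRV records resolve"        kdc_in_dns "$realm"
    step "computer account join is valid" net ads testjoin
    step "winbind trust secret is valid"  wbinfo -t
    step "winbind resolves AD user"       wbinfo -n "$user"
    # kinit prompts for a password, so it runs outside step().
    if kinit "$user@$realm"; then echo "PASS  user ticket obtained"; klist
    else echo "FAIL  kinit"; failures=$((failures + 1)); fi
    return "$failures"
}

# Only run the checks when explicitly asked to, e.g.:
#   RUN_CHECKS=1 sh check.sh EXAMPLE.COM testuser
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_member_server "${1:?realm}" "${2:?user}"
fi
```

A failure in the first step points at DNS, a failure in the join or trust-secret steps points at the computer account, and a kinit failure alone points at the user's credentials.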