SAMBA again
Roger Oberholtzer
roger
Mon Nov 21 02:23:24 PST 2005
On Fri, 2005-11-18 at 13:28 -0800, Aaron Grewell wrote:
> On Fri, 2005-11-18 at 14:55 -0500, Matthew Carpenter wrote:
> > On Friday 18 November 2005 13:07, Aaron Grewell wrote:
> > >
> > > Here's what happens from the Kerb side: When you 'net ads join' a
> > > computer account is created in the domain. Your computer is now part of
> > > the Kerberos realm, and can then authenticate users against the KDC (the
> > > PDC in this case). When you use kinit you're authenticating a normal
> > > user to test the Kerberos authentication and make sure it's working at
> > > all. If it does, then Kerb isn't what's causing your problem. If all
> > > you want from this machine is for it to be a Samba server then there's
> > > no need to worry about PAM, but I believe you'll still need Winbind in
> > > order to resolve the users from AD.
> >
> > > I'm not sure what you mean here. If the administrative account is
> > > getting locked out that usually means a failed password attempt. If the
> > > computer account is getting locked out that's something different.
> > >
> >
> > So is there a kerberos daemon which needs to run on the server? Or is that
> > only if you run a KDC?
>
> Only on the KDC. In the case of AD, the Domain Controllers handle
> Kerberos automatically. The Kerberos client bits are all that's needed
> for Samba kerb support. Assuming Windows DNS, you shouldn't even need
> to configure Kerberos. The Kerb client should be able to DNS-resolve
> the KDC's without any help.
I may have missed this one in that jungle called 'the docs', but I see in
the samba logs that SAMBA is broadcasting its existence to the net using
its netbios name (sto-opq-src), but XP users need to use the FQD
(sto-opq-src.scc.se). Just using the netbios name does not work for
them. Sooo, should I be using the FQD as the netbios name? I would not
think so, but I have given up on relying on logic in this particular
area.
I have stepped back to user level security until (if...) ads security is
ever sorted out. That is a different set of problems, but at least they
can access something.
--
Roger Oberholtzer
OPQ Systems AB