# Kerberos 5 ticket renewal & 'net ads join' w/o authentication



## dougs (Oct 29, 2010)

Hello,

I have two issues with Kerberos administration and this results from my lack of familarity with it. I am hoping someone can point me in the right direction.

The first issue is with automatically renewing the Kerberos tickets. The second issue deals with my having to authenticate each time I attempt to join an AD domain. The Samba documentation indicates that I should *not* have to authenticate when holding a valid Kerberos ticket. When I join an AD domain using administrator credentials, I can basically administer a Samba server well.

I'm running FreeBSD 8.1 using Samba 3.4.9 and the base Heimdal. The AD domain is a W2K3 domain in mixed mode.

I basically used the information from this link listed below to build the configuration files listed above:

http://wiki.samba.org/index.php/Samba_&_Active_Directory

I also looked at several other sources such as :

http://www.freebsd.org/doc/handbook/kerberos5.html

The bottom line is that I'd like to receive a Kerberos ticket using proper authentication and use it to execute the 'net ads join' command without authentication and then continue to renew the ticket automatically.

Now, what changes do I need to do in order to 1) automatically renew Kerberos tickets and 2) be able to execute the 'net ads join' command without supplying a password?

Any pointers/assistance would be greatly appreciated! If I've left out relevant information, please don't hesitate to let me know.

~Doug

Here are the configuration files for the various components:

=============== /etc/krb5.conf ===============


```
[libdefaults]
    default_realm        = DOMAIN.LOCAL
    forwardable          = true

[appdefaults]
    default_realm = DOMAIN.LOCAL
    pam = {
        forwardable      = true
        krb4_convert     = false
        debug            = false
		ticket_lifetime  = 36000
		renew_lifetime   = 36000
    }

[realms]
    DOMAIN.LOCAL = {
        kdc              = aquila.domain.local:88
        kdc              = amd90001.domain.local:88
        admin_server     = aquila.domain.local:749
        kpasswd_server   = aquila.domain.local:464
        kpasswd_protocol = SET_CHANGE
        default_domain   = domain.local
    }

[domain_realm]
    domain.local = DOMAIN.LOCAL
   .domain.local = DOMAIN.LOCAL
   .DOMAIN.LOCAL = DOMAIN.LOCAL

[logging]
         default = FILE:/var/log/krb5lib.log
             kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
```

=============== /usr/local/etc/smb.conf ===============	


```
#======================= Global Settings =====================================
[global]
security = ads
realm = DOMAIN.LOCAL
;workgroup = DOMAIN
workgroup = DOMAIN
;password server = aquila.domain.local 
password server = *
server string = TEST 
netbios name = test 
encrypt passwords = yes 
ldap ssl = no 
client use spnego = yes
unix extensions = no
name resolve order = hosts dns wins lmhosts bcast
wins server = 192.168.xxx.xxx
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
load printers = no
disable spoolss = yes

# Log settings
log level = 1
log file = /var/log/samba/log.%m
max log size = 50
syslog = 1

# Browser settings
local master = no
domain master = no
preferred master = no

# ACL settings
inherit acls = yes
acl compatibility = auto
acl check permissions = true
acl map full control = true
dos filemode = yes

# Config domain security
;idmap backend = ad
;idmap alloc config: range = 50001 - 60000
idmap uid = 50001 - 60000
idmap gid = 50001 - 60000

;idmap config MYDOMAIN:default      = yes
;idmap config MYDOMAIN:backend      = ad
;idmap config MYDOMAIN:range        = 10000 - 50000
;idmap config MYDOMAIN:schema-mode  = sfu
hosts allow = 192.168.101., 192.168.102., 127., 10.8.

# Winbind settings
# Enable offline logon support
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind separator = -
winbind use default domain = no
allow trusted domains = no
;client schannel = no
winbind refresh tickets = yes

# client settings
;template homedir = /usr/home/%D/%U

admin users = @"DOMAIN-domain admins"


#============================ Share Definitions ==============================

[install-public]
   comment = /home/install
   browseable = yes
   path = /home/install
   writable = yes
   create mask = 0774
   directory mask = 0774
   valid users = @"DOMAIN-domain admins"
```

Samba was installed using the following options:


```
OPTIONS=        LDAP            "With LDAP support" off \
                ADS             "With Active Directory support" on \
                CUPS            "With CUPS printing support" on \
                WINBIND         "With WinBIND support" on \
                SWAT            "With SWAT WebGUI" off \
                ACL_SUPPORT     "With ACL support" on \
                AIO_SUPPORT     "With Asyncronous IO support" on \
                FAM_SUPPORT     "With File Alteration Monitor" off \
                SYSLOG          "With Syslog support" off \
                QUOTAS          "With Disk quota support" off \
                UTMP            "With UTMP accounting support" off \
                PAM_SMBPASS     "With PAM authentication vs passdb backends" off \
                DNSUPDATE       "With dynamic DNS update(require ADS)" off \
                AVAHI           "With Bonjour service discovery support" off \
                EXP_MODULES     "With experimental modules" off \
                POPT            "With system-wide POPT library" on \
                MAX_DEBUG       "With maximum debugging" off \
                SMBTORTURE      "With smbtorture" off
```

=============== /etc/nsswitch.conf ===============	


```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1 2009/08/03 08:13:06 kensmith Exp $
#
#group: compat
group: files winbind
group_compat: nis
#hosts: files dns wins
hosts: files dns
networks: files
#passwd: compat
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```


----------

