On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale <JCasale at activenetwerx.com> wrote:
>> Ok, here are the default settings that my kickstart file creates to
>> allow me to join the domain and have samba manage the keytab.
>
> Ross,
> I was out of town and missed this thread which is of great interest to me
> as well. When you say "have samba manage the keytab" do you mean not use one
> as have a dedicated service account on the DC and have it generate the keytab
> and have it copied over? A lot of solutions I have seen use that procedure which
> I have never wanted to do for obvious reasons.

If you don't have a keytab file when you use samba to join to the domain and
you have 'use kerberos keytab = yes' set in your smb.conf, then samba creates
one and populates it with the AD compatible host SPNs and machine password.
From that point on it will keep the keytab in sync. I don't know if it will
add these if SPNs already exist; I haven't tried it.

> Also, I see you also configure ldap to point towards what looks like your AD
> server as well. How come you use both Samba/Winbind and ldap?

LDAP wasn't necessary, I use it for querying AD attributes using the OpenLDAP
tools (I don't trust Microsoft and think they hide attributes in ADSIEdit!).
Though I could have used NSS_LDAP instead of Winbind, I would just need to set
UID/GID for every user and group in AD, which was just too much of a PITA.

-Ross
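As an added illustration of the Samba-managed keytab Ross describes (example code, not from the thread or Ross's kickstart file): the smb.conf settings involved, the join and listing commands, and two checks a defender would run on the resulting keytab. The realm, domain and host names are placeholders, and the sample klist output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original message. Domain, realm and host
# names below are placeholders.

# 1. [global] settings in smb.conf for an AD member whose keytab Samba
#    creates and keeps in sync. 'use kerberos keytab = yes' is the option
#    the message refers to; current Samba releases express the same thing
#    as 'kerberos method = secrets and keytab'.
SMB_CONF_GLOBAL='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   use kerberos keytab = yes
   winbind use default domain = yes'

# 2. With that in place the join that creates /etc/krb5.keytab is
#       net ads join -U Administrator
#    and the keytab contents are listed with
#       klist -k /etc/krb5.keytab
#    Neither command is run here, since this script has no domain to join.

# 3. check_host_spns: read 'klist -k' output on stdin and succeed only if a
#    host/<fqdn>@<REALM> principal is present ($1 = FQDN, $2 = realm).
check_host_spns() {
    grep -q "host/$1@$2"
}

# 4. check_kvno_consistent: read 'klist -k' output on stdin and succeed only
#    if every principal carries the same KVNO. A mix of KVNOs means some
#    entries are stale relative to the current machine password, which is
#    exactly what "keep the keytab in sync" is supposed to prevent.
check_kvno_consistent() {
    n=$(awk '/@/ { print $1 }' | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample of 'klist -k' output after a successful join.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fs01.example.com@EXAMPLE.COM
   3 host/FS01@EXAMPLE.COM
   3 FS01$@EXAMPLE.COM'
```

Run both checks against real output with `klist -k /etc/krb5.keytab | check_host_spns "$(hostname -f)" EXAMPLE.COM` and the same pipe into `check_kvno_consistent`.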