Hubba's Blog

Category Archives | Automation | HowTo | Packaging (RPM) | Shell Scripting | System - AIX | System - Apple / OSX | System - Linux | System - Solaris | System - Windows | Virtualization |

Date Archives | June 2025 | February 2025 | December 2024 | March 2024 | February 2024 | December 2023 | August 2023 | June 2023 | March 2023 | October 2022 | June 2022 | November 2020 | March 2012 | December 2011 | October 2011 | September 2011 | December 2010 | July 2010 | June 2010 |

RSS Feed

EXIT

Archive for the System - Windows category

Managing AD Computer Accounts with adcli and kerberos on Linux

Posted on Mon, Jun 02, 2025 at 12:12 by Hubertus A. Haniel

When configuring Samba on Linux against active directory these steps are part of this as well but you may just want to use kerberos on its own so these are the initial streps to get it working on RHEL8/9

First you need to install the krb5-workstation and adcli packages which should be available in the default repos.

Then you need to configure /etc/krb5.conf to reflect your AD domain (mine is upnor.localnet.lan)

    
 includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = UPNOR.LOCALNET.LAN
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  UPNOR.LOCALNET.LAN = {
  kdc = 192.168.0.10
  }

Now we need to join the domain and for this the command is something like:

 adcli join -v --domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan
  

Note that the OU stuff seems back to front to what it shows in the Windows Active Directory GUI where my OU or path is "\SERVERS\Unix Samba Servers" and you obviously have to escape the spaces with \ - The userid needs to be somebody that has the rights to manage computer accounts in that OU. - This has to be run as root.

The command will create the computer account and the /etc/krb5.keytab file.

You should now be able to get a kerberos ticket with "kinit <userid>"

Now we are in a position to run other commands and we can authenticate against AD with the kerberos ticket (-C option)

So we can for example create a SPN for our host (again as root as /etc/krb5.keytab will get modified)

 adcli update --add-service-principal=cifs/alias.upnor.localnet.lan --domain "upnor.localnet.lan" -v -C
  

alias.localnet.lan is an alias to my server running samba and we may need this to authenticate against samba on this server using this alias. - All these commands I have run in verbose mode (-v) as with this command I noticed that while adding an SPN where the update in AD failed but it still carried on updating the local keytab file.

We should be able to query the SPN from a windows client using "setspn -T upnor.localnet.lan -Q */alias.upnor.localnet.lan"

We can also pre-set a computer account for another server that may not have adcli installed but we want to join the domain using samba with "net ads join -U <userid>" because samba for some reason does not create computer accounts and certainly can not create them in a specific OU:

 adcli preset-computer <other server name> -domain "upnor.localnet.lan" -U <userid> -O OU=Unix\ Samba\ Servers,OU=SERVERS,DC=upnor,DC=localnet,DC=lan -v -C
  

The only bit I can not figure out is how to edit the SPN's for a remote host like you can with setspn in windows - I have, without success, tried various combinations to archive the same as:

 setspn -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the domain
 setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"   

If you work it out - let me know and I will add it here!

Edited on: Mon, Jun 02, 2025 13:30

Posted in HowTo (RSS), System - Linux (RSS), System - Windows (RSS)

Nothing for Windows?

Posted on Wed, Aug 02, 2023 at 14:24 by Hubertus A. Haniel

Hmm - just clicking around the links I noticed I have a Windows category which is completely empty - Well not sure why I even created a Windows category as I do very little with Windows so that is why it would be empty. Only thing is I do with Windows is that I run a samba server in my house as an old NT domain controller and even that is now becoming redundant since Windows 10 does not work with that and I hardly ever use Windows 10 since I have an Apple Mac book.

Posted in System - Windows (RSS)

Welcome - Notes from a Linux/Unix Engineer

Posted on Tue, Jun 01, 2010 at 11:11 by Hubertus A. Haniel

I used to collect notes documents and HOWTO's at http://www.rootunix.org  which are now archived at http://www.unixcook.com/old-unix-docs/  as it was difficult to maintain and I got lazy with it. I have come across a cross-platform blog software called Thingamablog   which is written in Java so it works on Windows and Unix and I am hoping that it will enable me to publish useful notes at a quicker pace with not a lot of messing around.

We will see how successful that will be....

Posted in Automation (RSS), HowTo (RSS), Packaging (RPM) (RSS), Shell Scripting (RSS), System - AIX (RSS), System - Apple / OSX (RSS), System - Linux (RSS), System - Solaris (RSS), System - Windows (RSS), Virtualization (RSS)