Start from a freshly installed computer :)!!

  1. install samba and kerberos
    urpmi samba-client samba-winbind krb5-workstation pam_krb5
  2. configure
    1. /etc/samba/smb.conf:
      workgroup = DPTINFO
      realm = DPTINFO.URS.LOCAL
      security = ads
      password server = *
      use kerberos keytab = yes
    2. /etc/krb5.conf:
      [libdefaults]
      default_realm = DPTINFO.URS.LOCAL
      [realms]
      DPTINFO.URS.LOCAL = {
      kdc = myad.u-strasbg.fr:88
      admin_server = myad.u-strasbg.fr:749
      default_domain = u-strasbg.fr
      }
      [domain_realm]
      .u-strasbg.fr = DPTINFO.URS.LOCAL
  3. Join the AD domain:
    1. Do it:
      $ su -
      Password: ******
      # kinit Administrator
      Password for Administrator@DPTINFO.URS.LOCAL: ******
      # net ads join
      #
    2. Verify:
      # net ads status
      ... Lot of stuff...
      You should see several //servicePrincipalName// entries: HOST/FQDN, HOST/hostname, CIFS/FQDN and CIFS/hostname. If your DNS domain name isn't your AD REALM, you should see two FQDNs; in my example I see HOST/ibis.u-strasbg.fr and HOST/ibis.dptinfo.urs.local
  4. On a domain controller with the Support Tools installed, verify from a cmd.exe window that your Linux box is ready:
    $ setspn -L ibis
    HOST/ibis.u-strasbg.fr
    HOST/ibis
    HOST/ibis.dptinfo.urs.local
    CIFS/ibis.u-strasbg.fr
    CIFS/ibis
    CIFS/ibis.dptinfo.urs.local
  5. Add the SPN for nfs:
    $ setspn -A nfs/ibis ibis
    Registering ServicePrincipalNames for CN=ibis,CN=Computers,DC=DPTINFO,DC=URS,DC=LOCAL
    nfs/ibis.u-strasbg.fr
    Updated object
    (add nfs/FQDN too)
  6. You can verify with setspn -L ibis that the SPN has been added.
  7. Try to use your new SPN on the Linux box:
    # kvno nfs/ibis.u-strasbg.fr
    nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL: kvno = 0
    and after that, verify that the ticket is valid:
    # klist |grep nfs
    06/17/06 06:48:07 06/17/06 13:09:35 nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL

Here comes the problem: it seems that we can't use this SPN for rpc.gssd. What is more confusing is that the keytab which can be generated on Windows doesn't seem to be valid:

# kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials

# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
1 nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL (DES cbc mode with CRC-32)
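The keytab and ticket checks above, as an added shell example that is not from the original page: it parses the text output of `klist -k -e` and `kvno` in the shape shown on this page (constructed sample copies are embedded so it runs offline) and reports whether the nfs principal is in the keytab, whether its key version matches what the KDC issued, and whether the key is single DES. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed sample outputs
# (same shape as on the page); in real use replace them with the output of
# `klist -k -e` and `kvno "$SPN"` run as root on the Linux box.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL (DES cbc mode with CRC-32)'
SAMPLE_KVNO='nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL: kvno = 0'
SPN='nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL'

# keytab_kvno <klist output> <principal>: KVNO of the keytab entry, or nothing.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# keytab_enctype <klist output> <principal>: the enctype text in parentheses.
keytab_enctype() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$2 == p { sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print; exit }'
}

# kdc_kvno <kvno output>: key version the KDC used for the service ticket.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_spn <klist output> <kvno output> <principal>
# Exit status: 0 usable, 1 not in keytab, 2 KVNO mismatch, 3 single-DES key.
check_spn() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then
        echo "$3: not in keytab"; return 1
    fi
    if [ "$kt" != "$kdc" ]; then
        echo "$3: keytab KVNO $kt != KDC kvno $kdc (key exported before a reset?)"
        return 2
    fi
    case $(keytab_enctype "$1" "$3") in
        DES*) echo "$3: single-DES key; weak, disabled by default in modern krb5"
              return 3 ;;
    esac
    echo "$3: keytab entry usable"
}

check_spn "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$SPN" || echo "check failed, status $?"
```

On the sample from this page the check stops at the KVNO comparison, since the keytab entry is version 1 while the KDC issued the ticket with kvno 0.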