The minimum smb.conf contains the lines given in Example 7-2.
Example 7-2 smb.conf for joining Active Directory domain
[global]
realm = AD6380.LOCAL
security = ads
password server = SMB3LAB26
For the realm take care to use the correct case, since Kerberos is case sensitive.
The minimum krb5.conf looks like Example 7-3.
Example 7-3 krb5.conf for joining Windows 200x Kerberos realm
[libdefaults]
default_realm = AD6380.LOCAL
[realms]
AD6380.LOCAL = {
kdc = SMB3LAB26:88
admin_server = SMB3LAB26
}
[domain_realm]
.kerberos.server = AD6380.LOCAL
Make sure the name of the Kerberos server is in the DNS in such a way that a
reverse lookup on the IP address returns the NetBIOS name of the KDC or the
NetBIOS name followed by the realm. It should not return the host name with a
domain attached. The easiest way to ensure this is by adding an entry for it to
/etc/hosts.
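The realm-case and reverse-lookup requirements above can be checked before attempting the join. The following script is an added example, not part of the original document: the function names are hypothetical, the parser assumes simple "key = value" lines, and the sample files are constructed from Examples 7-2 and 7-3.

```shell
#!/bin/sh
# Added example (not from the original document): pre-join consistency checks.

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Print the value of the first "KEY = value" line in FILE, blanks trimmed.
conf_value() {  # usage: conf_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ || !/=/ { next }
        { k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# 0 = realms agree, 1 = they differ only in case, 2 = any other problem.
check_realms() {  # usage: check_realms SMB_CONF KRB5_CONF
    smb_realm=$(conf_value "$1" realm)
    krb_realm=$(conf_value "$2" default_realm)
    [ -n "$smb_realm" ] && [ -n "$krb_realm" ] || { echo "realm not set" >&2; return 2; }
    if [ "$smb_realm" != "$krb_realm" ]; then
        echo "realm mismatch: '$smb_realm' vs '$krb_realm'" >&2
        [ "$(upper "$smb_realm")" = "$(upper "$krb_realm")" ] && return 1
        return 2
    fi
    [ "$(conf_value "$2" "$krb_realm")" = "{" ] && return 0
    echo "no [realms] entry for $krb_realm" >&2; return 2
}

# 0 when a reverse-lookup result is the KDC NetBIOS name alone or followed by
# the realm. DNS names are compared case-insensitively.
ptr_name_ok() {  # usage: ptr_name_ok RETURNED_NAME NETBIOS_NAME REALM
    got=$(upper "${1%.}")
    [ "$got" = "$(upper "$2")" ] || [ "$got" = "$(upper "$2.$3")" ]
}

# Constructed sample input: the two example files from this section.
write_samples() {  # usage: write_samples DIR
    printf '[global]\nrealm = AD6380.LOCAL\nsecurity = ads\npassword server = SMB3LAB26\n' > "$1/smb.conf"
    printf '[libdefaults]\ndefault_realm = AD6380.LOCAL\n[realms]\nAD6380.LOCAL = {\nkdc = SMB3LAB26:88\nadmin_server = SMB3LAB26\n}\n' > "$1/krb5.conf"
}

demo=$(mktemp -d) && write_samples "$demo"
check_realms "$demo/smb.conf" "$demo/krb5.conf" && echo "realms consistent"
ptr_name_ok "smb3lab26.ad6380.local." SMB3LAB26 AD6380.LOCAL && echo "reverse name ok"
rm -rf "$demo"
```

On a real client, pass the actual smb.conf and krb5.conf paths to check_realms, and give ptr_name_ok the name that a reverse lookup of the KDC's IP address returned.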
Since Kerberos tickets are heavily time dependent, it is important to make sure
that the AD server and clients have the same time. As Windows clients get their
time from the domain controller, the Linux client can use Samba tools to get the
time from the server as well. You do this using the net time set command. This
fetches the time from the AD server and sets the local clock.
Important: Make sure clients and the Active Directory (or Kerberos) server
have the same time within a defined allowed skew.
You can test the Kerberos configuration by doing a kinit USERNAME@REALM to
make sure the password is accepted by the Windows 200x KDC.