Mike Leone on 23 Mar 2010 11:11:51 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Problems configuring Kerberos for use with Samba and Active Directory

I know that I used to have this working, and then I went and started 
playing, and seem to have screwed something up royally.

Here's what I have - A Windows 2003 domain named "dacrib.local". The DC 
in that domain is called "dim-win2300" (IP I have an Ubuntu 
9.04 server. Previously, I had added it to the AD domain. But I'm 
getting errors now.

root@workhorse:/etc# /etc/init.d/krb5-kdc restart
  * Restarting Kerberos KDC krb5kdc 
               krb5kdc: cannot initialize realm DACRIB.LOCAL - see log 
file for details

root@workhorse:/etc# tail -f /var/log/messages
Mar 23 13:46:39 workhorse krb5kdc[4869]: No such file or directory - 
while initializing database for realm DACRIB.LOCAL

root@workhorse:/etc# kinit administrator@DACRIB.LOCAL
kinit(v5): Cannot resolve network address for KDC in realm DACRIB.LOCAL 
while getting initial credentials

I am following 
<http://wiki.samba.org/index.php/Samba_&_Active_Directory> this page as 
examples. This is the first step, before even configuring Samba. And I'm 
failing here, altho I can't see why.

Here's my krb5.conf. Can somebody slap me upside the head, and tell me 
where I went wrong?

root@workhorse:/etc# more krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = DACRIB.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

    kdc = dim-win2300.dacrib.local
    admin_server = dim-win2300.dacrib.local
    default_domain = dacrib.local

.kerberos.server = DACRIB.LOCAL
.dacrib.local    = DACRIB.LOCAL

profile = /etc/krb5kdc/kdc.conf

pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false


The krb5kdc.conf:

root@workhorse:/etc/krb5kdc# more kdc.conf
     kdc_ports = 750,88

         database_name = /var/lib/krb5kdc/principal
         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file = /etc/krb5kdc/kadm5.acl
         key_stash_file = /etc/krb5kdc/stash
         kdc_ports = 750,88
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal 
des:normal des:v4 des:norealm des:onlyrealm des:afs3
         default_principal_flags = +preauth
The AD is functioning fine, as my Windows clients have no problems 
finding it, and logging in. So my problem must be my config here. But I 
don't see where.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug