Re: [PLUG] Problems configuring Kerberos for use with Samba and Active Directory
|
Jason Stelzer had this to say:
> can you ping dim-win2300.dacrib.local ? It looks like you're having a
> resolver problem with the name of the kdc, so no tickets for you.
Yep, and I found out why - I had an entry in the hosts file for
dim-win2300, but had typoed it as "dim-win2003". The DNS was properly
resolving, but the hosts file was not correct. Once I fixed that, I was
able to get a ticket.
root@workhorse:/var/lib# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DACRIB.LOCAL
Valid starting     Expires            Service principal
03/23/10 14:59:01  03/24/10 00:59:01  krbtgt/DACRIB.LOCAL@DACRIB.LOCAL
        renew until 03/24/10 14:59:01
03/23/10 15:00:55  03/24/10 00:59:01  dim-win2300$@DACRIB.LOCAL
        renew until 03/24/10 14:59:01
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I hate hosts files. :-) I should have just left it up for the DNS to
resolve ...
Anyways, that seems to have fixed that. And once I restarted samba, I
was able to browse to it right off, from the other Windows stations on
the LAN.
root@workhorse:/var/lib# net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Tue, 23 Mar 2010 15:07:35 EDT
KDC server: 10.0.0.60
Server time offset: -5
Thank goodness it was something simple. :-)
Thanks
> Double check that your dns is returning what you expect it to for the
> hosts. Once you get dns working correctly again, make sure you can
> ping the kdc and try again. If you can ping it, try adding a -V and
> see if that sheds any more light on things?
>
> On Tue, Mar 23, 2010 at 2:11 PM, Mike Leone <turgon@mike-leone.com> wrote:
>> I know that I used to have this working, and then I went and started
>> playing, and seem to have screwed something up royally.
>>
>> Here's what I have - A Windows 2003 domain named "dacrib.local". The DC
>> in that domain is called "dim-win2300" (IP 10.0.0.60). I have an Ubuntu
>> 9.04 server. Previously, I had added it to the AD domain. But I'm
>> getting errors now.
>>
>> root@workhorse:/etc# /etc/init.d/krb5-kdc restart
>>  * Restarting Kerberos KDC krb5kdc
>> krb5kdc: cannot initialize realm DACRIB.LOCAL - see log file for details
>> [fail]
>>
>> root@workhorse:/etc# tail -f /var/log/messages
>> Mar 23 13:46:39 workhorse krb5kdc[4869]: No such file or directory - while initializing database for realm DACRIB.LOCAL
>>
>> root@workhorse:/etc# kinit administrator@DACRIB.LOCAL
>> kinit(v5): Cannot resolve network address for KDC in realm DACRIB.LOCAL while getting initial credentials
>>
>> I am following
>> <http://wiki.samba.org/index.php/Samba_&_Active_Directory> this page as
>> an example. This is the first step, before even configuring Samba. And I'm
>> failing here, although I can't see why.
>>
>> Here's my krb5.conf. Can somebody slap me upside the head, and tell me
>> where I went wrong?
>>
>> -------------------------------------------
>> root@workhorse:/etc# more krb5.conf
>> [logging]
>>     default = FILE:/var/log/krb5libs.log
>>     kdc = FILE:/var/log/krb5kdc.log
>>     admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>     default_realm = DACRIB.LOCAL
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = false
>>     ticket_lifetime = 24h
>>     forwardable = yes
>>
>> [realms]
>>     DACRIB.LOCAL = {
>>         kdc = dim-win2300.dacrib.local
>>         admin_server = dim-win2300.dacrib.local
>>         default_domain = dacrib.local
>>     }
>>
>> [domain_realm]
>>     .kerberos.server = DACRIB.LOCAL
>>     .dacrib.local = DACRIB.LOCAL
>>
>> [kdc]
>>     profile = /etc/krb5kdc/kdc.conf
>>
>> [appdefaults]
>>     pam = {
>>         debug = false
>>         ticket_lifetime = 36000
>>         renew_lifetime = 36000
>>         forwardable = true
>>         krb4_convert = false
>>     }
>>
>> -------------------------------------
>>
>> The krb5kdc.conf:
>>
>> root@workhorse:/etc/krb5kdc# more kdc.conf
>> [kdcdefaults]
>>     kdc_ports = 750,88
>>
>> [realms]
>>     DACRIB.LOCAL = {
>>         database_name = /var/lib/krb5kdc/principal
>>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>>         acl_file = /etc/krb5kdc/kadm5.acl
>>         key_stash_file = /etc/krb5kdc/stash
>>         kdc_ports = 750,88
>>         max_life = 10h 0m 0s
>>         max_renewable_life = 7d 0h 0m 0s
>>         master_key_type = des3-hmac-sha1
>>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
>>         default_principal_flags = +preauth
>>     }
>> -------------------------------------
>> The AD is functioning fine, as my Windows clients have no problems
>> finding it, and logging in. So my problem must be my config here. But I
>> don't see where.
>>
>> Anyone?
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
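The hosts-file typo in this thread is the kind of thing that is hard to spot by eye and that DNS checks alone will not surface: with the usual "hosts: files dns" order in /etc/nsswitch.conf, an /etc/hosts entry wins over a correct DNS answer. The script below is an added example, not code from the thread, from Samba or from MIT Kerberos. It pulls the kdc/admin_server names out of a krb5.conf [realms] block and checks each against a hosts file, reporting names that are absent from the hosts file but have a look-alike entry (a first label of the same length differing in at most two characters, a threshold chosen for this example). The krb5.conf and hosts files it writes to a temporary directory are constructed sample data modelled on the realm and addresses above, not the poster's real files. It is POSIX sh plus awk and runs offline; on a real box you would point it at /etc/krb5.conf and /etc/hosts and then confirm the live answer with `getent hosts` and `dig`, which this example deliberately does not call.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the KDC host names in a
# krb5.conf [realms] block against a hosts file, to catch a mistyped or stale
# /etc/hosts entry of the kind described above. With the usual
# "hosts: files dns" order in /etc/nsswitch.conf a hosts entry wins over DNS,
# so a bad one breaks kinit even when DNS is correct.

# kdc_names CONF: print every host named by a "kdc =" or "admin_server ="
# line inside [realms], lower-cased, port suffix removed, de-duplicated.
kdc_names() {
    awk '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        in_realms && /^[[:space:]]*(kdc|admin_server)[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")    # drop the "kdc = " prefix
            sub(/[[:space:]]*#.*$/, "")        # drop a trailing comment
            sub(/:[0-9]+$/, "")                # drop an explicit ":88" port
            sub(/[[:space:]]+$/, "")
            if ($0 != "") print tolower($0)
        }
    ' "$1" | sort -u
}

# hosts_ip HOSTS NAME: print the address HOSTS assigns to NAME (any name
# field, case-insensitive, comments ignored); prints nothing if absent.
hosts_ip() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(want)) { print $1; exit } }
    ' "$1"
}

# near_misses HOSTS NAME: print hosts-file names whose first label has the
# same length as NAME's first label and differs in at most two characters
# (dim-win2003 vs dim-win2300). The threshold is a heuristic chosen here.
near_misses() {
    awk -v want="$2" '
        function label(s) { sub(/\..*/, "", s); return s }
        BEGIN { want = label(tolower(want)); n = length(want) }
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                cand = label(tolower($i))
                if (cand == want || length(cand) != n) continue
                d = 0
                for (k = 1; k <= n && d <= 2; k++)
                    if (substr(cand, k, 1) != substr(want, k, 1)) d++
                if (d <= 2) print $i
            }
        }
    ' "$1"
}

# check_kdc_hosts CONF HOSTS: one status line per KDC name; returns 1 if any
# name is missing from HOSTS while a look-alike entry is present.
check_kdc_hosts() {
    rc=0
    for name in $(kdc_names "$1"); do
        ip=$(hosts_ip "$2" "$name")
        if [ -n "$ip" ]; then
            echo "OK      $name -> $ip (hosts file entry; DNS not consulted)"
            continue
        fi
        miss=$(near_misses "$2" "$name" | sort -u |
               awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 }')
        if [ -n "$miss" ]; then
            echo "SUSPECT $name: no hosts entry, but look-alike name(s): $miss"
            rc=1
        else
            echo "DNS     $name: not in hosts file, resolver falls through to DNS"
        fi
    done
    return $rc
}

# Constructed sample data modelled on the thread's realm (not the poster's
# actual files): a minimal krb5.conf, a hosts file with the typo, a fixed one.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DACRIB.LOCAL
    dns_lookup_kdc = false

[realms]
    DACRIB.LOCAL = {
        kdc = dim-win2300.dacrib.local:88
        admin_server = dim-win2300.dacrib.local
    }
EOF
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1   localhost
10.0.0.60   dim-win2003.dacrib.local dim-win2003   # typo for dim-win2300
EOF
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1   localhost
10.0.0.60   dim-win2300.dacrib.local dim-win2300
EOF

check_kdc_hosts "$tmp/krb5.conf" "$tmp/hosts.bad" || echo "fix the hosts file, then retry kinit"
check_kdc_hosts "$tmp/krb5.conf" "$tmp/hosts.good"
```

Against the typo'd hosts file the check prints a SUSPECT line naming both look-alike entries and returns non-zero; against the corrected file it prints the OK line with the address the resolver will actually use. A name that is in neither file is reported as falling through to DNS, which is the case where `dns_lookup_kdc = false` makes the `kdc =` line in krb5.conf the only thing the library has to go on.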