ldap and active directory configuration
Scott Grizzard
scott at scottgrizzard.com
Thu Jul 15 09:54:45 MDT 2010
Does the machine account appear in AD?
On Jul 15, 2010 4:30 AM, "Malcolm Bodger" <M.Bodger at westminster.ac.uk> wrote:
Hi Scott,
Yes, I configured kerberos, but running 'getent passwd' only lists the local users.
The /etc/krb5.conf:
[libdefaults]
    default_realm = INTRANET.WMIN.AC.UK
# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
    ticket_lifetime = 24000
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    INTRANET.WMIN.AC.UK = {
        kdc = ISLS-INT-DC-6.WMIN.AC.UK
        admin_server = ISLS-INT-DC-6.WMIN.AC.UK
        default_domain = INTRANET.WMIN.AC.UK
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK
    intranet.wmin.ac.uk = INTRANET.WMIN.AC.UK
[login]
    krb4_convert = true
    krb4_get_tickets = false
The /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The wbinfo -u and -g options do return the users and groups.
Thanks,
Malcolm.
------------------------------
From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Thu 15/07/2010 08:49
To: Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: Re: RE: ldap and active directory configuration
Did you configure Kerberos for that server? What does your krb5.conf look like?
How about you nsswi...
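For the symptom discussed in this thread (wbinfo -u lists domain users but getent passwd shows only local accounts), here is an added diagnostic script; it is not code from the thread or from Samba. It assumes glibc (ldconfig -p) and /etc/nsswitch.conf, and it checks a single user with getent rather than enumerating, because a bare 'getent passwd' lists domain users only when smb.conf sets 'winbind enum users = yes', which is off by default.

```shell
#!/bin/sh
# Added diagnostic for the "wbinfo works, getent does not" symptom; it is not
# code from this thread. Assumed: glibc (ldconfig) and /etc/nsswitch.conf.

# Print the source list of one NSS database from a nsswitch.conf-style file.
# Usage: nss_sources <file> <database>   e.g. nss_sources /etc/nsswitch.conf passwd
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if the database's source list names winbind.
nss_has_winbind() {
    nss_sources "$1" "$2" | tr ' ' '\n' | grep -qx winbind
}

# Given a file of domain users (as printed by 'wbinfo -u') and a file of
# 'getent passwd' output, print the domain users NSS did not resolve.
users_missing_from_nss() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($0 in seen)' "$2" "$1"
}

# Live checks, run only where the winbind tools are installed. A per-user
# lookup is the decisive test: it needs only libnss_winbind, whereas a bare
# 'getent passwd' lists domain users only with 'winbind enum users = yes'
# in smb.conf, and that option is off by default.
if command -v wbinfo >/dev/null 2>&1; then
    nss_has_winbind /etc/nsswitch.conf passwd \
        || echo "passwd line in /etc/nsswitch.conf does not list winbind"
    ldconfig -p 2>/dev/null | grep -q libnss_winbind.so.2 \
        || echo "libnss_winbind.so.2 not found via ldconfig -p"
    first=$(wbinfo -u 2>/dev/null | head -n 1)
    if [ -n "$first" ]; then
        if getent passwd "$first" >/dev/null; then
            echo "NSS resolves $first: winbind is wired in; enumeration is off"
        else
            echo "NSS cannot resolve $first: nsswitch or libnss_winbind problem"
        fi
    fi
fi
```

Run it as root on the joined host; the two helper functions can also be fed saved copies of 'wbinfo -u' and 'getent passwd' output to list exactly which domain users NSS fails to resolve.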