[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Tue May 2 16:28:23 UTC 2017


On Tue, 02 May 2017 18:01:01 +0200
Andreas Schneider <asn at samba.org> wrote:

> The MIT library (kinit) needs to find the KDC. It does this via DNS
> service lookup. Samba has its own DNS server so I think your DNS
> server configured in /etc/resolv.conf is not 127.0.0.1 so it can't
> find the KDC.

I had the computer's IP as the nameserver in resolv.conf, changing it to
127.0.0.1 didn't help.

> 
> The other option is that in /etc/krb5.conf you specify the kdc ip
> address for the realm.

To save me time trying to find out how to do this, can you tell me how?

> 
> > Am I now supposed to start the MIT kdc ?
> 
> Nope.
> 

OK, I will give up trying to ;-)

> 
> I've provisioned the AD DC with samba-tool which
> created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> system has a different kdc.conf. So you can create it at a special
> location during provision and set it with the 'mit kdc config'
> options.

I have '/etc/krb5kdc/kdc.conf', which contains:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    TEST.TLD = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Do I need all of that, or only some of it, or do I need to add something
to it?

I also take it that I need to provision again, but this time add
'--kdc-config-dir=/etc/krb5kdc/kdc.conf'

Rowland

> 
> 
> 
> 	Andreas
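As an added illustration of the krb5.conf option Andreas mentions (this is not part of the thread, nor Samba's or MIT's code): a constructed /etc/krb5.conf that pins the KDC for TEST.TLD to 127.0.0.1 in the [realms] section, next to a small Python check that parses the file and reports whether a realm would still fall back to DNS SRV discovery (the MIT default when dns_lookup_kdc is unset). The parser only covers the subset of krb5.conf syntax used here; the realm name and addresses are assumed values.

```python
import re

# Constructed client config: the realm block names the KDC explicitly,
# so kinit does not depend on _kerberos._udp.TEST.TLD SRV records.
PINNED_KRB5_CONF = """\
[libdefaults]
    default_realm = TEST.TLD
    dns_lookup_kdc = false

[realms]
    TEST.TLD = {
        kdc = 127.0.0.1
        admin_server = 127.0.0.1
    }
"""

# Constructed config with no kdc entry: KDC discovery relies on DNS.
UNPINNED_KRB5_CONF = """\
[libdefaults]
    default_realm = TEST.TLD
"""


def parse_krb5_conf(text):
    """Parse the simple krb5.conf subset: [sections], key = value lines and
    one level of NAME = { ... } blocks. Values are kept as lists because
    keys such as 'kdc' may legitimately repeat."""
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def check_kdc_pinning(text, realm):
    """Report how the client would locate the KDC for `realm`:
    explicit 'kdc =' entries, the dns_lookup_kdc setting, and findings
    describing any dependence on DNS SRV lookup."""
    conf = parse_krb5_conf(text)
    realm_conf = conf.get("realms", {}).get(realm, {})
    kdcs = realm_conf.get("kdc", [])
    lib = conf.get("libdefaults", {})
    # MIT krb5 treats dns_lookup_kdc as true when it is not set.
    dns_lookup = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    findings = []
    if not kdcs:
        findings.append(
            f"realm {realm}: no 'kdc =' entry; KDC discovery depends on "
            f"DNS SRV records (_kerberos._udp.{realm}) from the resolver in /etc/resolv.conf"
        )
    elif dns_lookup:
        findings.append(
            f"realm {realm}: kdc pinned to {', '.join(kdcs)} but dns_lookup_kdc "
            "is still enabled; DNS is consulted if the listed KDCs fail"
        )
    return {"kdcs": kdcs, "dns_lookup_kdc": dns_lookup, "findings": findings}


if __name__ == "__main__":
    for name, text in (("pinned", PINNED_KRB5_CONF), ("unpinned", UNPINNED_KRB5_CONF)):
        result = check_kdc_pinning(text, "TEST.TLD")
        print(name, result["kdcs"], result["findings"] or ["ok"])
```

Run it against the real file with `check_kdc_pinning(open("/etc/krb5.conf").read(), "TEST.TLD")`; an empty findings list means kinit has a fixed KDC address for the realm and the resolv.conf question in this thread no longer affects ticket acquisition.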