[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Tue May 2 16:28:23 UTC 2017

On Tue, 02 May 2017 18:01:01 +0200
Andreas Schneider <asn at samba.org> wrote:

> The MIT library (kinit) needs to find the KDC. It does this via DNS
> service lookup. Samba has its own DNS server so I think your DNS
> server configured in /etc/resolv.confis not so it can't
> find the KDC.

I had the computers IP as the nameserver in resolv.conf, chenging it to didn't help.

> The other option is that in /etc/krb5.conf you specify the kdc ip
> address for the realm.

To save me time trying to find out how to do this, can you tell me how ?

> > Am I now supposed to start the MIT kdc ?
> Nope.

OK, I will give up trying to ;-)

> I've provisioned the AD DC with samba-tool which
> created /var/kerberos/ krb5kdc/kdc.conf for me. It looks like your
> system has a different kdc.conf. So you can create it at a special
> location during provision and set it with the 'mit kdc config'
> options.

I have '/etc/krb5kdc/kdc.conf' , which contains:

    kdc_ports = 750,88

    TEST.TLD = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth

Do I need all of that, or only some of it, or do I need to add something
to it ?

I also take it that I need to provision again, but this time add


> 	Andreas
> 	Andreas

More information about the samba-technical mailing list