[WHATSNEW] Samba AD with MIT Kerberos + Version change

Andreas Schneider asn at samba.org
Tue May 2 16:33:26 UTC 2017 

On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> On Tue, 02 May 2017 18:01:01 +0200
> 
> Andreas Schneider <asn at samba.org> wrote:
> > The MIT library (kinit) needs to find the KDC. It does this via DNS
> > service lookup. Samba has its own DNS server so I think your DNS
> > server configured in /etc/resolv.confis not 127.0.0.1 so it can't
> > find the KDC.
> 
> I had the computers IP as the nameserver in resolv.conf, chenging it to
> 127.0.0.1 didn't help.

Then it should work if you create the kdc.conf correctly. See below.

> 
> > The other option is that in /etc/krb5.conf you specify the kdc ip
> > address for the realm.
> 
> To save me time trying to find out how to do this, can you tell me how ?
> 
> > > Am I now supposed to start the MIT kdc ?
> > 
> > Nope.
> 
> OK, I will give up trying to ;-)
> 
> > I've provisioned the AD DC with samba-tool which
> > created /var/kerberos/ krb5kdc/kdc.conf for me. It looks like your
> > system has a different kdc.conf. So you can create it at a special
> > location during provision and set it with the 'mit kdc config'
> > options.
> 
> I have '/etc/krb5kdc/kdc.conf' , which contains:
> 
> [kdcdefaults]
>     kdc_ports = 750,88
> 
> [realms]
>     TEST.TLD = {
>         database_name = /var/lib/krb5kdc/principal
>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>         acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/stash
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>         #supported_enctypes = aes256-cts:normal aes128-cts:normal
>         default_principal_flags = +preauth
>     }
> 
> Do I need all of that, or only some of it, or do I need to add something
> to it ?
> 
> I also take it that I need to provision again, but this time add
> '--kdc-config-dir=/etc/krb5kdc/kdc.conf'

Every distro has a different default locaction for the kdc.conf. I've added 
support for Fedora and openSUSE. So we might want do add more of them. Not 
sure if we really can but that's why there is --kdc-config-dir


However to get it working use:

samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/


That should create it at the correct location.



	Andreas

More information about the samba-technical mailing list