[WHATSNEW] Samba AD with MIT Kerberos + Version change

Andreas Schneider asn at samba.org
Tue May 2 21:01:30 UTC 2017


On Tuesday, 2 May 2017 19:18:31 CEST Rowland Penny wrote:
> On Tue, 02 May 2017 18:33:26 +0200
> 
> Andreas Schneider <asn at samba.org> wrote:
> > On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> > > On Tue, 02 May 2017 18:01:01 +0200
> > > 
> > > Andreas Schneider <asn at samba.org> wrote:
> > > > The MIT library (kinit) needs to find the KDC. It does this via
> > > > DNS service lookup. Samba has its own DNS server so I think your
> > > > DNS server configured in /etc/resolv.conf is not 127.0.0.1 so it
> > > > can't find the KDC.
> > > 
> > > I had the computer's IP as the nameserver in resolv.conf, changing
> > > it to 127.0.0.1 didn't help.
> > 
> > Then it should work if you create the kdc.conf correctly. See below.
> > 
> > > > The other option is that in /etc/krb5.conf you specify the kdc ip
> > > > address for the realm.
> > > 
> > > To save me time trying to find out how to do this, can you tell me
> > > how ?
> > > 
> > > > > Am I now supposed to start the MIT kdc ?
> > > > 
> > > > Nope.
> > > 
> > > OK, I will give up trying to ;-)
> > > 
> > > > I've provisioned the AD DC with samba-tool which
> > > > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> > > > system has a different kdc.conf. So you can create it at a special
> > > > location during provision and set it with the 'mit kdc config'
> > > > options.
> > > 
> > > I have '/etc/krb5kdc/kdc.conf' , which contains:
> > > 
> > > [kdcdefaults]
> > > 
> > >     kdc_ports = 750,88
> > > 
> > > [realms]
> > > 
> > >     TEST.TLD = {
> > >     
> > >         database_name = /var/lib/krb5kdc/principal
> > >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > >         acl_file = /etc/krb5kdc/kadm5.acl
> > >         key_stash_file = /etc/krb5kdc/stash
> > >         kdc_ports = 750,88
> > >         max_life = 10h 0m 0s
> > >         max_renewable_life = 7d 0h 0m 0s
> > >         master_key_type = des3-hmac-sha1
> > >         #supported_enctypes = aes256-cts:normal aes128-cts:normal
> > >         default_principal_flags = +preauth
> > >     
> > >     }
> > > 
> > > Do I need all of that, or only some of it, or do I need to add
> > > something to it ?
> > > 
> > > I also take it that I need to provision again, but this time add
> > > '--kdc-config-dir=/etc/krb5kdc/kdc.conf'
> > 
> > Every distro has a different default location for the kdc.conf. I've
> > added support for Fedora and openSUSE. So we might want to add more
> > of them. Not sure if we really can but that's why there is
> > --kdc-config-dir
> > 
> > 
> > However to get it working use:
> > 
> > samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/
> > 
> > 
> > That should create it at the correct location.
> 
> Sorry but it didn't work, kinit still cannot find the kdc.
> 
> I am provisioning with:
> 
> samba-tool domain provision --use-rfc2307 --realm=TEST.TLD
> --domain=TEST --server-role=dc --kdc-config-dir=/etc/krb5kdc/
> --adminpass=xxxxxxxxxx
> 
> You seem to be saying that the 'kdc.conf' should be created by the
> provision, this isn't happening for me. I have moved the original one
> out of the way and tried again, I didn't get the 'kdc.conf' created.
> 
> What do you expect the 'kdc.conf' to contain ?
> 
> Rowland

The samba-tool should print where it creates the kdc.conf file. Did you check 
the log message from samba-tool?
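The thread says kinit either finds the KDC through a DNS service lookup or through a kdc entry for the realm in /etc/krb5.conf. As an added example (not code from the thread or from Samba), here is a small parser for MIT krb5.conf syntax that reports which of the two paths kinit will take for a realm; the sample config is constructed, and the SRV owner names it reports on the DNS fallback path are an assumption based on MIT krb5's documented lookup behaviour.

```python
import re

# Constructed sample krb5.conf: TEST.TLD pins its KDC, OTHER.TLD relies on DNS.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = true
[realms]
    TEST.TLD = {
        kdc = 127.0.0.1        # the Samba AD DC (its DNS server and KDC)
        admin_server = 127.0.0.1
    }
    OTHER.TLD = {
        admin_server = kdc.other.tld
    }
"""


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and NAME = { ... } stanzas."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = sections.setdefault(header.group(1), {}), None
            continue
        if section is None or line == "}":         # stray text, or stanza end
            stanza = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stanza = section.setdefault(key, {})
        elif stanza is not None:
            stanza.setdefault(key, []).append(value)  # kdc may repeat
        else:
            section[key] = value
    return sections


def kdc_lookup_plan(text, realm):
    """("config", kdcs) if pinned, ("dns", srv names) on fallback, else ("none", [])."""
    conf = parse_krb5_conf(text)
    pinned = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if pinned:
        return ("config", pinned)
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    if dns not in ("true", "yes", "1"):
        return ("none", [])
    # Assumed SRV owner names MIT krb5 queries when no kdc entry is configured.
    return ("dns", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"])
```

On the DNS path, the returned SRV names must resolve against the nameserver in /etc/resolv.conf, which on a Samba AD DC using its internal DNS server is the DC itself.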
