[WHATSNEW] Samba AD with MIT Kerberos + Version change

Jeff Sadowski jeff.sadowski at gmail.com
Tue May 2 21:39:06 UTC 2017


The output says to look here: /usr/local/samba/private/krb5.conf. From the
locations you are looking at, it looks like you might have missed that.

On Tue, May 2, 2017 at 3:20 PM, Rowland Penny via samba-technical <
samba-technical at lists.samba.org> wrote:

> On Tue, 02 May 2017 23:01:30 +0200
> Andreas Schneider <asn at samba.org> wrote:
>
> > On Tuesday, 2 May 2017 19:18:31 CEST Rowland Penny wrote:
> > > On Tue, 02 May 2017 18:33:26 +0200
> > >
> > > Andreas Schneider <asn at samba.org> wrote:
> > > > On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> > > > > On Tue, 02 May 2017 18:01:01 +0200
> > > > >
> > > > > Andreas Schneider <asn at samba.org> wrote:
> > > > > > The MIT library (kinit) needs to find the KDC. It does this
> > > > > > via DNS service lookup. Samba has its own DNS server so I
> > > > > > think your DNS server configured in /etc/resolv.conf is not
> > > > > > 127.0.0.1 so it can't find the KDC.
> > > > >
> > > > > I had the computer's IP as the nameserver in resolv.conf,
> > > > > changing it to 127.0.0.1 didn't help.
> > > >
> > > > Then it should work if you create the kdc.conf correctly. See
> > > > below.
> > > >
> > > > > > The other option is that in /etc/krb5.conf you specify the
> > > > > > kdc ip address for the realm.
> > > > >
> > > > > To save me time trying to find out how to do this, can you tell
> > > > > me how ?
> > > > >
> > > > > > > Am I now supposed to start the MIT kdc ?
> > > > > >
> > > > > > Nope.
> > > > >
> > > > > OK, I will give up trying to ;-)
> > > > >
> > > > > > I've provisioned the AD DC with samba-tool which
> > > > > > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like
> > > > > > your system has a different kdc.conf. So you can create it at
> > > > > > a special location during provision and set it with the 'mit
> > > > > > kdc config' options.
> > > > >
> > > > > I have '/etc/krb5kdc/kdc.conf' , which contains:
> > > > >
> > > > > [kdcdefaults]
> > > > >
> > > > >     kdc_ports = 750,88
> > > > >
> > > > > [realms]
> > > > >
> > > > >     TEST.TLD = {
> > > > >
> > > > >         database_name = /var/lib/krb5kdc/principal
> > > > >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > > > >         acl_file = /etc/krb5kdc/kadm5.acl
> > > > >         key_stash_file = /etc/krb5kdc/stash
> > > > >         kdc_ports = 750,88
> > > > >         max_life = 10h 0m 0s
> > > > >         max_renewable_life = 7d 0h 0m 0s
> > > > >         master_key_type = des3-hmac-sha1
> > > > >         #supported_enctypes = aes256-cts:normal aes128-cts:normal
> > > > >         default_principal_flags = +preauth
> > > > >
> > > > >     }
> > > > >
> > > > > Do I need all of that, or only some of it, or do I need to add
> > > > > something to it ?
> > > > >
> > > > > I also take it that I need to provision again, but this time add
> > > > > '--kdc-config-dir=/etc/krb5kdc/kdc.conf'
> > > >
> > > > Every distro has a different default location for the kdc.conf.
> > > > I've added support for Fedora and openSUSE. So we might want to
> > > > add more of them. Not sure if we really can but that's why there
> > > > is --kdc-config-dir
> > > >
> > > >
> > > > However to get it working use:
> > > >
> > > > samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/
> > > >
> > > >
> > > > That should create it at the correct location.
> > >
> > > Sorry but it didn't work, kinit still cannot find the kdc.
> > >
> > > I am provisioning with:
> > >
> > > samba-tool domain provision --use-rfc2307 --realm=TEST.TLD
> > > --domain=TEST --server-role=dc --kdc-config-dir=/etc/krb5kdc/
> > > --adminpass=xxxxxxxxxx
> > >
> > > You seem to be saying that the 'kdc.conf' should be created by the
> > > provision, this isn't happening for me. I have moved the original
> > > one out of the way and tried again, I didn't get the 'kdc.conf'
> > > created.
> > >
> > > What do you expect the 'kdc.conf' to contain ?
> > >
> > > Rowland
> >
> > The samba-tool should print where it creates the kdc.conf file. Did
> > you check the log message from samba-tool?
> >
> >
>
> Do you mean this output ?
>
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=test,DC=tld
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=test,DC=tld
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been generated at
> /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              devtestdc
> NetBIOS Domain:        TEST
> DNS Domain:            test.tld
> DOMAIN SID:            S-1-5-21-3649761056-4226039593-3544047505
>
> If I check for 'kdc.conf' :
>
> locate kdc.conf
> /etc/krb5kdc/kdc.conf
> /usr/share/doc/krb5-kdc/examples/kdc.conf
> /usr/share/krb5-kdc/kdc.conf.template
> /usr/share/man/man5/kdc.conf.5.gz
> /var/lib/dpkg/info/krb5-kdc.conffiles
> /var/lib/dpkg/info/krb5-kdc.config
>
> The first one is the one created when the krb5 packages are installed,
> it is not created by the provision.
>
> I have checked and there is nothing listening on port 88.
>
> I am going to try again tomorrow with a fresh install.
>
> Rowland
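Rowland asks how to point kinit at the KDC from /etc/krb5.conf, and the thread never spells the syntax out. The script below is an added example, not code from the Samba project or from anyone in this thread. It shows the two discovery paths Andreas describes: an explicit "kdc =" entry under the realm in the [realms] section, or the DNS SRV lookup (_kerberos._udp.<realm>) that MIT krb5 performs when no kdc entry exists, which only succeeds if resolv.conf points at a nameserver serving the AD zone (127.0.0.1 on a DC using Samba's internal DNS). The realm TEST.TLD comes from the thread; the file contents and the 192.0.2.x addresses are constructed samples, and kdc_discovery and parse_krb5_conf are hypothetical helper names. It says nothing about whether a KDC is actually listening on port 88, which is the separate problem Rowland reports at the end.

```python
"""Report how an MIT Kerberos client (kinit) would locate the KDC for a realm.

Added example for the samba-technical thread above; not Samba code.
Only the subset of krb5.conf syntax needed here (sections, key = value,
brace-delimited realm blocks, '#' comments) is handled.
"""
import re

# SRV names MIT krb5 queries when it has to discover the KDC through DNS.
SRV_LABELS = ("_kerberos._udp", "_kerberos._tcp")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm blocks under [realms] become
    {REALM: {key: [values]}} because a key such as 'kdc' may repeat."""
    conf = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)   # "TEST.TLD = {"
            if m:
                realm = m.group(1)
                conf["realms"][realm] = {}
                continue
            if line == "}":
                realm = None
                continue
            if realm is not None:
                key, _, value = line.partition("=")
                conf["realms"][realm].setdefault(key.strip(), []).append(value.strip())
                continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf


def nameservers(resolv_text):
    """List the 'nameserver' addresses from resolv.conf-style text."""
    return [l.split()[1] for l in resolv_text.splitlines()
            if l.strip().startswith("nameserver") and len(l.split()) > 1]


def kdc_discovery(krb5_text, resolv_text, realm):
    """Decide which discovery path kinit would take for `realm`."""
    conf = parse_krb5_conf(krb5_text)
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        return {"method": "explicit", "kdcs": explicit}
    lib = conf.get("libdefaults", {})
    # MIT krb5 defaults dns_lookup_kdc to true when it is not set.
    if lib.get("dns_lookup_kdc", "true").lower() in ("false", "no", "0"):
        return {"method": "none",
                "reason": "no kdc entry and dns_lookup_kdc disabled"}
    ns = nameservers(resolv_text)
    queries = ["%s.%s" % (label, realm.lower()) for label in SRV_LABELS]
    return {"method": "dns", "queries": queries, "nameservers": ns,
            "local_dns": "127.0.0.1" in ns}


# Constructed samples (not files from the thread).
KRB5_CONF_DNS_ONLY = """[libdefaults]
    default_realm = TEST.TLD
    dns_lookup_kdc = true

[realms]
    TEST.TLD = {
    }
"""

# The form of the "kdc ip address for the realm" entry Andreas refers to.
KRB5_CONF_EXPLICIT = """[libdefaults]
    default_realm = TEST.TLD

[realms]
    TEST.TLD = {
        kdc = 192.0.2.10
        admin_server = 192.0.2.10
    }
"""

RESOLV_REMOTE = "search test.tld\nnameserver 192.0.2.1\n"   # some other resolver
RESOLV_LOCAL = "search test.tld\nnameserver 127.0.0.1\n"    # the DC's own Samba DNS

if __name__ == "__main__":
    for name, krb5, resolv in (("explicit", KRB5_CONF_EXPLICIT, RESOLV_REMOTE),
                               ("dns/remote", KRB5_CONF_DNS_ONLY, RESOLV_REMOTE),
                               ("dns/local", KRB5_CONF_DNS_ONLY, RESOLV_LOCAL)):
        print(name, kdc_discovery(krb5, resolv, "TEST.TLD"))
```

Run it as-is to see the three outcomes; to test a real host, pass the contents of /etc/krb5.conf and /etc/resolv.conf instead of the samples. When the result is "dns" with local_dns false, kinit is asking a resolver that may not know the _kerberos SRV records Samba publishes, which is the situation Andreas suspected first.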

