Local KDC and Samba

Steve French smfrench at gmail.com
Wed Jan 22 03:47:06 UTC 2025


Although install of the localkdc seemed to work, running setup on it failed:
root@localhost-live:/home/smfrench# dnf install localkdc
Updating and loading repositories:
Repositories loaded.
Package                   Arch   Version                   Repository           Size
Installing:
 localkdc                 x86_64 0.0.1-14.fc41             copr:copr.fedorainf  30.4 KiB
Installing dependencies:
 certmonger               x86_64 0.79.20-2.fc41            fedora                2.5 MiB
 krb5-pkinit              x86_64 1.21.3-121.fc41           copr:copr.fedorainf 121.2 KiB
 krb5-server              x86_64 1.21.3-121.fc41           copr:copr.fedorainf 784.6 KiB
 libkadm5                 x86_64 1.21.3-121.fc41           copr:copr.fedorainf 218.2 KiB
 localkdc-selinux         x86_64 0.0.1-14.fc41             copr:copr.fedorainf  10.1 KiB

Transaction Summary:
 Installing:         6 packages

Total size of inbound packages is 1 MiB. Need to download 1 MiB.
After this operation, 4 MiB extra will be used (install 4 MiB, remove 0 B).
Is this ok [y/N]: y
[1/6] localkdc-0:0.0.1-14.fc41.x86_64           100% |  28.8 KiB/s |  18.2 KiB |  00m01s
[2/6] certmonger-0:0.79.20-2.fc41.x86_64        100% | 824.8 KiB/s | 602.1 KiB |  00m01s
[3/6] krb5-server-0:1.21.3-121.fc41.x86_64      100% | 376.8 KiB/s | 300.0 KiB |  00m01s
[4/6] krb5-pkinit-0:1.21.3-121.fc41.x86_64      100% | 319.9 KiB/s |  59.8 KiB |  00m00s
[5/6] libkadm5-0:1.21.3-121.fc41.x86_64         100% | 330.6 KiB/s |  77.7 KiB |  00m00s
[6/6] localkdc-selinux-0:0.0.1-14.fc41.x86_64   100% |  81.7 KiB/s |  19.9 KiB |  00m00s
----------------------------------------------------------------------------------------
[6/6] Total                                     100% | 678.3 KiB/s |   1.1 MiB |  00m02s


root@localhost-live:~# localkdc-setup
The parent of location "/var/kerberos/localkdc/kdc.crt" could not be accessed due to insufficient permissions.
/usr/bin/local-getcert: Failed to create pkinit certificates

But it looks like it has sufficient permissions:

root@localhost-live:~# stat /var/kerberos/localkdc
  File: /var/kerberos/localkdc
  Size: 16            Blocks: 0          IO Block: 4096   directory
Device: 0,42    Inode: 367888      Links: 1
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_t:s0
Access: 2025-01-21 19:42:50.669926708 -0800
Modify: 2025-01-21 19:42:22.342659428 -0800
Change: 2025-01-21 19:42:22.342659428 -0800
 Birth: 2025-01-21 19:41:03.323891871 -0800

Any ideas why this would fail?

On Mon, Jan 20, 2025 at 12:33 AM Andreas Schneider <asn at samba.org> wrote:
>
> On Monday, 20 January 2025 07:11:30 CET Alexander Bokovoy via samba-technical
> wrote:
> > On Sun, 19 Jan 2025, Steve French wrote:
> > > Is there documentation (or example howto, walkthrough etc.) on how to
> > > setup the new Local KDC features of Samba server?
> > >
> > > I wanted to try some experiments with the Linux client to make sure
> > > the new type of krb5 mounts work fine.  For the server I am using
> > > current Samba master branch on Ubuntu.
> >
> > There are bits and pieces which aren't merged yet in both MIT Kerberos
> > and Samba.
> >
> > Your best way of testing is by using COPR repository Andreas created for
> > Fedora as it includes prepared packages.
> >
> > See https://gitlab.com/cryptomilk/localkdc and
> > https://copr.fedorainfracloud.org/coprs/asn/localkdc/
> >
> > Andreas gave some instructions in this comment:
> > https://github.com/SSSD/sssd/issues/7723#issuecomment-2597864370
>
> For using IAKerb you need smbd and smbclient built from:
>
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/asn-iakerb
>
>
> Edit the smb.conf and add:
>
> include /etc/samba/localkdc.conf
>
> at the end of the [global] section after you ran localkdc-setup!
>
> You can then connect to smbd using the mdns name of the machine
> (<hostname>.local).
>
> Example:
>
> smbclient //samba-iakerb.local//share -Uasn@SAMBA-IAKERB.LOCALKDC.SITE --use-kerberos=required
>
>
> Best regards
>
>
>         Andreas
>
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             www.samba.org
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
>
>


-- 
Thanks,

Steve
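
An added diagnostic sketch, not part of the thread and not from the localkdc project: the stat output quoted above reports both the mode bits (0755) and an SELinux context (var_t), and this script separates those two views of the directory. It assumes the certificate request is served by a confined certmonger daemon rather than by the root shell; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the DAC view and the SELinux view of a directory.

# Constructed sample: the two relevant lines of the stat output quoted above.
SAMPLE='Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_t:s0'

# Octal mode from stat's "Access: (0755/...)" line (not the timestamp line).
stat_mode() { printf '%s\n' "$1" | sed -n 's|^Access: (\([0-7]*\)/.*|\1|p'; }

# SELinux type: third colon-separated field of stat's "Context:" line.
stat_setype() {
    printf '%s\n' "$1" | sed -n 's|^Context: *[^:]*:[^:]*:\([^:]*\).*|\1|p'
}

# var_t is the default type for /var content with no more specific
# file-context rule; default_t and unlabeled_t are similar fallbacks.
is_generic_type() {
    case "$1" in var_t|default_t|unlabeled_t) return 0 ;; *) return 1 ;; esac
}

# Verdict for one stat dump. A generic label means the mode bits alone
# do not tell you whether a confined daemon may write there.
assess() {
    mode=$(stat_mode "$1"); setype=$(stat_setype "$1")
    if [ -z "$setype" ]; then echo "no-selinux-context"
    elif is_generic_type "$setype"; then echo "generic-label:$setype mode:$mode"
    else echo "specific-label:$setype mode:$mode"; fi
}

# Read-only follow-up on a live SELinux host (run as root).
live_check() {
    dir=$1
    getenforce                            # Enforcing / Permissive / Disabled
    stat -c 'actual:   %C' "$dir"         # label currently on the directory
    printf 'expected: '; matchpathcon -n "$dir"   # label the policy assigns
    restorecon -n -v -R "$dir"            # dry run: lists labels that would change
    ausearch -m AVC,USER_AVC -ts recent   # denials logged around the failed run
}

assess "$SAMPLE"
if [ $# -gt 0 ]; then live_check "$1"; fi
```

Run with the directory as the only argument to perform the live checks; without an argument it only evaluates the embedded sample.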