Local KDC and Samba
Alexander Bokovoy
ab at samba.org
Wed Jan 22 07:17:32 UTC 2025
On Tue, 21 Jan 2025, Steve French wrote:
> Although install of the localkdc seemed to work, running setup on it failed:
> root at localhost-live:/home/smfrench# dnf install localkdc
> Updating and loading repositories:
> Repositories loaded.
> Package           Arch    Version          Repository            Size
> Installing:
>  localkdc         x86_64  0.0.1-14.fc41    copr:copr.fedorainf   30.4 KiB
> Installing dependencies:
>  certmonger       x86_64  0.79.20-2.fc41   fedora                 2.5 MiB
>  krb5-pkinit      x86_64  1.21.3-121.fc41  copr:copr.fedorainf  121.2 KiB
>  krb5-server      x86_64  1.21.3-121.fc41  copr:copr.fedorainf  784.6 KiB
>  libkadm5         x86_64  1.21.3-121.fc41  copr:copr.fedorainf  218.2 KiB
>  localkdc-selinux x86_64  0.0.1-14.fc41    copr:copr.fedorainf   10.1 KiB
>
> Transaction Summary:
> Installing: 6 packages
>
> Total size of inbound packages is 1 MiB. Need to download 1 MiB.
> After this operation, 4 MiB extra will be used (install 4 MiB, remove 0 B).
> Is this ok [y/N]: y
> [1/6] localkdc-0:0.0.1-14.fc41.x86_64          100% |  28.8 KiB/s |  18.2 KiB | 00m01s
> [2/6] certmonger-0:0.79.20-2.fc41.x86_64       100% | 824.8 KiB/s | 602.1 KiB | 00m01s
> [3/6] krb5-server-0:1.21.3-121.fc41.x86_64     100% | 376.8 KiB/s | 300.0 KiB | 00m01s
> [4/6] krb5-pkinit-0:1.21.3-121.fc41.x86_64     100% | 319.9 KiB/s |  59.8 KiB | 00m00s
> [5/6] libkadm5-0:1.21.3-121.fc41.x86_64        100% | 330.6 KiB/s |  77.7 KiB | 00m00s
> [6/6] localkdc-selinux-0:0.0.1-14.fc41.x86_64  100% |  81.7 KiB/s |  19.9 KiB | 00m00s
> ----------------------------------------------------------------------------------------
> [6/6] Total                                    100% | 678.3 KiB/s |   1.1 MiB | 00m02s
>
>
> root at localhost-live:~# localkdc-setup
> The parent of location "/var/kerberos/localkdc/kdc.crt" could not be
> accessed due to insufficient permissions.
> /usr/bin/local-getcert: Failed to create pkinit certificates
>
> But it looks like it has sufficient permissions:
>
> root at localhost-live:~# stat /var/kerberos/localkdc
> File: /var/kerberos/localkdc
> Size: 16 Blocks: 0 IO Block: 4096 directory
> Device: 0,42 Inode: 367888 Links: 1
> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Context: system_u:object_r:var_t:s0
> Access: 2025-01-21 19:42:50.669926708 -0800
> Modify: 2025-01-21 19:42:22.342659428 -0800
> Change: 2025-01-21 19:42:22.342659428 -0800
> Birth: 2025-01-21 19:41:03.323891871 -0800
>
> Any ideas why this would fail?
The SELinux policy is still incomplete. Please run in permissive mode for
the time being; we need to fix the policy.
>
> On Mon, Jan 20, 2025 at 12:33 AM Andreas Schneider <asn at samba.org> wrote:
> >
> > On Monday, 20 January 2025 07:11:30 CET Alexander Bokovoy via samba-technical
> > wrote:
> > > On Sun, 19 Jan 2025, Steve French wrote:
> > > > Is there documentation (or example howto, walkthrough etc.) on how to
> > > > setup the new Local KDC features of Samba server?
> > > >
> > > > I wanted to try some experiments with the Linux client to make sure
> > > > the new type of krb5 mounts work fine. For the server I am using
> > > > current Samba master branch on Ubuntu.
> > >
> > > There are bits and pieces which aren't merged yet in both MIT Kerberos
> > > and Samba.
> > >
> > > Your best way of testing is by using COPR repository Andreas created for
> > > Fedora as it includes prepared packages.
> > >
> > > See https://gitlab.com/cryptomilk/localkdc and
> > > https://copr.fedorainfracloud.org/coprs/asn/localkdc/
> > >
> > > Andreas gave some instructions in this comment:
> > > https://github.com/SSSD/sssd/issues/7723#issuecomment-2597864370
> >
> > For using IAKerb you need smbd and smbclient built from:
> >
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/asn-iakerb
> >
> >
> > Edit the smb.conf and add:
> >
> > include /etc/samba/localkdc.conf
> >
> > at the end of the [global] section after you ran localkdc-setup!
> >
> > You can then connect to smbd using the mdns name of the machine
> > (<hostname>.local).
> >
> > Example:
> >
> > smbclient //samba-iakerb.local//share -Uasn@SAMBA-IAKERB.LOCALKDC.SITE --use-kerberos=required
> >
> >
> > Best regards
> >
> >
> > Andreas
> >
> > --
> > Andreas Schneider asn at samba.org
> > Samba Team www.samba.org
> > GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
> >
> >
>
>
> --
> Thanks,
>
> Steve
--
/ Alexander Bokovoy
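The step in Andreas's instructions that is easiest to get wrong is the placement of the include: it has to land at the end of the [global] section, not at the end of smb.conf, because anything after a share header is a share parameter. The following is an added example, not code from the thread or from the localkdc project, that performs that edit idempotently on a constructed smb.conf. It writes the parameter in the `include = path` form smb.conf uses, treats an existing include of /etc/samba/localkdc.conf (with or without the `=`) as already done, and creates a [global] section if the file has none.

```python
"""Insert `include = /etc/samba/localkdc.conf` at the end of the [global]
section of smb.conf, as the thread instructs (added example, not project code)."""
import re
from pathlib import Path

INCLUDE_LINE = "include = /etc/samba/localkdc.conf"
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_EXISTING_RE = re.compile(r"\s*include\s*=?\s*/etc/samba/localkdc\.conf\s*")


def add_localkdc_include(conf_text: str) -> str:
    """Return conf_text with the localkdc include at the end of [global]."""
    lines = conf_text.splitlines()

    # Already included (commented-out lines do not match): leave the file alone.
    if any(_EXISTING_RE.fullmatch(line) for line in lines):
        return conf_text

    # Find the [global] header and the first section header after it.
    start = end = None
    for i, line in enumerate(lines):
        m = _SECTION_RE.match(line)
        if m is None:
            continue
        if start is None:
            if m.group("name").strip().lower() == "global":
                start = i
        else:
            end = i
            break

    if start is None:
        # No [global] at all: create one at the top so the include stays global.
        return "\n".join(["[global]", f"    {INCLUDE_LINE}", ""] + lines) + "\n"

    if end is None:
        end = len(lines)  # [global] is the last section

    # Step back over blank lines so the include sits with the other parameters.
    insert_at = end
    while insert_at > start + 1 and lines[insert_at - 1].strip() == "":
        insert_at -= 1
    lines.insert(insert_at, f"    {INCLUDE_LINE}")
    return "\n".join(lines) + "\n"


def add_include_to_file(path: str = "/etc/samba/smb.conf") -> bool:
    """Apply the edit in place; returns True if the file was changed."""
    p = Path(path)
    original = p.read_text()
    updated = add_localkdc_include(original)
    if updated != original:
        p.write_text(updated)
        return True
    return False


# Constructed sample smb.conf for demonstration (not from the thread).
SAMPLE_CONF = (
    "[global]\n"
    "    workgroup = SAMBA\n"
    "    security = user\n"
    "\n"
    "[share]\n"
    "    path = /srv/share\n"
)

if __name__ == "__main__":
    print(add_localkdc_include(SAMPLE_CONF))
```

Run `add_include_to_file()` only after `localkdc-setup` has produced /etc/samba/localkdc.conf, as Andreas notes, and then check the merged configuration with `testparm`; it reports a parse error if the include ended up in the wrong section or the included file is missing.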