Local KDC and Samba

Steve French smfrench at gmail.com
Thu Jan 23 03:14:13 UTC 2025 

On Wed, Jan 22, 2025 at 1:18 AM Alexander Bokovoy <ab at samba.org> wrote:
>
> On Аўт, 21 сту 2025, Steve French wrote:
> > Although install of the localkdc seemed to work, running setup on it failed:
> > root at localhost-live:/home/smfrench# dnf install localkdc
> > Updating and loading repositories:
> > Repositories loaded.
> > Package                   Arch   Version                   Repository
> >              Size
> > Installing:
> >  localkdc                 x86_64 0.0.1-14.fc41
> > copr:copr.fedorainf  30.4 KiB
> > Installing dependencies:
> >  certmonger               x86_64 0.79.20-2.fc41            fedora
> >           2.5 MiB
> >  krb5-pkinit              x86_64 1.21.3-121.fc41
> > copr:copr.fedorainf 121.2 KiB
> >  krb5-server              x86_64 1.21.3-121.fc41
> > copr:copr.fedorainf 784.6 KiB
> >  libkadm5                 x86_64 1.21.3-121.fc41
> > copr:copr.fedorainf 218.2 KiB
> >  localkdc-selinux         x86_64 0.0.1-14.fc41
> > copr:copr.fedorainf  10.1 KiB
> >
> > Transaction Summary:
> >  Installing:         6 packages
> >
> > Total size of inbound packages is 1 MiB. Need to download 1 MiB.
> > After this operation, 4 MiB extra will be used (install 4 MiB, remove 0 B).
> > Is this ok [y/N]: y
> > [1/6] localkdc-0:0.0.1-14.fc41.x86_64           100% |  28.8 KiB/s |
> > 18.2 KiB |  00m01s
> > [2/6] certmonger-0:0.79.20-2.fc41.x86_64        100% | 824.8 KiB/s |
> > 602.1 KiB |  00m01s
> > [3/6] krb5-server-0:1.21.3-121.fc41.x86_64      100% | 376.8 KiB/s |
> > 300.0 KiB |  00m01s
> > [4/6] krb5-pkinit-0:1.21.3-121.fc41.x86_64      100% | 319.9 KiB/s |
> > 59.8 KiB |  00m00s
> > [5/6] libkadm5-0:1.21.3-121.fc41.x86_64         100% | 330.6 KiB/s |
> > 77.7 KiB |  00m00s
> > [6/6] localkdc-selinux-0:0.0.1-14.fc41.x86_64   100% |  81.7 KiB/s |
> > 19.9 KiB |  00m00s
> > ----------------------------------------------------------------------------------------
> > [6/6] Total                                     100% | 678.3 KiB/s |
> > 1.1 MiB |  00m02s
> >
> >
> > root at localhost-live:~# localkdc-setup
> > The parent of location "/var/kerberos/localkdc/kdc.crt" could not be
> > accessed due to insufficient permissions.
> > /usr/bin/local-getcert: Failed to create pkinit certificates
> >
> > But it looks like it has sufficient permissions:
> >
> > root at localhost-live:~# stat /var/kerberos/localkdc
> >   File: /var/kerberos/localkdc
> >   Size: 16            Blocks: 0          IO Block: 4096   directory
> > Device: 0,42    Inode: 367888      Links: 1
> > Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> > Context: system_u:object_r:var_t:s0
> > Access: 2025-01-21 19:42:50.669926708 -0800
> > Modify: 2025-01-21 19:42:22.342659428 -0800
> > Change: 2025-01-21 19:42:22.342659428 -0800
> >  Birth: 2025-01-21 19:41:03.323891871 -0800
> >
> > Any ideas why this would fail?
>
> There is incomplete SELinux policy yet. Please run in permissive for
> time being, we need to fix the policy.

Disabling selinux did help and fixed the localkdc-setup setup

The last step of his instructions says to do kinit, but kinit is not
installed in his image,
or as a dependency of "dnf install localkdc" so I had to reboot the
workstation and
then do "dnf install krb5-workstation" (hopefully doesn't need a
special version of kinit?!)

After rebooting the localkdc was not available so couldn't do kinit.  How do you
restart it?   What I tried is below:

root at fedora:/home/smfrench# systemctl start localkdc
Job for localkdc.service failed because the control process exited
with error code.
See "systemctl status localkdc.service" and "journalctl -xeu
localkdc.service" for details.
root at fedora:/home/smfrench# systemctl status localkdc.service
× localkdc.service - Local Kerberos KDC
     Loaded: loaded (/usr/lib/systemd/system/localkdc.service; static)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: failed (Result: exit-code) since Wed 2025-01-22 19:09:26
PST; 13s ago
 Invocation: 1996ca595fe74329882d55bc94779265
TriggeredBy: ● localkdc.socket
    Process: 5066 ExecStart=/usr/sbin/krb5kdc -P /run/localkdc/kdc.pid
-w 1 (code=exited, status=1/FAILURE)
   Mem peak: 9.3M
        CPU: 23ms

Jan 22 19:09:26 fedora.local systemd[1]: Starting localkdc.service -
Local Kerberos KDC...
Jan 22 19:09:26 fedora.local krb5kdc[5066]: krb5kdc: cannot initialize
realm FEDORA.LOCALKDC.SITE - see log file >
Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Control
process exited, code=exited, status=1/FAILURE
Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Failed with
result 'exit-code'.
Jan 22 19:09:26 fedora.local systemd[1]: Failed to start
localkdc.service - Local Kerberos KDC.
root at fedora:/home/smfrench# exit
exit


smfrench at fedora:~$ kinit asn at SAMBAKDC.LOCALKDC.SITE
kinit: Cannot find KDC for realm "SAMBAKDC.LOCALKDC.SITE" while
getting initial credentials


Ideas how to restart the local KDC?

--
Thanks,

Steve

More information about the samba-technical mailing list