Local KDC and Samba

Andreas Schneider asn at samba.org
Thu Jan 23 08:11:45 UTC 2025


On Thursday, 23 January 2025 04:14:13 CET Steve French wrote:
> > There is incomplete SELinux policy yet. Please run in permissive for
> > time being, we need to fix the policy.
> 
> Disabling selinux did help and fixed the localkdc-setup setup
> 
> The last step of his instructions says to do kinit, but kinit is not
> installed in his image,
> or as a dependency of "dnf install localkdc" so I had to reboot the
> workstation and
> then do "dnf install krb5-workstation" (hopefully doesn't need a
> special version of kinit?!)

If you use the copr repo it is:

root at krikkit:~# rpm -q krb5-workstation
krb5-workstation-1.21.3-121.fc41.x86_64
root at krikkit:~# rpm -q krb5-server
krb5-server-1.21.3-121.fc41.x86_64

> After rebooting the localkdc was not available so couldn't do kinit.  How do
> you restart it?   What I tried is below:
> 
> root at fedora:/home/smfrench# systemctl start localkdc
> Job for localkdc.service failed because the control process exited
> with error code.
> See "systemctl status localkdc.service" and "journalctl -xeu
> localkdc.service" for details.
> root at fedora:/home/smfrench# systemctl status localkdc.service
> × localkdc.service - Local Kerberos KDC
>      Loaded: loaded (/usr/lib/systemd/system/localkdc.service; static)
>     Drop-In: /usr/lib/systemd/system/service.d
>              └─10-timeout-abort.conf, 50-keep-warm.conf
>      Active: failed (Result: exit-code) since Wed 2025-01-22 19:09:26
> PST; 13s ago
>  Invocation: 1996ca595fe74329882d55bc94779265
> TriggeredBy: ● localkdc.socket
>     Process: 5066 ExecStart=/usr/sbin/krb5kdc -P /run/localkdc/kdc.pid
> -w 1 (code=exited, status=1/FAILURE)
>    Mem peak: 9.3M
>         CPU: 23ms

This should do it.

> Jan 22 19:09:26 fedora.local systemd[1]: Starting localkdc.service -
> Local Kerberos KDC...
> Jan 22 19:09:26 fedora.local krb5kdc[5066]: krb5kdc: cannot initialize
> realm FEDORA.LOCALKDC.SITE - see log file >
> Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Control
> process exited, code=exited, status=1/FAILURE
> Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Failed with
> result 'exit-code'.
> Jan 22 19:09:26 fedora.local systemd[1]: Failed to start
> localkdc.service - Local Kerberos KDC.
> root at fedora:/home/smfrench# exit
> exit

What is in the kdc log (/var/log/localkdc.log)?
 
> 
> smfrench at fedora:~$ kinit asn at SAMBAKDC.LOCALKDC.SITE
> kinit: Cannot find KDC for realm "SAMBAKDC.LOCALKDC.SITE" while
> getting initial credentials

Well, your machine is named fedora, so your realm is: FEDORA.LOCALKDC.SITE!

You've created a user named asn with localkdc-kadmin? I guess you want a local 
user sfrench and then add a principal:

root at sambakdc:~# localkdc-kadmin 
Authenticating as principal root/admin at FEDORA.LOCALKDC.SITE with password.
kadmin.local:  add_principal sfrench

quit

systemctl restart localkdc.service

then you can do: kinit sfrench at FEDORA.LOCALKDC.SITE
 


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
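A small pre-flight check for the realm mix-up in the thread above, as an added example that is not part of the original message or of the localkdc project: it assumes, as the reply states, that localkdc names the realm after the upper-cased short hostname plus `.LOCALKDC.SITE`, and it takes the hostname as a parameter so it can run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption from the reply above:
# localkdc's realm is the short hostname, upper-cased, plus ".LOCALKDC.SITE".

# Expected localkdc realm for a hostname, e.g. "fedora.local" -> FEDORA.LOCALKDC.SITE
localkdc_realm() {
    short=$(printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s.LOCALKDC.SITE' "$short"
}

# check_principal_realm USER@REALM HOSTNAME
# Returns 0 when the principal's realm is the one this host's localkdc serves,
# 1 otherwise (the thread's failing case: asn@SAMBAKDC.LOCALKDC.SITE on host fedora).
check_principal_realm() {
    princ=$1
    host=$2
    want=$(localkdc_realm "$host")
    case $princ in
        *@*) got=${princ##*@} ;;
        *)   echo "no realm in '$princ'; use $princ@$want" >&2; return 1 ;;
    esac
    if [ "$got" != "$want" ]; then
        echo "realm mismatch: '$got' requested, but host '$host' serves '$want'" >&2
        echo "kinit would report: Cannot find KDC for realm \"$got\"" >&2
        return 1
    fi
    return 0
}

# Demo with the two principals from the thread, on a host named "fedora".
for p in asn@SAMBAKDC.LOCALKDC.SITE sfrench@FEDORA.LOCALKDC.SITE; do
    if check_principal_realm "$p" fedora; then
        echo "$p: realm matches, kinit should reach the local KDC"
    fi
done
```

Run the check with the real hostname (`check_principal_realm "$user@$REALM" "$(hostname)"`) before adding the principal with localkdc-kadmin and restarting localkdc.service.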