Local KDC and Samba
Andreas Schneider
asn at samba.org
Thu Jan 23 08:11:45 UTC 2025
On Thursday, 23 January 2025 04:14:13 CET Steve French wrote:
> > There is incomplete SELinux policy yet. Please run in permissive for
> > time being, we need to fix the policy.
>
> Disabling selinux did help and fixed the localkdc-setup setup
>
> The last step of his instructions says to do kinit, but kinit is not
> installed in his image,
> or as a dependency of "dnf install localkdc" so I had to reboot the
> workstation and
> then do "dnf install krb5-workstation" (hopefully doesn't need a
> special version of kinit?!)
If you use the copr repo it is:
root at krikkit:~# rpm -q krb5-workstation
krb5-workstation-1.21.3-121.fc41.x86_64
root at krikkit:~# rpm -q krb5-server
krb5-server-1.21.3-121.fc41.x86_64
> After rebooting the localkdc was not available so couldn't do kinit. How do
> you restart it? What I tried is below:
>
> root at fedora:/home/smfrench# systemctl start localkdc
> Job for localkdc.service failed because the control process exited
> with error code.
> See "systemctl status localkdc.service" and "journalctl -xeu
> localkdc.service" for details.
> root at fedora:/home/smfrench# systemctl status localkdc.service
> × localkdc.service - Local Kerberos KDC
> Loaded: loaded (/usr/lib/systemd/system/localkdc.service; static)
> Drop-In: /usr/lib/systemd/system/service.d
> └─10-timeout-abort.conf, 50-keep-warm.conf
> Active: failed (Result: exit-code) since Wed 2025-01-22 19:09:26
> PST; 13s ago
> Invocation: 1996ca595fe74329882d55bc94779265
> TriggeredBy: ● localkdc.socket
> Process: 5066 ExecStart=/usr/sbin/krb5kdc -P /run/localkdc/kdc.pid
> -w 1 (code=exited, status=1/FAILURE)
> Mem peak: 9.3M
> CPU: 23ms
This should do it.
> Jan 22 19:09:26 fedora.local systemd[1]: Starting localkdc.service -
> Local Kerberos KDC...
> Jan 22 19:09:26 fedora.local krb5kdc[5066]: krb5kdc: cannot initialize
> realm FEDORA.LOCALKDC.SITE - see log file >
> Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Control
> process exited, code=exited, status=1/FAILURE
> Jan 22 19:09:26 fedora.local systemd[1]: localkdc.service: Failed with
> result 'exit-code'.
> Jan 22 19:09:26 fedora.local systemd[1]: Failed to start
> localkdc.service - Local Kerberos KDC.
> root at fedora:/home/smfrench# exit
> exit
What is in the kdc log (/var/log/localkdc.log)?
>
> smfrench at fedora:~$ kinit asn at SAMBAKDC.LOCALKDC.SITE
> kinit: Cannot find KDC for realm "SAMBAKDC.LOCALKDC.SITE" while
> getting initial credentials
Well, your machine is named fedora, so your realm is: FEDORA.LOCALKDC.SITE!
You've created a user named asn with localkdc-kadmin? I guess you want a local
user sfrench and then add a principal:
root at sambakdc:~# localkdc-kadmin
Authenticating as principal root/admin at FEDORA.LOCALKDC.SITE with password.
kadmin.local: add_principal sfrench
quit
systemctl restart localkdc.service
then you can do: kinit sfrench at FEDORA.LOCALKDC.SITE
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D