[Samba] How to configure krb5 for multiple domains or domain and its sub-domains

Mauricio Tavares raubvogel at gmail.com
Tue Aug 23 14:47:23 MDT 2011


On Tue, Aug 23, 2011 at 3:17 PM, Le, Anh <anh.le at cognex.com> wrote:
> Hi Mauricio,
>
> First of all, thank you for the reply. Secondly, those subdomains are child domains of pc.example.com in windows dns.  And here is my current krb5.conf file.  user at pc.example.com is connecting fine. But not the user at europe.pc.example.com or user at asia.pc.example.com. These users will be prompted for the username and password. By the way we use kerberos with winbind.
>
> [libdefaults]
>        default_realm = PC.EXAMPLE.COM
>        dns_lookup_kdc = true
>        verify_ap_req_nofail = false
>        clockskew = 300
>
> [realms]
>        PC.EXAMPLE.COM = {
>                kdc = server1.pc.example.com
>                admin_server = server1.pc.example.com
>                default_domain = pc.example.com
>        }
>
>  [domain_realm]
>       .kerberos.server = PC.EXAMPLE.COM
>       pc.example.com = PC.EXAMPLE.COM
>       .pc.example.com = PC.EXAMPLE.COM
          .europe.pc.example.com = PC.EXAMPLE.COM
          .asia.pc.example.com = PC.EXAMPLE.COM

see if this helps
>
>
> [logging]
>        default = FILE:/var/krb5/kdc.log
>        kdc = FILE:/var/log/kdc.log
>        kdc_rotate = {
>
> # How often to rotate kdc.log. Logs will get rotated no more
> # often than the period, and less often if the KDC is not used
> # frequently.
>
>                period = 1d
>
> # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
>
>                versions = 10
>        }
>
> [appdefaults]
>        kinit = {
>                renewable = true
>                forwardable= true
>        }
>        gkadmin = {
>                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
>        }
> Thanks a lot,
>
> Anh.
>
>
>
> -----Original Message-----
> From: Mauricio Tavares [mailto:raubvogel at gmail.com]
> Sent: Tuesday, August 23, 2011 12:50 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to configure krb5 for multiple domains or domain and its sub-domains
>
> On Aug 23, 2011 11:13 AM, "Le, Anh" <anh.le at cognex.com> wrote:
>>
>> Hi All,
>>
>> I've configured my samba server (3.5.11) working and joined to my
>> domain
> pc.example.com. Every user of pc.example.com is able to view the shared folders and files of my samba server without any problem.
>>
>> However, the users of my sub-domains Europe.pc.example.com  and
> Asia.pc.example.com could not connect and view the shared folders of my samba server. They were prompted for the passwords and it does not accept their passwords when the users entered. I guess it has this problem because my current krb5 is only setup for my main domain pc.example.com.
>>
>> I don't know the syntax for the multiple domains or domain and its
> sub-domains of krb5.conf file. It will be very appreciated if anyone can help me.
>>
>      Are those subdomains as in dns subdomains or samba workgroups/domains?
> Are they all supposed to be in the same kerberos realm?
>
>> Thanks a lot,
>>
>> Anh.
>
>


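To check which realm a given host resolves to under the [domain_realm] entries discussed in this message, here is an added example that is not part of the original thread. It is a simplified model of the documented semantics (a bare entry names one host, an entry with a leading period names a domain, the most specific entry wins); real Kerberos libraries may differ in detail, and the `fs1.*` host names are constructed for illustration.

```python
# Added example: simplified model of krb5.conf [domain_realm] lookup.
# Constructed sample config, reduced to the sections the lookup needs.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = PC.EXAMPLE.COM

[domain_realm]
    pc.example.com = PC.EXAMPLE.COM
    .pc.example.com = PC.EXAMPLE.COM
    .europe.pc.example.com = PC.EXAMPLE.COM
    .asia.pc.example.com = PC.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] entries as {name: realm}, names lower-cased."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Return (realm, matching entry) for host, or (None, None) if unmapped."""
    host = host.lower().rstrip(".")
    if host in mapping:                      # bare entry: exact host name
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):          # most specific domain first
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain], domain
    return None, None


if __name__ == "__main__":
    entries = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("server1.pc.example.com", "fs1.europe.pc.example.com",
              "fs1.asia.pc.example.com", "host.other.example.org"):
        print(h, "->", realm_for_host(h, entries))
```

In this model, a host under europe.pc.example.com that has no entry of its own falls through to the `.pc.example.com` entry, so printing the matching entry shows which line of the file actually decided the realm.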