[Samba] Question re kerberos . . .

Steve Ankeny steve_a at cinergymetro.net
Fri Feb 13 15:20:29 MST 2015

I've used the Samba AD DC HOWTO 
<https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> to install Samba 4 
as an Active Directory/Domain Controller.

I've successfully configured the domain/realm and DNS (as far as I can 
tell) and worked my way through Testing Your Samba Domain Controller 
and Testing DNS 
segments without issue.

I'm having problems starting Kerberos, specifically, 'krb5-kdc' and 

It appears it cannot identify the realm/domain  It appears Samba is not 
identifying itself.

adam at sogo:~$ sudo service krb5-kdc start
  * Starting Kerberos KDC krb5kdc
krb5kdc: Configuration file does not specify default realm, attempting 
to retrieve default realm

adam at sogo:~$ sudo service krb5-admin-server start
  * Starting Kerberos administrative servers kadmind
kadmind: Configuration file does not specify default realm while 
initializing, aborting

I'm using Ubuntu 14.04 LTS  I provisioned Samba as follows:

samba-tool domain provision --domain=SMBDOMAIN \
--dns-backend=SAMBA_INTERNAL --server-role=dc \
--function-level=2008_R2 --use-xattr=yes \
--use-rfc2307 --realm=smbdomain.com

Here's my 'smb.conf'

adam at sogo:~$ cat /etc/samba/smb.conf
# Global parameters
     workgroup = SMBDOMAIN
     realm = smbdomain.com
     netbios name = SOGO
     server role = active directory domain controller
     dns forwarder =
     idmap_ldb:use rfc2307 = yes
     passdb backend = samba
     allow dns updates = nonsecure

     ### Configuration required by OpenChange server ###
     dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
     dcerpc_mapiproxy:server = true
     dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, 
     ### Configuration required by OpenChange server ###

     mapistore:namedproperties = mysql
     namedproperties:mysql_user = openchange-user
     namedproperties:mysql_pass = passwd
     namedproperties:mysql_host = localhost
     namedproperties:mysql_db = openchange
     mapistore:indexing_backend = 
     mapiproxy:openchangedb = 

     path = /var/lib/samba/sysvol/smbdomain.com/scripts
     read only = No

     path = /var/lib/samba/sysvol
     read only = No

Here's my 'kdc.conf'

adam at sogo:~$ sudo cat /etc/krb5kdc/kdc.conf
     kdc_ports = 750,88

         database_name = /var/lib/krb5kdc/principal
         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file = /etc/krb5kdc/kadm5.acl
         key_stash_file = /etc/krb5kdc/stash
         kdc_ports = 750,88
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
         supported_enctypes = aes256-cts:normal arcfour-hmac:normal 
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm 
des:onlyrealm des:afs3
         default_principal_flags = +preauth

That is exactly as 'kdc.conf' was configured when I installed 'krb5-kdc' 
& 'krb5-admin-server'

I've configured '/etc/network/interfaces' as follows:

adam at sogo:~$ cat /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
     domain smbdomain.com

Any suggestions?  Thanks so much.

More information about the samba mailing list