[Samba] Question re kerberos . . .
Rowland Penny
rowlandpenny at googlemail.com
Fri Feb 13 15:37:00 MST 2015
On 13/02/15 22:20, Steve Ankeny wrote:
> I've used the Samba AD DC HOWTO
> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> to install Samba
> 4 as an Active Directory/Domain Controller.
>
> I've successfully configured the domain/realm and DNS (as far as I can
> tell) and worked my way through Testing Your Samba Domain Controller
> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_Your_Samba_Domain_Controller>
> and Testing DNS
> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS>
> segments without issue.
>
> I'm having problems starting Kerberos, specifically, 'krb5-kdc' and
> 'krb5-admin-server'
>
> It appears it cannot identify the realm/domain. It appears Samba is
> not identifying itself.
>
> adam at sogo:~$ sudo service krb5-kdc start
> * Starting Kerberos KDC krb5kdc
> krb5kdc: Configuration file does not specify default realm, attempting
> to retrieve default realm
>
> adam at sogo:~$ sudo service krb5-admin-server start
> * Starting Kerberos administrative servers kadmind
> kadmind: Configuration file does not specify default realm while
> initializing, aborting
>
> I'm using Ubuntu 14.04 LTS. I provisioned Samba as follows:
>
> samba-tool domain provision --domain=SMBDOMAIN \
> --dns-backend=SAMBA_INTERNAL --server-role=dc \
> --function-level=2008_R2 --use-xattr=yes \
> --use-rfc2307 --realm=smbdomain.com
>
> Here's my 'smb.conf'
>
> adam at sogo:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = SMBDOMAIN
> realm = smbdomain.com
> netbios name = SOGO
> server role = active directory domain controller
> dns forwarder = 192.168.121.1
> idmap_ldb:use rfc2307 = yes
> passdb backend = samba
> allow dns updates = nonsecure
>
> ### Configuration required by OpenChange server ###
> dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
> dcerpc_mapiproxy:server = true
> dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp,
> exchange_ds_rfr
> ### Configuration required by OpenChange server ###
>
> mapistore:namedproperties = mysql
> namedproperties:mysql_user = openchange-user
> namedproperties:mysql_pass = passwd
> namedproperties:mysql_host = localhost
> namedproperties:mysql_db = openchange
> mapistore:indexing_backend =
> mysql://openchange-user:passwd@localhost/openchange
> mapiproxy:openchangedb =
> mysql://openchange-user:passwd@localhost/openchange
>
> [netlogon]
> path = /var/lib/samba/sysvol/smbdomain.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Here's my 'kdc.conf'
>
> adam at sogo:~$ sudo cat /etc/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> SMBDOMAIN.COM = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = aes256-cts:normal arcfour-hmac:normal
> des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
> des:onlyrealm des:afs3
> default_principal_flags = +preauth
> }
>
> That is exactly as 'kdc.conf' was configured when I installed
> 'krb5-kdc' & 'krb5-admin-server'
>
> I've configured '/etc/network/interfaces' as follows:
>
> adam at sogo:~$ cat /etc/network/interfaces
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 192.168.121.149
> netmask 255.255.255.0
> gateway 192.168.121.1
> network 192.168.121.0
> broadcast 192.168.121.255
> domain smbdomain.com
> dns-nameservers 127.0.0.1 192.168.121.1
>
>
> Any suggestions? Thanks so much.
>
Yep, 'apt-get purge krb5-kdc krb5-admin-server'.
The Kerberos server is built into the Samba AD DC.
Rowland
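The clash Rowland points at (a stand-alone MIT KDC installed on a host whose smb.conf already says "server role = active directory domain controller", so two KDCs compete for port 88) can be spotted from three pieces of host state. Below is an added example, not from the thread or the Samba project: small POSIX sh helpers (hypothetical names) that take the text of smb.conf, `dpkg-query -W -f='${Package} ${Status}\n'` and `ss -ltnp` as strings, so they can be fed live output or the constructed samples included here.

```shell
#!/bin/sh
# Added example (not from the thread): detect an MIT KDC installed beside a Samba AD DC.

# server_role_from_smbconf <smb.conf text>: prints the configured "server role".
server_role_from_smbconf() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# conflicting_kdc_packages <dpkg-query output>: prints installed MIT KDC packages,
# i.e. the two packages the reply says to purge on an AD DC.
conflicting_kdc_packages() {
    printf '%s\n' "$1" | awk '$1 ~ /^krb5-(kdc|admin-server)$/ && /install ok installed/ { print $1 }'
}

# port88_owner <ss -ltnp output>: prints the process name listening on TCP/88 (Kerberos).
# On a healthy AD DC this should be samba, not krb5kdc.
port88_owner() {
    printf '%s\n' "$1" | awk '$4 ~ /:88$/ && match($0, /users:\(\("[^"]+"/) {
        print substr($0, RSTART + 9, RLENGTH - 10); exit }'
}

# kdc_conflict_verdict <smb.conf text> <dpkg-query output>: "conflict" when the host
# is an AD DC and an MIT KDC package is installed, otherwise "ok".
kdc_conflict_verdict() {
    role=$(server_role_from_smbconf "$1")
    pkgs=$(conflicting_kdc_packages "$2")
    if [ "$role" = "active directory domain controller" ] && [ -n "$pkgs" ]; then
        echo "conflict"
    else
        echo "ok"
    fi
}

# Constructed samples modelled on the thread (not real captured output).
SMB_CONF='[global]
workgroup = SMBDOMAIN
realm = smbdomain.com
server role = active directory domain controller'
DPKG_OUT='krb5-kdc install ok installed
krb5-admin-server install ok installed
samba install ok installed'
SS_OUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:88        0.0.0.0:*     users:(("samba",pid=1234,fd=40))'

echo "server role : $(server_role_from_smbconf "$SMB_CONF")"
echo "MIT KDC pkgs: $(conflicting_kdc_packages "$DPKG_OUT" | tr '\n' ' ')"
echo "port 88     : $(port88_owner "$SS_OUT")"
echo "verdict     : $(kdc_conflict_verdict "$SMB_CONF" "$DPKG_OUT")"
```

On a real host, replace the three sample strings with `$(cat /etc/samba/smb.conf)`, `$(dpkg-query -W -f='${Package} ${Status}\n')` and `$(ss -ltnp)`; a "conflict" verdict with samba owning port 88 is exactly the state in the original post, where krb5kdc fails because it is second in line.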