[Samba] Question re kerberos . . .

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 13 15:53:23 MST 2015


On 13/02/15 22:48, Steve Ankeny wrote:
> Thanks for the quick response!
>
> Do I still need the following packages?
>
> adam@sogo:~$ sudo dpkg --get-selections | grep krb5
> krb5-config                                            install
> krb5-user                                               install
> libgssapi-krb5-2:amd64                         install
> libkrb5-26-heimdal:amd64                    install
> libkrb5-3:amd64                                    install
> libkrb5support0:amd64                         install
>
> They were not listed in the "autoremove" message.
>
> On 02/13/2015 05:37 PM, Rowland Penny wrote:
>> On 13/02/15 22:20, Steve Ankeny wrote:
>>> I've used the Samba AD DC HOWTO 
>>> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO> to install 
>>> Samba 4 as an Active Directory/Domain Controller.
>>>
>>> I've successfully configured the domain/realm and DNS (as far as I 
>>> can tell) and worked my way through Testing Your Samba Domain 
>>> Controller 
>>> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_Your_Samba_Domain_Controller> 
>>> and Testing DNS 
>>> <https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS> 
>>> segments without issue.
>>>
>>> I'm having problems starting Kerberos, specifically, 'krb5-kdc' and 
>>> 'krb5-admin-server'
>>>
>>> It appears it cannot identify the realm/domain. It appears Samba is 
>>> not identifying itself.
>>>
>>> adam@sogo:~$ sudo service krb5-kdc start
>>>  * Starting Kerberos KDC krb5kdc
>>> krb5kdc: Configuration file does not specify default realm, attempting to retrieve default realm
>>>
>>> adam@sogo:~$ sudo service krb5-admin-server start
>>>  * Starting Kerberos administrative servers kadmind
>>> kadmind: Configuration file does not specify default realm while initializing, aborting
>>>
>>> I'm using Ubuntu 14.04 LTS. I provisioned Samba as follows:
>>>
>>> samba-tool domain provision --domain=SMBDOMAIN \
>>> --dns-backend=SAMBA_INTERNAL --server-role=dc \
>>> --function-level=2008_R2 --use-xattr=yes \
>>> --use-rfc2307 --realm=smbdomain.com
>>>
>>> Here's my 'smb.conf'
>>>
>>> adam@sogo:~$ cat /etc/samba/smb.conf
>>> # Global parameters
>>> [global]
>>>     workgroup = SMBDOMAIN
>>>     realm = smbdomain.com
>>>     netbios name = SOGO
>>>     server role = active directory domain controller
>>>     dns forwarder = 192.168.121.1
>>>     idmap_ldb:use rfc2307 = yes
>>>     passdb backend = samba
>>>     allow dns updates = nonsecure
>>>
>>>     ### Configuration required by OpenChange server ###
>>>     dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
>>>     dcerpc_mapiproxy:server = true
>>>     dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
>>>     ### Configuration required by OpenChange server ###
>>>
>>>     mapistore:namedproperties = mysql
>>>     namedproperties:mysql_user = openchange-user
>>>     namedproperties:mysql_pass = passwd
>>>     namedproperties:mysql_host = localhost
>>>     namedproperties:mysql_db = openchange
>>>     mapistore:indexing_backend = mysql://openchange-user:passwd@localhost/openchange
>>>     mapiproxy:openchangedb = mysql://openchange-user:passwd@localhost/openchange
>>>
>>> [netlogon]
>>>     path = /var/lib/samba/sysvol/smbdomain.com/scripts
>>>     read only = No
>>>
>>> [sysvol]
>>>     path = /var/lib/samba/sysvol
>>>     read only = No
>>>
>>> Here's my 'kdc.conf'
>>>
>>> adam@sogo:~$ sudo cat /etc/krb5kdc/kdc.conf
>>> [kdcdefaults]
>>>     kdc_ports = 750,88
>>>
>>> [realms]
>>>     SMBDOMAIN.COM = {
>>>         database_name = /var/lib/krb5kdc/principal
>>>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>>>         acl_file = /etc/krb5kdc/kadm5.acl
>>>         key_stash_file = /etc/krb5kdc/stash
>>>         kdc_ports = 750,88
>>>         max_life = 10h 0m 0s
>>>         max_renewable_life = 7d 0h 0m 0s
>>>         master_key_type = des3-hmac-sha1
>>>         supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
>>>         default_principal_flags = +preauth
>>>     }
>>>
>>> That is exactly as 'kdc.conf' was configured when I installed 
>>> 'krb5-kdc' & 'krb5-admin-server'
>>>
>>> I've configured '/etc/network/interfaces' as follows:
>>>
>>> adam@sogo:~$ cat /etc/network/interfaces
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> auto eth0
>>> iface eth0 inet static
>>>     address 192.168.121.149
>>>     netmask 255.255.255.0
>>>     gateway 192.168.121.1
>>>     network 192.168.121.0
>>>     broadcast 192.168.121.255
>>>     domain smbdomain.com
>>>     dns-nameservers 127.0.0.1 192.168.121.1
>>>
>>>
>>> Any suggestions?  Thanks so much.
>>>
>>
>> Yep, 'apt-get purge krb5-kdc krb5-admin-server'
>>
>> The kerberos server is built into the samba AD DC
>>
>> Rowland
>

Yes, they are the client packages

Rowland
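
The package check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `dpkg --get-selections` output and separates the standalone KDC services Rowland says to purge from the client packages and libraries that stay. The sample listing is constructed, and the handling of the `deinstall` state (removed but not purged, so configuration files remain) is an addition beyond what the thread covers.

```shell
# Added example (not from the thread). On a Samba AD DC the KDC is built into
# samba itself, so the standalone KDC services named in the reply should be gone.

# Reads `dpkg --get-selections` lines on stdin: "name[:arch]  state".
# Prints "<verdict> <package>" for each krb5-related package:
#   CONFLICT  standalone KDC service still installed
#   LEFTOVER  standalone KDC service removed but not purged
#   KEEP      Kerberos client tool or library
classify_krb5_selections() {
    while read -r name state; do
        [ -n "$name" ] || continue
        base=${name%%:*}                 # drop an ":amd64" style suffix
        case "$base" in
            krb5-kdc|krb5-admin-server)
                case "$state" in
                    install|hold) verdict=CONFLICT ;;
                    deinstall)    verdict=LEFTOVER ;;
                    *)            continue ;;
                esac ;;
            *krb5*)
                [ "$state" = install ] || [ "$state" = hold ] || continue
                verdict=KEEP ;;
            *)  continue ;;
        esac
        printf '%s %s\n' "$verdict" "$base"
    done
}

# Constructed sample input: package states chosen for illustration only.
sample_selections() {
    cat <<'EOF'
krb5-admin-server        deinstall
krb5-config              install
krb5-kdc                 install
krb5-user                install
libgssapi-krb5-2:amd64   install
libkrb5-3:amd64          install
samba                    install
EOF
}

sample_selections | classify_krb5_selections
```

On a live host, feed it real data with `dpkg --get-selections | classify_krb5_selections`; any CONFLICT or LEFTOVER line names a package for `apt-get purge`.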
