[Samba] Kerberos issues

Сергій Дегтярь degtyar.s at mkip.gov.ua
Thu Jun 27 07:52:35 UTC 2024


Dear Mr. Rowland,
Thank you for your answer.
2024-06-26 15:41, Rowland Penny via samba wrote:
> On Wed, 26 Jun 2024 14:00:03 +0300
> Сергій Дегтярь via samba <samba at lists.samba.org> wrote:
>> After kinit administrator failed due to an error, I tried
>> editing /etc/krb5kdc/kdc.conf but this can't help.
> 
> Thing is, you shouldn't have /etc/krb5kdc/kdc.conf on a Samba AD DC.
> Have you installed the krb5-kdc package, if so remove it immediately,
> if not sooner.
It works and I'm very happy to report that this solved my problem!
I added DC2's (BDC) IP address to the krb5.conf file on DC2,
removed the krb5-kdc package, and restarted the samba-ad-dc service.
After this, access to shared resources was restored and the application
also started working.
No new Kerberos LSA issues have appeared.

>> So what needs to be done to remove errors and prevent machines from
>> being disconnected from the domain?
>> Since I am planning to demote and remove DC1 due to security issues,
>> what should I do to move the KDC to DC2?
>> I found a manual on how to set up a secondary KDC:
>> https://ubuntu.com/server/docs/how-to-set-up-a-secondary-kdc
>> Is this manual suitable for use with samba?
> 
> Absolutely not, Kerberos is built into a Samba AD DC and you shouldn't
> run a separate kdc, unless you have specifically built Samba to use MIT
> kerberos instead of Heimdal, in which case you are running an
> experimental DC that you shouldn't use in production.
> 
> Rowland
Thanks a lot for explaining how Samba uses Kerberos.
--
Sincerely, Sergiy Degtyar
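
The check behind the advice in this thread, as an added example that is not part of the original messages or of Samba itself: it flags a standalone KDC (the krb5-kdc package or /etc/krb5kdc/kdc.conf) on a host whose smb.conf declares the AD DC role. The function names, the dpkg status path and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is "" for the live system or the
# path of a mounted/unpacked image; paths are the Debian/Ubuntu defaults.

# 0 if smb.conf declares the AD DC role.
is_samba_ad_dc() {
    [ -r "$1/etc/samba/smb.conf" ] || return 1
    grep -Eiq '^[[:space:]]*server[[:space:]]*role[[:space:]]*=[[:space:]]*active[[:space:]]+directory[[:space:]]+domain[[:space:]]+controller[[:space:]]*$' \
        "$1/etc/samba/smb.conf"
}

# 0 if dpkg records krb5-kdc as fully installed (not removed/config-files).
krb5_kdc_installed() {
    [ -r "$1/var/lib/dpkg/status" ] || return 1
    awk '/^Package: / { pkg = $2 }
         /^Status: /  { if (pkg == "krb5-kdc" && $0 == "Status: install ok installed") hit = 1 }
         END          { exit(hit ? 0 : 1) }' "$1/var/lib/dpkg/status"
}

# Prints findings. Returns 0 = clean, 1 = standalone KDC present, 2 = not an AD DC.
audit_dc() {
    root="${1%/}"
    is_samba_ad_dc "$root" || { echo "smb.conf does not declare an AD DC"; return 2; }
    rc=0
    if krb5_kdc_installed "$root"; then
        echo "CONFLICT: krb5-kdc is installed; remove the package"; rc=1
    fi
    if [ -e "$root/etc/krb5kdc/kdc.conf" ]; then
        echo "CONFLICT: /etc/krb5kdc/kdc.conf exists"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no standalone KDC next to the Samba KDC"
    return "$rc"
}

# Build a constructed filesystem tree: $1 = directory, $2 = dpkg Status line.
make_sample_root() {
    mkdir -p "$1/etc/samba" "$1/var/lib/dpkg"
    printf '[global]\n\tserver role = active directory domain controller\n' \
        > "$1/etc/samba/smb.conf"
    printf 'Package: samba\nStatus: install ok installed\n\nPackage: krb5-kdc\nStatus: %s\n' \
        "$2" > "$1/var/lib/dpkg/status"
}
```

On a DC, `audit_dc ""` audits the running system; `make_sample_root` only exists to build constructed input for trying the check offline.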


