Kerberos Help Needed

Rick Stevens rstevens at vitalstream.com
Mon Aug 22 18:15:13 UTC 2005


Greg Julius wrote:
> Hi Y'all.  Greg from Texas calling.
> 
> I desperately need some help with getting my systems talking together.  I
> have googled, read, and read some more.
> I apologize in advance for a long email.
> I tried to include everything that may be pertinent.
> 
> Abstract:
> I can't seem to get kerberos configured correctly so that a windows user can
> access the samba shares.
> 
> My Setup:
> Windows Small Business Server 2003 ADS which is my domain PDC, and numerous
> Windows workstations.
> Linux Server, Fedora Core 4 (brand new install), which is to be a file
> server and an internal web development server (Apache, PHP, MySQL)
> 
> I have recently needed to upgrade from a peer-peer network to a Windows SBS
> ADS/PDC.  When I did, my linux server left the fray and I haven't been able
> to get it to talk to windows despite working on it for some time.  I am now
> at the point where I MUST GET IT WORKING (unhappy clients including an
> unhappy me).
> 
> It is my understanding that in order for the Linux server to talk with the
> Windows ADS that Kerberos must be working, but I am having mucho trouble
> with this.  I think my biggest problem is a lack of the total picture and I
> could use somebody who is familiar with kerberos and Windows ADS (and
> winbind and samba) interactions.
> 
> I called Bob McClure this morning looking for help and he reminded me that
> Rick Stevens monitors this list and was probably my best bet for something
> of this nature. So here I am....
> 
> Progress to date (or lack of):
> Windows SBS 2003 ADS/PDC installed.  This is Filesvr2 by name, x.x.x.6 by
> IP.  Samba shares no longer work.
> Dns and Dhcp are running on the PDC and names resolve correctly all over the
> network.  ocinternal.local is the domain name.  Addresses resolve with and
> without the domain name suffixed.
> Fedora Core 4 installed - no problems to speak of
> Linux host name is guardian and is at x.x.x.8.  I can ping this address by
> name and IP, both from the machine itself and from elsewhere on the network.
> Basic connectivity is achieved
> Selinux is disabled until I get other things working correctly to remove
> those potential issues.
> Apache Started and talks to browsers on the network.  Virtual name servers
> work and present data correctly.
> Kerberos 'configured' and starts (kadmin and krb5kdc).  Krb524 not run as I
> don't have any v.4 stuff at all or ever.
> I created the kdc.  Realm name is OCINTERNAL.LOCAL, kdc name is
> guardian.ocinternal.local
> Samba starts
> Winbind starts.
> As root I can do a kinit, can see the results with klist, and remove them
> with kdestroy.
> 
> Now for raw data.  I have tried to keep the config files pretty vanilla.
> I have put comments below each config file or log file and at the end of the
> file.
> Here is the kdc.conf contents:
> 
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
> 
> [realms]
>  OCINTERNAL.LOCAL = {
>   master_key_type = des-cbc-crc
>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:afs3
>  }
> 
> 
> I'm not too sure on the master_key_type as the information available is
> unclear and conflicting.  What does Windows ADS use and is it supported on
> this side of the divide?  If not, then what should I use and how do I tell
> windows to use it as well?
> 
> 
> 
> Here is krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = OCINTERNAL.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>  OCINTERNAL.LOCAL = {
>   kdc = guardian.ocinternal.local:88
>   admin_server = guardian.ocinternal.local:749
>  }
> 
> [domain_realm]
>  .ocinternal.local = OCINTERNAL.LOCAL
>  ocinternal.local = OCINTERNAL.LOCAL
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = true
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }

Note that I'm no expert on this, but I have set up a rather nasty
network like this (14 Linux servers in the domain).  I can't give you
all of our configs, but I'll help out with what I can.

You should probably add something along the lines of:

    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

to your [libdefaults] in /etc/krb5.conf

Also, unless your domain is resolvable by normal DNS (and judging from
your domain name, it probably isn't), then you need to set up your PDC
to do name resolution, put entries in for the domain AND the PDC and set
"dns_lookup_realm" and "dns_lookup_kdc" to "false".  You should also
modify your /etc/resolv.conf to look at the PDC for DNS queries (at
least make it the first entry).

> I have tried this file with the dns settings set both ways.
> And finally, the smb.conf file (some clipped for brevity):
> 
> # Samba config file created using SWAT
> # from 127.0.0.1 (127.0.0.1)
> # Date: 2005/08/08 22:08:31
> 
> # Global parameters
> [global]
> 	workgroup = OCINTERNAL
> 	realm = OCINTERNAL.LOCAL
> 	server string = Samba Server
> 	security = ADS
> 	password server = Filesrv2.ocinternal.local
> 	log file = /var/log/samba/%m.log
> 	max log size = 50
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 	printcap name = /etc/printcap
> 	dns proxy = No
> 	ldap ssl = no
> 	idmap uid = 16777216-33554431
> 	idmap gid = 16777216-33554431
> 	template shell = /bin/bash
> 	cups options = raw
> 
> 
> Note that the password server here is set to Filesrv2.  This name is that of
> my PDC.

You may need to add stuff like this to smb.conf:

     # Use the default Windows domain
        winbind use default domain = yes
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind uid = 400001-60000
        winbind gid = 400001-60000

<snip>
> OK,  Some general questions:
> My linux server is supposed to be running Kerberos and maintaining the KDC,
> correct?

No, your PDC is the KDC.  The Linux machine is a kerberos client, not
a kerberos server or controller.

> My password server, as far as winbind and samba are concerned, is the
> ADC/PDC machine, correct?

Yes.

> When I join the linux machine to the windows PDC, I issue "net join -U
> administrator".  Was I supposed to do a kinit on something first?

First, you need to delete the Linux machine's machine account on the
PDC.  Next, do the kinit to get a new Kerberos ticket.  THEN you do the
"net join" to set up the login and passwords.

> What principals are needed and why and what roles do they need to have?

You need to set up the login that your services will be running as.

> When I join the command, I get the following conflicting messages:
>   ads_connect: Server not found in Kerberos database
>   Joined domain OCINTERNAL.
> The server then shows up in the ADS.  So I guess I successfully joined the
> domain.  What is the ads_connect: message about?
> "wbinfo -D OCINTERNAL" shows that winbind seems to know about the domain, it
> knows that it is an ADS.

Since OCINTERNAL.LOCAL isn't a DNS domain nor a DNS hostname, the
resolution won't work.  This is why you need to set up the PDC to do
DNS resolution and must make it your primary DNS server in the
/etc/resolv.conf file.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
- ...Had this been an actual emergency, we would have fled in terror -
-                      and you'd be on your own, pal!                -
----------------------------------------------------------------------
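As an added illustration (not part of the thread, and not anything Greg or Rick ran), a small Python check that parses abridged krb5.conf and smb.conf snippets modelled on the ones quoted above and flags the points Rick raises: the realm's kdc pointing at the Linux box instead of the AD domain controller, DNS-based KDC lookup with a .local realm, and a missing default_tkt_enctypes line. The config strings are constructed for the example.

```python
# Constructed samples, abridged from the configs quoted in the thread.
KRB5_CONF = """
[libdefaults]
 default_realm = OCINTERNAL.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 OCINTERNAL.LOCAL = {
  kdc = guardian.ocinternal.local:88
  admin_server = guardian.ocinternal.local:749
 }
"""

SMB_CONF = """
[global]
    realm = OCINTERNAL.LOCAL
    security = ADS
    password server = Filesrv2.ocinternal.local
"""

def parse_conf(text):
    """Parse krb5.conf/smb.conf style text into {section: {key: value}}.
    Brace blocks inside a section (the REALM = { ... } form) become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('['):                      # new section header
            section, block = line.strip('[]'), None
            conf.setdefault(section, {})
        elif line.endswith('{'):                      # start of a nested block
            block = line.split('=', 1)[0].strip()
            conf[section][block] = {}
        elif line == '}':                             # end of nested block
            block = None
        elif '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            (conf[section][block] if block else conf[section])[key] = val
    return conf

def check_ads_client(krb5_text, smb_text):
    """Cross-check the Kerberos client config against Samba's ADS settings.
    Returns a list of findings; an empty list means the checks passed."""
    krb5, smb = parse_conf(krb5_text), parse_conf(smb_text)
    libd, glob = krb5.get('libdefaults', {}), smb.get('global', {})
    realm, findings = libd.get('default_realm', ''), []
    if glob.get('realm', '').upper() != realm.upper():
        findings.append('realm in smb.conf differs from default_realm in krb5.conf')
    kdc = krb5.get('realms', {}).get(realm, {}).get('kdc', '').split(':')[0].lower()
    dc = glob.get('password server', '').lower()
    if kdc and dc and kdc != dc:                      # the KDC must be the AD DC
        findings.append(f'kdc {kdc} is not the domain controller {dc}')
    if realm.lower().endswith('.local') and libd.get('dns_lookup_kdc') == 'true':
        findings.append('dns_lookup_kdc=true with a .local realm: point DNS at the DC or set false')
    if 'default_tkt_enctypes' not in libd:
        findings.append('default_tkt_enctypes not set in [libdefaults]')
    return findings
```
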