Kerberos Help Needed

Rick Stevens rstevens at vitalstream.com
Tue Aug 23 00:55:03 UTC 2005


Greg Julius wrote:
> Hi Rick, Thank you. 
> 
> <Massive Snip>
> 
>>>OK,  Some general questions:
>>>My linux server is supposed to be running Kerberos and maintaining the
>>>KDC, correct?
>>
>>No, your PDC is the KDC.  The Linux machine is a kerberos client, not
>>a kerberos server or controller.
>>
> 
> OK.  If my PDC (the Windows 2003 ADS system) is my KDC, then which services
> should be running on my Linux machine?
> Clearly I need winbind and samba running, do I need krb5kdc or kadmin as
> well??

No, you don't. You only need winbind, smbd and nmbd running.  You
probably should have ntpd running and aimed at a time server that your
PDC watches, too.  If the date/time on the machines varies as little as
5 minutes, your clients will be booted out of the Windows domain by the
PDC.  Annoying, but true.

> If I should be running krb5kdc and kadmin, then do I point the kdc
> parameters to filesrv2.ocinternal.local (which is the Win ADS/PDC machine)
> and simply delete the kdc on the Linux Machine?

You shouldn't have to do anything.  The krb5.conf file should aim all
Kerberos requests at your PDC.  You should also make sure the
resolv.conf file also looks at your PDC for DNS info (and, of course,
set up the PDC to do DNS).

The only other tricky thing can be if you have multiple Linux servers
talking to the PDC.  It's possible for the winbind cache to get out of
sync between all of them and the ACLs won't work since the machines
don't have a consistent view of the user list.

Oh, and since I'm on ACLs, are you using them?  If so, you may have a
rude awakening as RHEL doesn't have ACL support built into smbd by
default.  If you do "smbd -b", look at the output.  Verify that you
have "HAVE_SYS_ACL_H" in the "System Headers" section.  If you don't
see it, you don't have ACL support and you need to rebuild smbd from
the source RPM or tarball and specify "--with-acl-support" in the
"./configure" command.

> Thanks again for your responses.

I hope this helps sort it out.  It ain't easy!
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
- Treat each day as if it's your last...a lot of crying and whining  -
-      usually gets you what you want!              -- Sam Sledge    -
----------------------------------------------------------------------
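The three checks in the reply above (ACL support compiled into smbd, clock skew against the PDC under the five-minute limit, and krb5.conf aiming every kdc entry at the PDC) written up as POSIX sh functions. This is an added example, not code from the original post or from Samba; the `smbd -b` section layout it parses is an abbreviated assumption, the krb5.conf is constructed with a placeholder realm name, and the only host name used is the PDC already named in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post. It turns the
# three checks in the reply into shell functions:
#   1. smbd built with ACL support (HAVE_SYS_ACL_H under "System Headers" in
#      `smbd -b` output),
#   2. clock skew against the PDC under the 5-minute Kerberos limit,
#   3. every kdc entry in krb5.conf naming the PDC.
# All inputs below are constructed so the script runs offline; on a real host
# you would pass "$(smbd -b)", "$(date +%s)" and "$(cat /etc/krb5.conf)".

# Constructed, abbreviated `smbd -b` output. The real output lists far more
# defines; only the "Section:" / indented-define layout is assumed here.
SMBD_B_WITH_ACL='Build environment:
   Built by:    root@build
Paths:
   SBINDIR: /usr/sbin
System Headers:
   HAVE_FCNTL_H
   HAVE_SYS_ACL_H
   HAVE_UNISTD_H
Headers:
   HAVE_ACL_LIBACL_H'

SMBD_B_NO_ACL='Build environment:
   Built by:    root@build
System Headers:
   HAVE_FCNTL_H
   HAVE_UNISTD_H
Headers:
   HAVE_NETDB_H'

# Constructed krb5.conf; the realm name is a placeholder, the kdc host is the
# PDC named in the thread.
KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.LOCAL

[realms]
    EXAMPLE.LOCAL = {
        kdc = filesrv2.ocinternal.local:88
        admin_server = filesrv2.ocinternal.local
    }'

PDC=filesrv2.ocinternal.local

# has_acl_support SMBD_B_OUTPUT: succeeds only if HAVE_SYS_ACL_H appears in the
# "System Headers" section (the same name in another section does not count).
has_acl_support() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z ]+:[ \t]*$/ { section = $0; sub(/:[ \t]*$/, "", section); next }
        section == "System Headers" && $1 == "HAVE_SYS_ACL_H" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# clock_skew_ok LOCAL_EPOCH PDC_EPOCH: succeeds when the clocks differ by less
# than 300 seconds, the 5-minute window the reply warns about.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - $skew ))
    [ "$skew" -lt 300 ]
}

# kdc_hosts KRB5_CONF_TEXT: prints each kdc host from the [realms] section,
# port stripped, one per line.
kdc_hosts() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && /^[ \t]*kdc[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/:[0-9]+[ \t]*$/, ""); print
        }'
}

# kdc_points_at KRB5_CONF_TEXT PDC_HOST: succeeds when at least one kdc is
# listed and every one of them is the PDC.
kdc_points_at() {
    hosts=$(kdc_hosts "$1")
    [ -n "$hosts" ] || return 1
    printf '%s\n' "$hosts" | awk -v want="$2" '
        $0 != want { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Human-readable run over the constructed data (the skew check uses the local
# clock twice here; on a real host the second value comes from the PDC).
report() {
    has_acl_support "$SMBD_B_WITH_ACL" && echo "ACL support: present" \
        || echo "ACL support: MISSING (rebuild smbd --with-acl-support)"
    clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "clock skew: ok" \
        || echo "clock skew: 5 min or more, fix ntpd"
    kdc_points_at "$KRB5_CONF" "$PDC" && echo "krb5.conf kdc: $PDC" \
        || echo "krb5.conf kdc: does not point at $PDC"
}

report
```

Each function takes its input as an argument rather than running the command itself, so the same script can be pointed at the live `smbd -b` output and `/etc/krb5.conf` on one host, or at copies collected from several Linux servers to confirm they all agree on the PDC.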