Kerberos Help Needed

Rick Stevens rstevens at vitalstream.com
Tue Aug 23 17:36:37 UTC 2005


Greg Julius wrote:
> This is a reply to the last two emails from Rick.
> 
> I've been poking around and trying various combinations of things that
> Rick suggested.  I also have some questions from all of this.   Because
> this note is a reply to two notes, I've just decided to cut and paste
> as necessary, hopefully keeping the context for each item intact.
> 
> 
>>>>>OK,  Some general questions:
>>>>>My linux server is supposed to be running Kerberos and maintaining the
>>>>>KDC, correct?
>>>>
>>>>No, your PDC is the KDC.  The Linux machine is a kerberos client, not
>>>>a kerberos server or controller.
>>>>
>>>
>>>OK.  If my PDC (the Windows 2003 ADS system) is my KDC, then which
> 
> services
> 
>>>should be running on my Linux machine?
>>>Clearly I need winbind and samba running, do I need krb5kdc or kadmin as
>>>well??
>>
>>No, you don't. You only need winbind, smbd and nmbd running.  You
>>probably should have ntpd running and aimed at a time server that your
>>PDC watches, too.  If the date/time on the machines varies as little as
>>5 minutes, your clients will be booted out of the Windows domain by the
>>PDC.  Annoying, but true.
> 
> 
> The biggest thing was getting the location of the PDC straightened
> out.  Basically I've been barking up the wrong tree.
> 
> I changed up the services to only run the winbind and samba services.
> Both machines do ntp although they don't use the same clock (Linux is using
> the pool method).  Anyway, they are within 1 minute of each other.
> 
> 
>>>If I should be running krb5kdc and kadmin, then do I point the kdc
>>>parameters to filesrv2.ocinternal.local (which is the Win ADS/PDC
> 
> machine)
> 
>>>and simply delete the kdc on the Linux Machine?
>>
>>You shouldn't have to do anything.  The krb5.conf file should aim all
>>Kerberos requests at your PDC.  You should also make sure the
>>resolv.conf file also looks at your PDC for DNS info (and, of course,
>>set up the PDC to do DNS).
> 
> 
> I changed the krb5.conf file to point the kdc and admin stuff to the PDC.
> The PDC is running the DNS.  Pings from the various machines resolve to the
> correct machines, with and without the domain name attached.
> resolv.conf references the DNS on the PDC.  No other DNS is running.
> Seems to be working fine.
> 
>>The only other tricky thing can be if you have multiple Linux servers
>>talking to the PDC.  It's possible for the winbind cache to get out of
>>sync between all of them and the ACLs won't work since the machines
>>don't have a consistent view of the user list.
>>
>>Oh, and since I'm on ACLs, are you using them?  If so, you may have a
>>rude awakening as RHEL doesn't have ACL support built into smbd by
>>default.  If you do "smbd -b", look at the output.  Verify that you
>>have "HAVE_SYS_ACL_H" in the "System Headers" section.  If you don't
>>see it, you don't have ACL support and you need to rebuild smbd from
>>the source RPM or tarball and specify "--with-acl-support" in the
>>"./configure" command.
> 
> 
> I'm only running one Linux server at this time, probably not ever going
> to run more than a couple for file services.  For now, I'm going to be
> thrilled to get just one working well.
> 
> I dodged the bullet on the ACLs.  My samba has the correct entry in 
> "System Headers".
> 
> 
>>>When I join the linux machine to the windows PDC, I issue "net join -U
>>>administrator".  Was I supposed to do a kinit on something first?
>>
>>First, you need to delete the Linux machine's machine account on the
>>PDC.  Next, do the kinit to get a new Kerberos ticket.  THEN you do the
>>"net join" to set up the login and passwords.
> 
> 
> I deleted the prior join attempt and did a 'kinit administrator'.
> The kinit failed however because of "KDC has no support for 
> encryption type while getting initial credentials".  So I removed
> the enctypes that were suggested in the first reply and tried again.
> That seemed to work just fine.
> 
> When I then did the 'net join' it seemed to work except that it 
> died a horrible death in glibc free() with an invalid
> pointer.  It looks like it added to the ads anyway.
> 
> In fact, when I try to view the guardian machine from the windows server,
> I get further than I have ever gotten in this configuration.  I can
> actually see the shares!  This is progress.
> 
> HOWEVER, when I try to view a share, I get the following in the samba log
> area under the IP address of the windows ads server:
>     *** glibc detected *** smbd: free(): invalid pointer: 0x001bedb0 ***
>     ======= Backtrace: =========
>     /lib/libc.so.6[0x76d424]
>     /lib/libc.so.6(__libc_free+0x77)[0x76d95f]
>     /lib/libcom_err.so.2(remove_error_table+0x4b)[0x1e3abb]
>     /usr/lib/libkrb5.so.3[0x15c8c4]
>     /usr/lib/libkrb5.so.3[0x15c5c7]
>     /usr/lib/libkrb5.so.3[0x1ad9da]
>     /lib/ld-linux.so.2[0x5d0058]
>     /lib/libc.so.6(exit+0xc5)[0x734c69]
>     smbd(exit_server+0x25c)[0xad1ae6]
>     smbd(main+0x995)[0xad26a1]
>     /lib/libc.so.6(__libc_start_main+0xc6)[0x71ede6]
>     smbd[0x8d04f1]
>     ======= Memory map: ========
> 
> I snipped the Memory map area as it was pretty long.  It appears that
> smbd takes a dive during a free operation.  This looks exactly like 
> failure that I got at the end of the 'net join' command.
> 
> I did a 'yum update' hoping there was some fix out there that I
> hadn't yet picked up.  All installed well, but same problem.
> 
> The failure happens every time.
> 
> So, What next?  

I'd try to get the samba source code from samba.org and build it myself.
The updates from Red Hat or Fedora are necessarily behind the current
release.  My guess is that yours has a bug (trying to free an invalid
pointer is certainly an example of a coding bug).  We are using 3.0.14a
ourselves, built from the source tarballs at samba.org.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    Admitting you have a problem is the first step toward getting   -
-    medicated for it.      -- Jim Evarts (http://www.TopFive.com)   -
----------------------------------------------------------------------