Kerberos Help Needed

Greg Julius fromRHIL at outtacyte.com
Tue Aug 23 06:53:37 UTC 2005


This is a reply to the last two emails from Rick.

I've been poking around and trying various combinations of things that
Rick suggested.  I also have some questions from all of this.   Because
this note is a reply to two notes, I've just decided to cut and paste
as necessary, hopefully keeping the context for each item intact.

>>>>OK,  Some general questions:
>>>>My linux server is supposed to be running Kerberos and maintaining the
>>>>KDC, correct?
>>>
>>>No, your PDC is the KDC.  The Linux machine is a kerberos client, not
>>>a kerberos server or controller.
>>>
>> 
>> OK.  If my PDC (the Windows 2003 ADS system) is my KDC, then which services
>> should be running on my Linux machine?
>> Clearly I need winbind and samba running, do I need krb5kdc or kadmin as
>> well??
>
>No, you don't. You only need winbind, smbd and nmbd running.  You
>probably should have ntpd running and aimed at a time server that your
>PDC watches, too.  If the date/time on the machines varies as little as
>5 minutes, your clients will be booted out of the Windows domain by the
>PDC.  Annoying, but true.

The biggest thing was getting the location of the PDC straightened
out.  Basically I've been barking up the wrong tree.

I changed up the services to only run the winbind and samba services.
Both machines do ntp although they don't use the same clock (Linux is using
the pool method).  Anyway, they are within 1 minute of each other.

>> If I should be running krb5kdc and kadmin, then do I point the kdc
>> parameters to filesrv2.ocinternal.local (which is the Win ADS/PDC machine)
>> and simply delete the kdc on the Linux Machine?
>
>You shouldn't have to do anything.  The krb5.conf file should aim all
>Kerberos requests at your PDC.  You should also make sure the
>resolv.conf file also looks at your PDC for DNS info (and, of course,
>set up the PDC to do DNS).

I changed the krb5.conf file to point the kdc and admin stuff to the PDC.
The PDC is running the DNS.  Pings from the various machines resolve to the
correct machines, with and without the domain name attached.
resolv.conf references the DNS on the PDC.  No other DNS is running.
Seems to be working fine.
>
>The only other tricky thing can be if you have multiple Linux servers
>talking to the PDC.  It's possible for the winbind cache to get out of
>sync between all of them and the ACLs won't work since the machines
>don't have a consistent view of the user list.
>
>Oh, and since I'm on ACLs, are you using them?  If so, you may have a
>rude awakening as RHEL doesn't have ACL support built into smbd by
>default.  If you do "smbd -b", look at the output.  Verify that you
>have "HAVE_SYS_ACL_H" in the "System Headers" section.  If you don't
>see it, you don't have ACL support and you need to rebuild smbd from
>the source RPM or tarball and specify "--with-acl-support" in the
>"./configure" command.

I'm only running one Linux server at this time, probably not ever going
to run more than a couple for file services.  For now, I'm going to be
thrilled to get just one working well.

I dodged the bullet on the ACLs.  My samba has the correct entry in 
"System Headers".

>> When I join the linux machine to the windows PDC, I issue "net join -U
>> administrator".  Was I supposed to do a kinit on something first?
>
>First, you need to delete the Linux machine's machine account on the
>PDC,  Next, do the kinit to get a new Kerberos ticket.  THEN you do the
>"net join" to set up the login and passwords.

I deleted the prior join attempt and did a 'kinit administrator'.
The kinit failed however because of "KDC has no support for 
encryption type while getting initial credentials".  So I removed
the enctypes that were suggested in the first reply and tried again.
That seemed to work just fine.

When I then did the 'net join' it seemed to work except that it 
died a horrible death in glibc free() with an invalid
pointer.  It looks like it added to the ads anyway.

In fact, when I try to view the guardian machine from the windows server,
I get further than I have ever gotten in this configuration.  I can
actually see the shares!  This is progress.

HOWEVER, when I try to view a share, I get the following in the samba log
area under the IP address of the windows ads server:
    *** glibc detected *** smbd: free(): invalid pointer: 0x001bedb0 ***
    ======= Backtrace: =========
    /lib/libc.so.6[0x76d424]
    /lib/libc.so.6(__libc_free+0x77)[0x76d95f]
    /lib/libcom_err.so.2(remove_error_table+0x4b)[0x1e3abb]
    /usr/lib/libkrb5.so.3[0x15c8c4]
    /usr/lib/libkrb5.so.3[0x15c5c7]
    /usr/lib/libkrb5.so.3[0x1ad9da]
    /lib/ld-linux.so.2[0x5d0058]
    /lib/libc.so.6(exit+0xc5)[0x734c69]
    smbd(exit_server+0x25c)[0xad1ae6]
    smbd(main+0x995)[0xad26a1]
    /lib/libc.so.6(__libc_start_main+0xc6)[0x71ede6]
    smbd[0x8d04f1]
    ======= Memory map: ========

I snipped the Memory map area as it was pretty long.  It appears that
smbd takes a dive during a free operation.  This looks exactly like the
failure that I got at the end of the 'net join' command.

I did a 'yum update' hoping there was some fix out there that I
hadn't yet picked up.  All installed well, but same problem.

The failure happens every time.

So, what next?