Re: Kerberos/LDAP authentication no longer working in 5.6?




On Wed, 13 Apr 2011, Alain Péan wrote:

> Hi John,
>
> There are only two realms I mentioned, LAB-LPP.LOCAL and
> TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed,
> pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is
> also pc-2003-test.test-lpp.local.
>
> 'kinit <username>' works:
> [root@centos-test etc]# kinit pean
> Password for pean@xxxxxxxxxxxxxx:
> [root@centos-test etc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: pean@xxxxxxxxxxxxxx
>
> Valid starting     Expires            Service principal
> 04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@xxxxxxxxxxxxxx
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> But nevertheless, it is asking for a password when I issue the 'net ads
> join -U pean' command...
>
> As you understood, my KDC server is a Windows 2003 R2 Active Directory
> server. I don't understand where it is looking for the credentials. I
> tried to create the krb5.keytab with ktpass on the Windows server, and
> replace the one on centos-test, but it does not work either. There
> is something, perhaps obvious, I miss. I also tried with 'validate =
> true' in /etc/krb5.conf, but with no success.

Have you tried with validate = false?

I'd expect that to work, but it's not what you want to be doing long term.

> I found also that there is a 'krb5.conf.TEST-LPP' file in
> /var/lib/samba/smb_krb5, and this one is certainly used by samba (I
> replaced the old version with samba3x, 3.5.4, and put 'kerberos method =
> secrets and keytab' instead of 'use kerberos keytab = true', which I used
> previously).

Does that config file conflict in any way with the system krb5.conf?

> I don't know if you, or anyone else, have an idea?

Ah, I'm using samba-common-3.0.33 for the join, not samba3x, so there are
possibly some subtle differences.

The join is reliant on /etc/samba/smb.conf (and presumably that
krb5.conf.TEST-LPP) though, so you'd need to double check that's all correct.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
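The reply above asks whether Samba's generated krb5.conf.TEST-LPP conflicts with the system krb5.conf, and whether smb.conf is right for the join. The script below is an added example, not code from the thread or from Samba: it pulls the realm, KDC and join-related settings out of all three files and reports any disagreement, so the check can be run before retrying 'net ads join'. It assumes bash and awk; the three file paths are parameters, and the configs written by make_samples are constructed for offline use, with only the realm name and DC hostname taken from the thread.

```shell
#!/bin/bash
# Added example, not code from the thread or from Samba. Cross-checks the
# realm settings 'net ads join' depends on across the three files discussed:
#   /etc/krb5.conf, /etc/samba/smb.conf and the Samba-generated
#   /var/lib/samba/smb_krb5/krb5.conf.<REALM>.
# Sample files written by make_samples are constructed for offline use.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# krb5.conf and smb.conf are both ini-style; keys match case-insensitively,
# whitespace around '=' is ignored and '#'/';' comment lines are skipped.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insect = (tolower(s) == tolower(sect)); next
        }
        insect && /=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# kdc_for_realm FILE REALM: print the first 'kdc =' inside the
# "REALM = { ... }" block of [realms], or nothing if the realm is absent.
kdc_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { insect = (tolower($0) ~ /\[realms\]/); next }
        insect && !inrealm && /\{/ {
            r = $0; sub(/[ \t]*=.*$/, "", r); sub(/^[ \t]*/, "", r)
            if (tolower(r) == tolower(realm)) inrealm = 1
            next
        }
        inrealm && /\}/ { exit }
        inrealm && /^[ \t]*kdc[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit
        }' "$1"
}

# check_join_config SYS_KRB5 SMB_CONF SAMBA_KRB5
# Prints one line per disagreement; returns 0 only if all three files agree.
check_join_config() {
    local sys_krb5=$1 smb_conf=$2 samba_krb5=$3 rc=0
    local sys_realm smb_realm samba_realm sec method sys_kdc samba_kdc
    sys_realm=$(ini_get "$sys_krb5" libdefaults default_realm)
    smb_realm=$(ini_get "$smb_conf" global realm)
    samba_realm=$(ini_get "$samba_krb5" libdefaults default_realm)
    sec=$(ini_get "$smb_conf" global security)
    method=$(ini_get "$smb_conf" global "kerberos method")
    sys_kdc=$(kdc_for_realm "$sys_krb5" "$smb_realm")
    samba_kdc=$(kdc_for_realm "$samba_krb5" "$smb_realm")

    # Kerberos realm names are case-sensitive; an AD realm is upper-case.
    [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr a-z A-Z)" ] ||
        { echo "smb.conf realm '$smb_realm' is not upper-case"; rc=1; }
    [ "$(printf '%s' "$sec" | tr A-Z a-z)" = ads ] ||
        { echo "smb.conf security = '$sec'; 'net ads join' needs security = ads"; rc=1; }
    [ "$sys_realm" = "$smb_realm" ] ||
        { echo "system default_realm '$sys_realm' != smb.conf realm '$smb_realm'"; rc=1; }
    [ -z "$samba_realm" ] || [ "$samba_realm" = "$smb_realm" ] ||
        { echo "Samba's krb5.conf default_realm '$samba_realm' != smb.conf realm '$smb_realm'"; rc=1; }
    [ -z "$sys_kdc" ] || [ -z "$samba_kdc" ] || [ "$sys_kdc" = "$samba_kdc" ] ||
        { echo "kdc for $smb_realm differs: system '$sys_kdc', Samba '$samba_kdc'"; rc=1; }
    [ -n "$method" ] || echo "note: 'kerberos method' not set in smb.conf; Samba's default applies"
    return $rc
}

# make_samples DIR SAMBA_REALM: write constructed configs into DIR. SAMBA_REALM
# sets default_realm in the Samba-generated file, so a stale file left over
# from the other realm in the thread can be simulated.
make_samples() {
    mkdir -p "$1"
    cat >"$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = TEST-LPP.LOCAL
[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
 }
EOF
    cat >"$1/smb.conf" <<'EOF'
[global]
 workgroup = TEST-LPP
 realm = TEST-LPP.LOCAL
 security = ads
 kerberos method = secrets and keytab
EOF
    cat >"$1/krb5.conf.TEST-LPP" <<EOF
[libdefaults]
 default_realm = $2
[realms]
 $2 = {
  kdc = pc-2003-test.test-lpp.local
 }
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp/good" TEST-LPP.LOCAL
make_samples "$tmp/stale" LAB-LPP.LOCAL   # generated file from the other realm
for d in good stale; do
    echo "== $d =="
    if check_join_config "$tmp/$d/krb5.conf" "$tmp/$d/smb.conf" "$tmp/$d/krb5.conf.TEST-LPP"; then
        echo "all three files agree"
    fi
done
rm -rf "$tmp"
```

On a real host call check_join_config with /etc/krb5.conf, /etc/samba/smb.conf and the krb5.conf.<REALM> file under /var/lib/samba/smb_krb5; the "stale" run shows the kind of mismatch a leftover file from the other realm produces.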
