Linux authenticating on AD via Kerberos

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello There!

I'm trying to configure a Red Hat AS 4 to authenticate via Kerberos on my
Windows 2003 Active Diretory
.
The solution is very simple, the users are going to be created on the Linux
machine (/etc/passwd) and only the password is goingt to be read from the
Active Directory
.
I have configured the AD and the Windows machines can logon normally into it
.
My Linux configuration is based on the kerberos configuration file
/etc/krb5.conf, that follows:

[administrator@linux ~]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# clockskew = 300
default_realm = CACDOMAIN.BR.IBM.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
CACDOMAIN.BR.IBM.COM = {
 kdc = win2k3-vm.cacdomain.br.ibm.com:88
#  admin_server = kerberos.example.com:749
 default_domain = CACDOMAIN.BR.IBM.COM
}

[domain_realm]
.CACDOMAIN.BR.IBM.COM = CACDOMAIN.BR.IBM.COM
# example.com = EXAMPLE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}


.
I'm using the command "#kinit username" to check if my configuration is
correct before changing the pam files to define that the linux is going to
search for the password at the Active Directory
.
I could check that the password is being read from the active directory,
because I have created an user at /etc/passwd named administrator (the same
username exists on the AD) and when I type a wrong password it returns an
error reporting that the password is wrong and if I try to use an user that
doesn't exists in the AD, it reports it too
.
The problem happens when I try to use the correct username/password that
really exists at the Active Directory, so I receive the
following error message:

[administrator@linux ~]$ kinit
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
kinit(v5): Clock skew too great while getting initial credentials


.
Reading some reports of the same error at the Internet, I could check that
it means that my AD Server clock has a different time
comparing to my linux kerberos client
.
I have checked the time on both machines and it's not so different (just
some seconds of difference):

- On Windows

C:\Documents and Settings\Administrator>time
The current time is: 14:53:22.29
Enter the new time

- On Linux

[administrator@linux ~]$ date
Wed Jul 12 14:53:53 BRT 2006

.
Do you have any idea about the problem that can cause this error message to
occur?

Best Regards,
Fabio Martins

--
Fábio Augusto Miranda Martins
E-mail: fabiomirmar@xxxxxxxxx
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subjecthttps://www.redhat.com/mailman/listinfo/redhat-list


[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux