I would also check your timezones (and daylight savings on the Windows
side). Also if you have access to a reliable NTP server, you should
really hook up the RedHat and your kdc box to it. It's a good idea to
have synced time for all sorts of other reasons, but especially for
avoiding Kerberos clockskew thresholds. I am not sure what the default
clockskew is, but you could play with it in the libdefaults section of
the file if you need.
--
George B. Magklaras
Senior Computer Systems Engineer/UNIX Systems Administrator
The Biotechnology Centre of Oslo,
University of Oslo
http://www.biotek.uio.no/
EMBnet Norway: http://www.biotek.uio.no/EMBNET/
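To make the skew check behind this error concrete, here is an added Python example (it is not code from this thread or from MIT krb5): it reads clockskew from the [libdefaults] section of a krb5.conf text modelled on the one quoted below, falls back to MIT krb5's default of 300 seconds when the line is commented out, and compares the two clocks from the thread as timezone-aware instants. The Windows `time` output below carries no zone, so the "one hour off" case is a constructed hypothesis showing why identical wall-clock digits do not rule out skew.

```python
import re
from datetime import datetime, timedelta, timezone

# MIT krb5 falls back to clockskew = 300 seconds when [libdefaults] does not set it.
DEFAULT_CLOCKSKEW = 300
# Constructed excerpt modelled on the krb5.conf quoted in the thread (clockskew commented out).
SAMPLE_KRB5_CONF = """
[libdefaults]
# clockskew = 300
[realms]
CACDOMAIN.BR.IBM.COM = {
kdc = win2k3-vm.cacdomain.br.ibm.com:88
}
"""

def configured_clockskew(krb5_conf: str) -> int:
    """Effective clockskew: an uncommented 'clockskew = N' in [libdefaults], else the default."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blanks and comments do not count
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)     # remember which section we are in
            continue
        if section == "libdefaults":
            kv = re.match(r"clockskew\s*=\s*(\d+)$", line)
            if kv:
                return int(kv.group(1))
    return DEFAULT_CLOCKSKEW

def skew_seconds(client: datetime, kdc: datetime) -> float:
    """Absolute offset between two timezone-aware instants, in seconds."""
    return abs((client - kdc).total_seconds())

def skew_within_limit(client: datetime, kdc: datetime, max_skew: int = DEFAULT_CLOCKSKEW) -> bool:
    """True when the KDC would still accept the request (skew <= clockskew)."""
    return skew_seconds(client, kdc) <= max_skew

# Times quoted in the thread. Linux reports BRT (UTC-3); the Windows 'time' output carries no
# zone, so two hypotheses are modelled: same zone, and a zone/DST setting that is one hour off.
BRT = timezone(timedelta(hours=-3))
linux_clock = datetime(2006, 7, 12, 14, 53, 53, tzinfo=BRT)
windows_same_zone = datetime(2006, 7, 12, 14, 53, 22, tzinfo=BRT)
windows_hour_off = datetime(2006, 7, 12, 14, 53, 22, tzinfo=timezone(timedelta(hours=-2)))

if __name__ == "__main__":
    limit = configured_clockskew(SAMPLE_KRB5_CONF)
    for label, kdc in (("same zone", windows_same_zone), ("zone off by 1h", windows_hour_off)):
        print(label, skew_seconds(linux_clock, kdc), skew_within_limit(linux_clock, kdc, limit))
```

With matching zones the clocks differ by 31 seconds and pass; with a one-hour zone or DST mismatch the same digits are 3631 seconds apart and fail the 300-second default.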
Fábio Augusto wrote:
Hello There!
I'm trying to configure a Red Hat AS 4 to authenticate via Kerberos on my
Windows 2003 Active Directory.

The solution is very simple: the users are going to be created on the Linux
machine (/etc/passwd) and only the password is going to be read from the
Active Directory.

I have configured the AD and the Windows machines can log on normally
into it.
My Linux configuration is based on the kerberos configuration file
/etc/krb5.conf, that follows:
[administrator@linux ~]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# clockskew = 300
default_realm = CACDOMAIN.BR.IBM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
CACDOMAIN.BR.IBM.COM = {
kdc = win2k3-vm.cacdomain.br.ibm.com:88
# admin_server = kerberos.example.com:749
default_domain = CACDOMAIN.BR.IBM.COM
}
[domain_realm]
.CACDOMAIN.BR.IBM.COM = CACDOMAIN.BR.IBM.COM
# example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

I'm using the command "#kinit username" to check if my configuration is
correct before changing the pam files to define that the Linux box is going to
look up the password in the Active Directory.

I could check that the password is being read from the Active Directory,
because I have created a user in /etc/passwd named administrator (the same
username exists in the AD) and when I type a wrong password it returns an
error reporting that the password is wrong, and if I try to use a user that
doesn't exist in the AD, it reports that too.
The problem happens when I try to use the correct username/password that
really exists at the Active Directory, so I receive the
following error message:
[administrator@linux ~]$ kinit
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
kinit(v5): Clock skew too great while getting initial credentials

Reading some reports of the same error on the Internet, I could check that
it means that my AD server clock has a different time
compared to my Linux Kerberos client.
I have checked the time on both machines and it's not so different (just
some seconds of difference):
- On Windows
C:\Documents and Settings\Administrator>time
The current time is: 14:53:22.29
Enter the new time
- On Linux
[administrator@linux ~]$ date
Wed Jul 12 14:53:53 BRT 2006

Do you have any idea about the problem that can cause this error message to
occur?
Best Regards,
Fabio Martins
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list