version 5, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
JamesSpooner |
1 |
This page decribes how to install Kerberos on a Linux box to talk to an Windows 2000 or 2003 ActiveDirectory Server. |
| |
|
2 |
|
| |
|
3 |
! Required Software (Debian) |
| |
|
4 |
* libkrb5 |
| |
|
5 |
* krb5-user |
| |
|
6 |
* krb5-config |
| |
|
7 |
|
| |
|
8 |
! Configuring Kerberos |
| |
|
9 |
|
| |
|
10 |
This one was tricky and took a bit of fidgeting to get right, but here goes. As you will be able to see, we may need to create directories for the log files. Also note that the sections which are in uppercase __have__ to be in uppercase or the thing won't work. |
| |
|
11 |
|
| 3 |
JawnJim |
12 |
Use the following config file (in debian, redhat and suse at least). Be sure to use the same capitalisation. Also, if you are receiving the "UnknownHostException: some.host" you can use the IP address instead of the domain name for the kdc. |
| 1 |
JamesSpooner |
13 |
|
| 5 |
PerryLorier |
14 |
/etc/krb5.conf: |
| |
|
15 |
<verbatim> |
| |
|
16 |
[logging] |
| |
|
17 |
default = FILE:/var/log/krb5/libs.log |
| |
|
18 |
kdc = FILE:/var/log/krb5/kdc.log |
| |
|
19 |
admin_server = FILE:/var/log/krb5/admin.log |
| 1 |
JamesSpooner |
20 |
|
| 5 |
PerryLorier |
21 |
[libdefaults] |
| |
|
22 |
ticket_lifetime = 24000 |
| |
|
23 |
default_realm = THINCLIENT.TEST.ORG |
| |
|
24 |
default_tgs_enctypes = des-cbc-crc des-cbc-md5 |
| |
|
25 |
default_tkt_enctypes = des-cbc-crc des-cbc-md5 |
| |
|
26 |
forwardable = true |
| |
|
27 |
proxiable = true |
| |
|
28 |
dns_lookup_realm = true |
| |
|
29 |
dns_lookup_kdc = true |
| 1 |
JamesSpooner |
30 |
|
| 5 |
PerryLorier |
31 |
[realms] |
| |
|
32 |
THINCLIENT.TEST.ORG = { |
| |
|
33 |
kdc = test1.thinclient.test.org:88 |
| |
|
34 |
default_domain = thinclient.test.org |
| |
|
35 |
} |
| 1 |
JamesSpooner |
36 |
|
| 5 |
PerryLorier |
37 |
[domain_realm] |
| |
|
38 |
.thinclient.test.org = THINCLIENT.TEST.ORG |
| |
|
39 |
thinclient.test.org = THINCLIENT.TEST.ORG |
| 1 |
JamesSpooner |
40 |
|
| 5 |
PerryLorier |
41 |
[kdc] |
| |
|
42 |
profile = /var/kerberos/krb5kdc/kdc.conf |
| 1 |
JamesSpooner |
43 |
|
| 5 |
PerryLorier |
44 |
[pam] |
| |
|
45 |
debug = false |
| |
|
46 |
ticket_lifetime = 36000 |
| |
|
47 |
renew_lifetime = 36000 |
| |
|
48 |
forwardable = true |
| |
|
49 |
krb4_convert = false |
| |
|
50 |
</verbatim> |
| 1 |
JamesSpooner |
51 |
|
| 5 |
PerryLorier |
52 |
The second part of setting up the kerberos section is to make sure that kerberos is defined in our services file (<tt>/etc/services</tt>). It should contain a line along the following. |
| 1 |
JamesSpooner |
53 |
|
| 5 |
PerryLorier |
54 |
<verbatim> |
| 1 |
JamesSpooner |
55 |
kerberos 88/tcp kdc kerberos5 krb5 # Kerberos v5 |
| |
|
56 |
kerberos 88/udp kdc kerberos5 krb5 # Kerberos v5 |
| 5 |
PerryLorier |
57 |
</verbatim> |
| 1 |
JamesSpooner |
58 |
|
| |
|
59 |
! Testing the kerberos configuration |
| |
|
60 |
|
| |
|
61 |
You can use kinit to test your kerberos setup by issuing a ticket from the KDC. |
| |
|
62 |
|
| 5 |
PerryLorier |
63 |
<verbatim> |
| 1 |
JamesSpooner |
64 |
kinit Administrator@THINCLIENT.TEST.ORG |
| 5 |
PerryLorier |
65 |
</verbatim> |
| 1 |
JamesSpooner |
66 |
|
| |
|
67 |
This will prompt you for a password and return success if it succeeds. |
| 3 |
JawnJim |
68 |
If you get an error "KDC has no support for encryption type", you need to re-set the password for that windows user, typically Administrator (as in this example), just reset your password using Active Directory Users and Computers to your original password. |
| 4 |
MattCurtis |
69 |
|
| |
|
70 |
! Problems with Windows clients (IP address vs. name) |
| |
|
71 |
|
| |
|
72 |
We had a problem with Windows (XP SP2) clients not being able to access the Samba server by name, only by IP address. |
| |
|
73 |
|
| |
|
74 |
The Windows client worked if the dotted decimal IP address was used: |
| |
|
75 |
|
| 5 |
PerryLorier |
76 |
<verbatim> |
| |
|
77 |
C:\>net view \\192.168.10.4 |
| |
|
78 |
Shared resources at \\192.168.10.4 |
| |
|
79 |
</verbatim> |
| |
|
80 |
... ''good response elided'' ... |
| 4 |
MattCurtis |
81 |
|
| |
|
82 |
but not if the name was used: |
| |
|
83 |
|
| 5 |
PerryLorier |
84 |
<verbatim> |
| 4 |
MattCurtis |
85 |
C:\>net view \\spongebob |
| |
|
86 |
System error 5 has occurred. |
| |
|
87 |
Access is denied. |
| 5 |
PerryLorier |
88 |
</verbatim> |
| 4 |
MattCurtis |
89 |
|
| |
|
90 |
The Samba log had this error: |
| |
|
91 |
|
| 5 |
PerryLorier |
92 |
<verbatim> |
| |
|
93 |
[2005/05/31 11:56:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) |
| |
|
94 |
Failed to verify incoming ticket! |
| |
|
95 |
</verbatim> |
| 4 |
MattCurtis |
96 |
|
| |
|
97 |
The solution was to remove (comment out just in case!) the following 3 lines from krb5.conf: |
| |
|
98 |
|
| 5 |
PerryLorier |
99 |
<verbatim> |
| |
|
100 |
[libdefaults] |
| |
|
101 |
#default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| |
|
102 |
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| |
|
103 |
#permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| |
|
104 |
</verbatim> |
| 4 |
MattCurtis |
105 |
|
| 5 |
PerryLorier |
106 |
I found the solution after much searching [here | http://lists.backports.org/pipermail/backports/2004-October/001216.html] ("with newer krb5 libs you don't need ''these'' lines"). |
| 4 |
MattCurtis |
107 |
|
| |
|
108 |
|
| 2 |
CraigBox |
109 |
----- |
| |
|
110 |
CategoryInteroperability |
