Alexey Beketov wrote:
Hello, I'm trying to set up Samba to replace AD; I already have working
samba+ldap and am stuck with Kerberos.
pkg_info:
heimdal-1.0.1
nss_ldap-1.264_1
openldap-client-2.4.13
openldap-server-2.4.13


cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
    admin_server = SERVER.DOMAIN.LOCAL
    default_domain = SERVER.DOMAIN.LOCAL
    kdc = SERVER.DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL


[kdc]
database = {
           dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
           acl_file = /var/heimdal/kadmind.acl
           }
addresses = 127.0.0.1 192.168.6.23

cat /usr/local/etc/openldap/slapd.conf
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/hdb.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/local/libexec/openldap

loglevel        256
logfile         /var/db/openldap-data/slapd.log

moduleload      back_bdb

allow update_anon

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none

access to *
        by self write
        by anonymous read
        by sockurl="^ldapi:///$" write
        by * none
database        bdb

suffix          "dc=domain,dc=local"

rootdn          "cn=admin,dc=domain,dc=local"

rootpw          {SSHA}somepasshehe

directory       /var/db/openldap-data


index         uid,uidNumber,gidNumber,memberUid   eq
index         cn,mail,surname,givenname           eq,subinitial
index         sambaSID                            eq
index         sambaPrimaryGroupSID                eq
index         sambaDomainName                     eq
index   objectClass             eq
#index  cn                      eq,sub,pres
#index  uid                     eq,sub,pres
index   displayName             eq,sub,pres
index   krb5PrincipalName       eq

server# kadmin -l
kadmin> init DOMAIN.LOCAL
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
ad...@domain.local's Password: Verifying - ad...@domain.local's Password:
***************************error here**********************
ad...@domain.local's Password: kinit: krb5_get_init_creds: Client (ad...@domain.local) unknown
***********************************************************

How do I fix the error?

Have you read the FreeBSD handbook about Kerberos?
Have you set up the SRV records in DNS for Kerberos?

Those would be my first places to check. I'm not dedicating myself to doing an open-source AD replacement, but it is something on my list that I want to do soon. Your help and input would be appreciated, given that it is my goal soon too.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
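A small diagnostic for the two things worth checking here, added as an example and not part of the thread: whether DNS advertises the KDC via the SRV record the reply mentions, and whether the `admin` principal that `kadmin -l add` was supposed to create actually landed in the LDAP subtree named as `dbname` in the posted krb5.conf (a KDC answering "Client unknown" cannot find the principal in its database). Host, realm and base DN are taken from the configs above; `dig` and `ldapsearch` are assumed to be installed, and the anonymous read granted by the posted slapd.conf is assumed for the LDAP query.

```shell
#!/bin/sh
# Added example, not from the original thread. Names are taken from the
# krb5.conf/slapd.conf posted above; dig and ldapsearch are assumed present.
REALM=DOMAIN.LOCAL
DNS_DOMAIN=domain.local
KDC_HOST=server.domain.local
PRINC_BASE="ou=KerberosPrincipals,dc=domain,dc=local"
# Expected zone entry:
#   _kerberos._udp.domain.local. IN SRV 0 0 88 server.domain.local.

# srv_has_kdc DIG_OUTPUT: `dig +short SRV` prints "prio weight port target."
# per record; succeed only if KDC_HOST is advertised on port 88.
srv_has_kdc() {
    printf '%s\n' "$1" | awk -v host="$KDC_HOST." '
        $3 == 88 && tolower($4) == host { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldif_has_principal LDIF PRINCIPAL: succeed if the ldapsearch output
# contains an entry whose krb5PrincipalName is exactly PRINCIPAL.
ldif_has_principal() {
    printf '%s\n' "$1" | grep -qixF "krb5PrincipalName: $2"
}

# Live checks; these need the DNS server and slapd to be reachable.
check_live() {
    srv=$(dig +short SRV "_kerberos._udp.$DNS_DOMAIN")
    if srv_has_kdc "$srv"; then
        echo "OK   SRV _kerberos._udp.$DNS_DOMAIN -> $KDC_HOST:88"
    else
        echo "FAIL no SRV record for $KDC_HOST:88 (got: ${srv:-nothing})"
    fi

    ldif=$(ldapsearch -x -LLL -b "$PRINC_BASE" \
        "(krb5PrincipalName=admin@$REALM)" krb5PrincipalName)
    if ldif_has_principal "$ldif" "admin@$REALM"; then
        echo "OK   admin@$REALM is stored under $PRINC_BASE"
    else
        echo "FAIL admin@$REALM not under $PRINC_BASE: kadmin add never reached LDAP"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run with `--live` on the KDC host; without it the script only defines the check functions so they can be exercised against captured `dig` and `ldapsearch` output.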