On Wednesday, 12.11.2008, at 21:19 +0100, John Jasen wrote:

> net ads join -U $adminaccount
> net ads keytab create -U $adminaccount
>
> kinit host/$fqdn
> kinit(v5): Client not found in Kerberos database while getting credentials
>
> kinit host/$hostname
> kinit(v5): Client not found in Kerberos database while getting credentials
>
> Are you using the stock samba that comes with RHEL4 and RHEL5?
>
> What version of windows is your DC?
>

Hm, that looks like you use it wrong; that's how we do it:

# Join domain
net ads join -U [EMAIL PROTECTED]
# Log in as admin
kinit [EMAIL PROTECTED]

# after that you have a ticket-granting ticket:
[EMAIL PROTECTED] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/13/08 10:19:51  11/13/08 20:19:56  krbtgt/[EMAIL PROTECTED]
        renew until 11/14/08 10:19:51


For apache we did:
# if you did kinit before skip this one
[EMAIL PROTECTED] ~] kinit [EMAIL PROTECTED]
# get a service keytab entry and register service principal on DC
[EMAIL PROTECTED] ~]# net ads keytab add HTTP

after that you have a service keytab entry:
[EMAIL PROTECTED] ~]# klist -k
[...]
   6 HTTP/[EMAIL PROTECTED]
   6 HTTP/[EMAIL PROTECTED]
   6 HTTP/[EMAIL PROTECTED]
[...]



So kinit is used for [EMAIL PROTECTED], not service/[EMAIL PROTECTED]. This works
on C4 and C5. mod_auth_krb has some minor problems though (AuthGroupFile
files not working; in C4, password logins require "KrbVerifyKDC off":
http://bugs.centos.org/view.php?id=2453).




financial.com AG

Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany
Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany
Management board/Vorstand: Dr. Steffen Boehnert (CEO/Vorsitzender) | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach
Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender)
Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
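
Added example, not part of the original message: a small check, run after `net ads keytab add HTTP`, that reads `klist -k` output and confirms the service principal is in the keytab. The host name, realm and sample listing are constructed placeholders, and treating mixed KVNOs as a warning is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (placeholder host and realm).
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   6 host/web01.example.com@EXAMPLE.COM
   6 HTTP/web01.example.com@EXAMPLE.COM
   6 HTTP/web01.example.com@EXAMPLE.COM
   6 HTTP/web01.example.com@EXAMPLE.COM'

# keytab_entries SERVICE FQDN REALM   (reads `klist -k` text on stdin)
# Prints "<kvno> <count>" for each key version of SERVICE/FQDN@REALM.
# The comparison is exact: principal names are case-sensitive.
keytab_entries() {
    awk -v want="$1/$2@$3" '
        # Entry lines look like: "   6 HTTP/host@REALM"
        $1 ~ /^[0-9]+$/ && $2 == want { n[$1]++ }
        END { for (k in n) print k, n[k] }
    ' | sort -n
}

# keytab_status SERVICE FQDN REALM    (reads `klist -k` text on stdin)
# Returns 0 = present with one key version, 1 = missing,
#         2 = several key versions (older entries may be stale).
keytab_status() {
    versions=$(( $(keytab_entries "$@" | wc -l) ))
    if [ "$versions" -eq 0 ]; then
        echo "missing: $1/$2@$3 (log in with kinit, then: net ads keytab add $1)"
        return 1
    elif [ "$versions" -gt 1 ]; then
        echo "warning: $1/$2@$3 has $versions different KVNOs"
        return 2
    fi
    echo "ok: $1/$2@$3"
}

# Demo on the constructed sample. On a real host, pipe the live listing:
#   klist -k | keytab_status HTTP "$(hostname -f)" YOUR.REALM
printf '%s\n' "$SAMPLE" | keytab_status HTTP web01.example.com EXAMPLE.COM
```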
