kerberos and openldap
Alexey Beketov
opt1k2 at mail.ru
Sat Feb 7 18:19:02 PST 2009
Hello, I'm trying to set up Samba to replace AD; I already have a working samba+ldap and am stuck with Kerberos.
pkg_info:
heimdal-1.0.1
nss_ldap-1.264_1
openldap-client-2.4.13
openldap-server-2.4.13
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
admin_server = SERVER.DOMAIN.LOCAL
default_domain = SERVER.DOMAIN.LOCAL
kdc = SERVER.DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
[kdc]
database = {
dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
acl_file = /var/heimdal/kadmind.acl
}
addresses = 127.0.0.1 192.168.6.23
cat /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/hdb.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
loglevel 256
logfile /var/db/openldap-data/slapd.log
moduleload back_bdb
allow update_anon
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
access to *
by self write
by anonymous read
by sockurl="^ldapi:///$" write
by * none
database bdb
suffix "dc=domain,dc=local"
rootdn "cn=admin,dc=domain,dc=local"
rootpw {SSHA}somepasshehe
directory /var/db/openldap-data
index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
#index cn eq,sub,pres
#index uid eq,sub,pres
index displayName eq,sub,pres
index krb5PrincipalName eq
server# kadmin -l
kadmin> init DOMAIN.LOCAL
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
admin@DOMAIN.LOCAL's Password:
Verifying - admin@DOMAIN.LOCAL's Password:
*************************** error here ***********************
admin@DOMAIN.LOCAL's Password:
kinit: krb5_get_init_creds: Client (admin@DOMAIN.LOCAL) unknown
***********************************************************
How do I fix the error?
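The kinit failure means the KDC did not find the principal kadmin just stored, so the first thing to rule out is a mismatch between what the KDC is told in krb5.conf and what slapd actually exposes. Below is an added example, not code from the post or from the Heimdal or OpenLDAP projects, that parses constructed copies of the two configs above and cross-checks them: is the hdb base DN under the slapd suffix, is krb5PrincipalName equality-indexed, and what access does the KDC get over the ldapi socket for the attributes it must write. The constructed krb5.conf assumes the [logging] header the post's listing lost, and the ACL evaluation assumes the KDC binds over ldapi as a SASL EXTERNAL peer (so neither the self nor the anonymous clauses match it); krb5Key and krb5PrincipalName are the hdb.schema attributes the KDC writes.

```python
import re

# Constructed copies of the two configs from the post (trimmed; [logging]
# header assumed, realm block split onto separate lines).
KRB5_CONF = """\
[logging]
kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
admin_server = SERVER.DOMAIN.LOCAL
kdc = SERVER.DOMAIN.LOCAL
}
[kdc]
database = {
dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
acl_file = /var/heimdal/kadmind.acl
}
addresses = 127.0.0.1 192.168.6.23
"""

SLAPD_CONF = """\
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
access to *
by self write
by anonymous read
by sockurl="^ldapi:///$" write
by * none
database bdb
suffix "dc=domain,dc=local"
index krb5PrincipalName eq
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts: section -> key -> value or {sub-block}."""
    root, stack = {}, [{}]                      # stack[-1] is the block being filled
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                   # new top-level [section]
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == '}':                         # end of a { } sub-block
            stack.pop()
            continue
        key, _, value = line.partition('=')     # first '=' only: values may contain '='
        key, value = key.strip(), value.strip()
        if value == '{':
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def parse_slapd_conf(text):
    """Extract only what the cross-check needs: suffix, indexes, access rules."""
    cfg = {'suffix': None, 'indexes': {}, 'access': []}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        directive, _, rest = line.partition(' ')
        rest = rest.strip()
        if directive == 'suffix':
            cfg['suffix'] = rest.strip('"')
        elif directive == 'index':
            attrs, _, kinds = rest.partition(' ')
            for attr in attrs.split(','):
                cfg['indexes'][attr] = kinds.strip().split(',')
        elif directive == 'access':
            to = rest[len('to '):] if rest.startswith('to ') else rest
            cfg['access'].append({'to': to.strip(), 'by': []})
        elif directive == 'by' and cfg['access']:
            who, _, level = rest.rpartition(' ')
            cfg['access'][-1]['by'].append((who.strip(), level.strip()))
    return cfg


def ldapi_level(slapd, attr):
    """Access a SASL EXTERNAL peer on the ldapi socket (assumed: the KDC) gets on attr.

    Such a peer is neither 'self' nor 'anonymous', so only sockurl= and '*' clauses
    can match. OpenLDAP uses the first rule whose 'to' matches and the first
    matching 'by' clause inside it; no matching clause means no access.
    """
    for rule in slapd['access']:
        to = rule['to']
        if to == '*' or (to.startswith('attrs=') and attr in to[len('attrs='):].split(',')):
            for who, level in rule['by']:
                if who == '*' or (who.startswith('sockurl=') and 'ldapi' in who):
                    return level
            return 'none'
    return 'none'


def cross_check(krb5, slapd):
    """Return a list of mismatches between the KDC's hdb-ldap settings and slapd."""
    findings = []
    dbname = krb5.get('kdc', {}).get('database', {}).get('dbname', '')
    if not dbname.startswith('ldap:'):
        return ['[kdc] database dbname %r is not the LDAP backend' % dbname]
    base_dn, suffix = dbname[len('ldap:'):], slapd['suffix'] or ''
    if not base_dn.lower().endswith(suffix.lower()):
        findings.append('hdb base %s lies outside slapd suffix %s' % (base_dn, suffix))
    if 'eq' not in slapd['indexes'].get('krb5PrincipalName', []):
        findings.append('no eq index on krb5PrincipalName (principal lookups unindexed)')
    # krb5Key/krb5PrincipalName (hdb.schema) are what the KDC must write;
    # sambaNTPassword and userPassword matter only if the KDC is expected to
    # keep Samba's hashes in sync, and here they sit behind the password rule.
    for attr in ('krb5Key', 'krb5PrincipalName', 'sambaNTPassword', 'userPassword'):
        level = ldapi_level(slapd, attr)
        if level != 'write':
            findings.append('ldapi peer gets "%s", not write, on %s' % (level, attr))
    return findings


if __name__ == '__main__':
    for finding in cross_check(parse_krb5_conf(KRB5_CONF), parse_slapd_conf(SLAPD_CONF)):
        print('-', finding)
```

On the post's configs this reports only that the ldapi peer has no write access to sambaNTPassword and userPassword, which explains nothing about the kinit failure by itself but is worth knowing before Samba is expected to share the password store. What the script cannot tell you is whether the admin principal actually landed in the directory: that needs an ldapsearch under ou=KerberosPrincipals for the krb5PrincipalName entry, followed by a check that the running kdc process is started with the same [kdc] database settings kadmin -l used.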