kerberos and openldap
Tim Judd
tajudd at gmail.com
Sun Feb 8 00:41:13 PST 2009
Alexey Beketov wrote:
> Hello, I'm trying to set up Samba to replace AD; I already have a working samba+ldap setup and am stuck with Kerberos.
> pkg_info:
> heimdal-1.0.1
> nss_ldap-1.264_1
> openldap-client-2.4.13
> openldap-server-2.4.13
>
>
> cat /etc/krb5.conf
> # [logging] header restored here; the quoted copy showed the three directives below outside any section
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
>
> [realms]
> DOMAIN.LOCAL = {
> admin_server = SERVER.DOMAIN.LOCAL
> default_domain = SERVER.DOMAIN.LOCAL
> kdc = SERVER.DOMAIN.LOCAL
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
>
>
> [kdc]
> database = {
> dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
> acl_file = /var/heimdal/kadmind.acl
> }
> addresses = 127.0.0.1 192.168.6.23
>
> cat /usr/local/etc/openldap/slapd.conf
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/hdb.schema
>
>
> pidfile /var/run/openldap/slapd.pid
>
> argsfile /var/run/openldap/slapd.args
>
> modulepath /usr/local/libexec/openldap
>
>
>
>
> loglevel 256
>
> logfile /var/db/openldap-data/slapd.log
>
>
> moduleload back_bdb
>
> allow update_anon
>
> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
> by self write
> by anonymous auth
> by * none
>
> access to *
> by self write
> by anonymous read
> by sockurl="^ldapi:///$" write
> by * none
> database bdb
>
> suffix "dc=domain,dc=local"
>
> rootdn "cn=admin,dc=domain,dc=local"
>
> rootpw {SSHA}somepasshehe
>
> directory /var/db/openldap-data
>
>
> index uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index objectClass eq
> #index cn eq,sub,pres
> #index uid eq,sub,pres
> index displayName eq,sub,pres
> index krb5PrincipalName eq
>
> server# kadmin -l
> kadmin> init DOMAIN.LOCAL
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
> kadmin> add admin
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> admin@DOMAIN.LOCAL's Password:
> Verifying - admin@DOMAIN.LOCAL's Password:
>
> *************************** error here ***********************
> admin@DOMAIN.LOCAL's Password:
> kinit: krb5_get_init_creds: Client (admin@DOMAIN.LOCAL) unknown
> ***********************************************************
>
> How do I fix the error?
Have you read the FreeBSD Handbook chapter on Kerberos?
Have you set up the SRV records in DNS for Kerberos?
Those would be my first places to check. I'm not dedicating myself to
doing an open-source AD replacement, but it is something on my list that I
want to do soon. Your help and input would be appreciated, given that it's
my goal soon too.
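Tim's second question is about the Kerberos SRV records. The script below is an added example, not part of either post: it parses the client part of the krb5.conf quoted above (with the [logging] header the quoted copy lacks; hostnames are the poster's) and prints, in zone-file syntax, the TXT and SRV records the FreeBSD Handbook has you publish for a realm, so the output can be compared line by line with what `dig` returns. The ports are the standard ones (88 per RFC 4120, 464 for kpasswd per RFC 3244, 749 for Heimdal's kadmind). SRV records are what clients without explicit kdc= lines use to find the KDC; the poster's krb5.conf names it explicitly, so these records are a checklist item rather than a stated cause of the "Client unknown" error.

```python
"""Work out the Kerberos DNS records a realm should publish, from krb5.conf.

Added example, not from the post. The embedded krb5.conf is constructed from
the client sections quoted in the thread, plus the [logging] header."""

KRB5_CONF = """
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
    admin_server = SERVER.DOMAIN.LOCAL
    default_domain = SERVER.DOMAIN.LOCAL
    kdc = SERVER.DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    'name = { ... }' blocks (as used under [realms] and [kdc]). Values are
    kept as lists because keys such as kdc may repeat. A key that appears
    before any section header (the shape of the quoted config) is an error."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            raise ValueError(f"{line!r} appears before any [section] header")
        if line == "}":
            block = None
        elif "{" in line:
            name, rest = line.split("{", 1)
            block = section.setdefault(name.split("=", 1)[0].strip(), {})
            if rest.strip():  # 'REALM = { key = value' written on one line
                key, value = (s.strip() for s in rest.split("=", 1))
                block.setdefault(key, []).append(value)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(value)
    return conf


def zone_for_realm(conf, realm):
    """DNS zone mapped to the realm in [domain_realm]; falls back to the
    lower-cased realm name."""
    for domain, realms in conf.get("domain_realm", {}).items():
        if realm in realms:
            return domain.lstrip(".")
    return realm.lower()


def expected_dns_records(conf, realm=None):
    """Zone-file lines for the realm: a TXT record naming the realm, SRV
    records for each kdc= host (88/udp and 88/tcp) and for each
    admin_server= host (kadmin 749/tcp, kpasswd 464/udp)."""
    realm = realm or conf["libdefaults"]["default_realm"][0]
    zone = zone_for_realm(conf, realm)
    entry = conf["realms"][realm]

    def host(h):  # drop an optional :port suffix, normalise case
        return h.split(":")[0].lower()

    records = [f'_kerberos.{zone}. IN TXT "{realm}"']
    for h in entry.get("kdc", []):
        records.append(f"_kerberos._udp.{zone}. IN SRV 0 0 88 {host(h)}.")
        records.append(f"_kerberos._tcp.{zone}. IN SRV 0 0 88 {host(h)}.")
    for h in entry.get("admin_server", []):
        records.append(f"_kerberos-adm._tcp.{zone}. IN SRV 0 0 749 {host(h)}.")
        records.append(f"_kpasswd._udp.{zone}. IN SRV 0 0 464 {host(h)}.")
    return records


if __name__ == "__main__":
    for rec in expected_dns_records(parse_krb5_conf(KRB5_CONF)):
        print(rec)
```

Each printed line can be checked with `dig SRV _kerberos._udp.domain.local` (and the TXT record with `dig TXT _kerberos.domain.local`) against the DNS the clients actually use.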
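One thing in the quoted slapd.conf deserves a check that neither post makes: with hdb.schema loaded, Heimdal's LDAP backend stores each principal's keys in the krb5Key attribute, and the posted ACL only shields userPassword, shadowLastChange and the two Samba hashes, so krb5Key falls through to `access to *` and `by anonymous read`. The following script is an added example, not code from the thread: it evaluates slapd's first-match ACL semantics for an anonymous bind against the stanzas as posted (constructed from the quote) and against a hardened variant that exposes krb5Key only over the local ldapi socket, which is the path the posted sockurl clause already grants write on. The attribute name assumes Heimdal's hdb.schema; the ldapi assumption is that the KDC and kadmin bind over that socket, as the posted ACL intends.

```python
"""Lint slapd.conf 'access to' stanzas for what an anonymous bind can do
to sensitive attributes.

Added example, not from the post. Both ACL texts are constructed: the first
reproduces the stanzas quoted in the thread, the second is a hardened
variant. krb5Key is where Heimdal's hdb-ldap backend keeps principal keys
(assumption: hdb.schema as shipped with Heimdal 1.x)."""
import re

# slapd access levels, weakest to strongest (slapd.access(5)); symbolic form only.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Attributes an anonymous bind must never be able to read on a samba+heimdal tree.
SENSITIVE = ["userPassword", "sambaNTPassword", "sambaLMPassword", "krb5Key"]

# Constructed from the post. krb5Key is absent from the first stanza, so it
# falls through to 'access to *', where anonymous is granted read.
POSTED_ACL = """
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous read
    by sockurl="^ldapi:///$" write
    by * none
"""

# Constructed hardened variant: krb5Key reachable only over the local ldapi
# socket (assumed to be how the KDC and kadmin bind); everything else unchanged.
HARDENED_ACL = """
access to attrs=krb5Key
    by sockurl="^ldapi:///$" write
    by * none
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous read
    by sockurl="^ldapi:///$" write
    by * none
"""


def parse_acls(text):
    """Return [(attrs, [(who, level), ...])]; attrs is None for 'access to *'.
    Only the 'attrs=' and '*' target forms used in the post are handled."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            if target == "*":
                attrs = None
            else:
                m = re.fullmatch(r"attrs=([\w,]+)", target)
                if not m:
                    raise ValueError(f"unsupported target: {target}")
                attrs = {a.lower() for a in m.group(1).split(",")}
            acls.append((attrs, []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, level))
    return acls


def anonymous_access(acls, attr):
    """Access an anonymous bind gets to attr. slapd semantics: the first
    'access to' whose target covers the attribute is used, and within it the
    first 'by' clause matching the requester; anonymous matches 'anonymous'
    and '*'. No matching clause, or no matching directive, yields 'none'."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who in ("anonymous", "*"):
                return level
        return "none"
    return "none"


def anonymously_readable(text, attrs=SENSITIVE):
    """Sensitive attributes an anonymous bind can read (or better) under text."""
    acls = parse_acls(text)
    return sorted(a for a in attrs
                  if LEVELS.index(anonymous_access(acls, a)) >= LEVELS.index("read"))


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name}: anonymous can read {anonymously_readable(acl) or 'nothing sensitive'}")
```

The hardened variant keeps `by anonymous read` on the rest of the tree because nss_ldap in the posted setup relies on anonymous lookups; it only carves krb5Key out ahead of the catch-all. Separately, `allow update_anon` in the posted slapd.conf lets unauthenticated clients submit update operations at all (the ACLs still decide whether they succeed); nothing in the posted setup needs it, so it is safer removed.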
More information about the freebsd-questions mailing list