[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?
Alain Péan
alain.pean at lpp.polytechnique.fr
Wed Apr 13 09:54:52 UTC 2011
On 13/04/2011 11:35, John Hodrien wrote:
> On Tue, 12 Apr 2011, Alain Péan wrote:
>
>> On 12/04/2011 22:03, John Hodrien wrote:
>>> On Tue, 12 Apr 2011, Alain Péan wrote:
>>>
>>>> Indeed, nothing fails now. I want my users to authenticate against
>>>> Active Directory, and it works, and I would like them to be able to
>>>> use their Kerberos credentials, if they need, to access domain resources,
>>>> such as shares. But I have still to see a problem there..
>>>>
>>>> Thanks again for your help and your comments !
>>>
>>> So is it all working after taking out the ldap auth? With it in
>>> you'll not be
>>> generating kerberos tickets if there's anything wrong with your
>>> kerberos
>>> setup.
>>>
>>> jh
>>
>> No, you are right, things do not work as I expect. When I disable
>> ldapauth, I cannot authenticate. So kerberos is not working.
>> I have kerberos error messages with samba when I try to join AD domain
>> with net ads join. But net rpc join succeeds.
>> # net ads join -U pean -d3
>> ....
>> [2011/04/12 22:19:45.797972, 3] libads/sasl.c:790(ads_sasl_spnego_bind)
>> ads_sasl_spnego_bind: got server principal name =
>> pc-2003-test$@TEST-LPP.LOCAL
>> [2011/04/12 22:19:45.798331, 3] libsmb/clikrb5.c:698(ads_krb5_mk_req)
>> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
>> found)
>> [2011/04/12 22:19:45.811493, 1] libsmb/clikrb5.c:710(ads_krb5_mk_req)
>> ads_krb5_mk_req: smb_krb5_get_credentials failed for
>> pc-2003-test$@TEST-LPP.LOCAL (Cannot find ticket for requested realm)
>> ....
>>
>> Why 'no credential cache found' ?
>> I would like to solve this annoying problem. Why is it no longer working
>> after upgrading to 5.6?
>
> I'm afraid you've cooked my brain with all the realms you've
> mentioned, so I'm
> not entirely clear what's going on.
>
> It's complaining about your kdc.
>
> Is pc-2003-test the KDC for the TEST-LPP.LOCAL realm, or is it KDC for
> the
> LAB-LPP.LOCAL realm? Is its FQDN pc-2003-test.test-lpp.local?
>
> Without worrying about the join, does 'kinit <username>' work?
>
> jh
Hi John,
There are only two realms I mentioned, LAB-LPP.LOCAL and
TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed,
pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The FQDN is
also pc-2003-test.test-lpp.local.
'kinit <username>' works:
[root@centos-test etc]# kinit pean
Password for pean@TEST-LPP.LOCAL:
[root@centos-test etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
But nevertheless, it is asking for a password when I issue the 'net ads
join -U pean' command...
As you understood, my KDC server is a Windows 2003 R2 Active Directory
server. I don't understand where it is looking for the credentials. I
tried to create the krb5.keytab with ktpass on the Windows server and
replace the one on centos-test, but it does not work either. There
is something, perhaps obvious, that I miss. I also tried with 'validate =
true' in /etc/krb5.conf, but with no success.
I also found that there is a 'krb5.conf.TEST-LPP' file in
/var/lib/samba/smb_krb5, and this one is certainly used by Samba (I
replaced the old version with samba3x, 3.5.4, and put 'kerberos method =
secrets and keytab' instead of the 'use kerberos keytab = true' that I used
previously).
I don't know if you, or anyone else, have an idea?
Alain
--
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
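The errors in this thread ("No credentials cache found", "Cannot find ticket for requested realm") come down to a mismatch between the realm of the TGT that kinit obtained and the realm Samba derives for the server principal it wants a service ticket for. The following shell script, added here as an example and not part of the original post or of Samba, checks that alignment offline: it parses a krb5.conf body for default_realm and the [domain_realm] mapping (walking from the exact host to each parent domain with a leading dot, the order libkrb5 uses), parses klist output for the krbtgt realm, and reports where they disagree. The krb5.conf fragment and klist output are constructed from the values quoted in the thread; the [domain_realm] entries and the dns_lookup_kdc setting are assumptions, not taken from the original message.

```shell
#!/bin/sh
# Added example (not from the original post): check that the Kerberos
# credential cache, krb5.conf default_realm and [domain_realm] mapping agree
# before running 'net ads join'.

# Constructed krb5.conf body modelled on the thread. The [domain_realm]
# entries and dns_lookup_kdc are assumptions, not quoted from the post.
KRB5_CONF_SAMPLE='[libdefaults]
 default_realm = TEST-LPP.LOCAL
 dns_lookup_kdc = true

[realms]
 TEST-LPP.LOCAL = {
  kdc = pc-2003-test.test-lpp.local
 }

[domain_realm]
 .test-lpp.local = TEST-LPP.LOCAL
 test-lpp.local = TEST-LPP.LOCAL
'

# Constructed klist output, copied from the values shown in the thread.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pean@TEST-LPP.LOCAL

Valid starting     Expires            Service principal
04/13/11 11:41:09  04/13/11 18:21:09  krbtgt/TEST-LPP.LOCAL@TEST-LPP.LOCAL
'

# default_realm from a krb5.conf body read on stdin (empty if unset)
default_realm_of() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]'
}

# Realm of the cached TGT (krbtgt/REALM@REALM) in klist output read on
# stdin; empty when no TGT is cached at all.
tgt_realm_of() {
    sed -n 's/.*krbtgt\/\([^@]*\)@\([^[:space:]]*\).*/\2/p' | head -n 1
}

# Realm that [domain_realm] maps a host FQDN to. Lookup order mirrors
# libkrb5: the exact hostname first, then each parent domain prefixed with
# a dot (.test-lpp.local, .local). Prints nothing if no entry matches.
domain_realm_for() {
    host=$1
    conf=$2
    keys=$host
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        keys="$keys .$rest"
    done
    for key in $keys; do
        realm=$(printf '%s\n' "$conf" \
            | sed -n '/^\[domain_realm\]/,/^\[/p' \
            | awk -v k="$key" -F'=' '{
                  gsub(/^[ \t]+|[ \t]+$/, "", $1);
                  gsub(/^[ \t]+|[ \t]+$/, "", $2);
                  if ($1 == k) { print $2; exit }
              }')
        if [ -n "$realm" ]; then
            printf '%s\n' "$realm"
            return 0
        fi
    done
    return 0
}

# Returns 0 when the cached TGT realm matches both default_realm and the
# realm the DC's FQDN maps to; prints a diagnosis and returns 1 otherwise.
check_realm_alignment() {
    conf=$1
    klist_out=$2
    dc_fqdn=$3
    def=$(printf '%s\n' "$conf" | default_realm_of)
    tgt=$(printf '%s\n' "$klist_out" | tgt_realm_of)
    mapped=$(domain_realm_for "$dc_fqdn" "$conf")
    status=0
    if [ -z "$tgt" ]; then
        echo "no TGT in cache: run kinit, or check KRB5CCNAME points at the cache you expect"
        status=1
    elif [ "$tgt" != "$def" ]; then
        echo "TGT realm $tgt differs from default_realm $def"
        status=1
    fi
    if [ -n "$mapped" ] && [ -n "$tgt" ] && [ "$mapped" != "$tgt" ]; then
        echo "$dc_fqdn maps to realm $mapped but the TGT is for $tgt"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "realms aligned: $tgt"
    return "$status"
}

check_realm_alignment "$KRB5_CONF_SAMPLE" "$KLIST_SAMPLE" pc-2003-test.test-lpp.local
```

On a live host, replace the two constructed variables with `$(cat /etc/krb5.conf)` and `$(klist 2>&1)`; if Samba uses its own generated krb5.conf.REALM under /var/lib/samba/smb_krb5, as mentioned above, feed that file instead, since that is the one the join will read.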