[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?
Alain Péan
alain.pean at lpp.polytechnique.fr
Wed Apr 13 12:36:00 UTC 2011
On 13/04/2011 14:05, John Hodrien wrote:
> On Wed, 13 Apr 2011, Alain Péan wrote:
>
>> I'll try now, with the change in /etc/krb5.conf (validate = false), if
>> it works now.
>
> It won't (or at least it shouldn't). Validate is essential as it confirms
> that the KDC providing the TGT to the user is the same KDC that you registered
> with when you joined the domain. If you don't have that check, I believe it's
> hideously insecure.
You are right. It fails...
>
> But the samba join is affected by many things. /etc/hosts, /etc/krb5.conf,
> /etc/samba/smb.conf are all well worth double checking for correctness.
>
> So you've still got problems that need sorting. If validate doesn't work,
> then there are keytab issues. The keytab only needs to contain a valid
> principal for the domain, it doesn't even need to be a credential for that
> machine. Normally it *would* be for that machine, since you'd generate it
> through a 'net ads join' with an appropriate smb.conf.
Here are the relevant files, simple enough:
# cat /etc/samba/smb.conf
# Test domain test-lpp
# Global Parameters
[global]
workgroup = TEST-LPP
netbios name = centos-test
server string = Samba Server %v
security = ads
realm = TEST-LPP.LOCAL
#use kerberos keytab = true
kerberos method = secrets and keytab
passdb backend = tdbsam
password server = *
encrypt passwords = true
client use spnego = no
load printers = yes
printing = cups
printcap name = cups
admin users = pean
# Shares
[homes]
comment = Home Directories
read only = no
browseable = no
(samba3x, 3.5.4). I added passdb backend = tdbsam following the original
smb.conf file, but I don't know if this is necessary. It was not there
previously.
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
134.x1.y1.z1 centos-test.test-lpp.local centos-test
# Domain servers for test-lpp.local
134.x2.y2.z2 pc-2003-test.test-lpp.local pc-2003-test
134.x3.y3.z3 dc1-test.test-lpp.local dc1-test
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST-LPP.LOCAL
default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
TEST-LPP.LOCAL = {
kdc = pc-2003-test.test-lpp.local:88
kdc = dc1-test.test-lpp.local:88
#admin_server = pc-2003-test.test-lpp.local:749
default_domain = TEST-LPP.LOCAL
kpasswd_server = pc-2003-test.test-lpp.local
kdc = *
}
[domain_realm]
.test-lpp.local = TEST-LPP.LOCAL
test-lpp.local = TEST-LPP.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
validate = false
}
If you see something wrong, let me know!
The resolv.conf file contains the name of the domain (search
test-lpp.local) and the addresses of the AD servers of this domain, and
only them... SELinux and iptables are disabled.
Alain
--
==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================
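A small script to run the two checks John's reply points at (does the keytab hold a principal for the realm, and what does the pam validate setting actually say), added here as an example and not part of the thread. The klist listing and krb5.conf fragment are constructed samples that mirror the post; check_live assumes MIT krb5-workstation tools on the host.

```shell
#!/bin/sh
# Constructed stand-in for `klist -kt /etc/krb5.keytab` output on centos-test.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------
   2 04/13/11 12:00:00 host/centos-test.test-lpp.local@TEST-LPP.LOCAL
   2 04/13/11 12:00:00 CENTOS-TEST$@TEST-LPP.LOCAL'

# Constructed krb5.conf fragment mirroring the validate = false block in the post.
SAMPLE_KRB5='[appdefaults]
 pam = {
  debug = false
  validate = false
 }'

# keytab_has_realm_principal LISTING REALM: exit 0 if any principal in the
# listing ends in @REALM, i.e. the keytab has something a TGT can be validated against.
keytab_has_realm_principal() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $NF ~ /@/ && substr($NF, length($NF) - length(realm)) == "@" realm { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pam_validate_setting CONF: print the value of "validate" inside the
# [appdefaults] pam = { ... } block, or "unset" if it is not there.
pam_validate_setting() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[appdefaults\]/ { sect = 1; next }
        /^[[:space:]]*\[/              { sect = 0 }
        sect && /^[[:space:]]*pam[[:space:]]*=[[:space:]]*\{/ { inpam = 1; next }
        inpam && /\}/                  { inpam = 0 }
        inpam && /^[[:space:]]*validate[[:space:]]*=/ { sub(/.*=[[:space:]]*/, ""); val = $1 }
        END { print (val == "" ? "unset" : val) }'
}

# Live check on a joined host: list the keytab, then fetch a service ticket for
# the host principal and decrypt it with the keytab (kvno -k), which is the same
# validation pam_krb5 performs when validate = true. Run kinit <user> first.
check_live() {
    realm=${1:-TEST-LPP.LOCAL}
    keytab_has_realm_principal "$(klist -kt /etc/krb5.keytab)" "$realm" ||
        { echo "no $realm principal in /etc/krb5.keytab"; return 1; }
    [ "$(pam_validate_setting "$(cat /etc/krb5.conf)")" = "false" ] &&
        echo "warning: pam validate is false, TGT source is not checked"
    kvno -k /etc/krb5.keytab "host/$(hostname -f)"
}
```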