[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Alain Péan alain.pean at lpp.polytechnique.fr
Wed Apr 13 12:36:00 UTC 2011


Le 13/04/2011 14:05, John Hodrien a écrit :
> On Wed, 13 Apr 2011, Alain Péan wrote:
>
>> I'll try know, with the change in /etc/krb5.conf (validate = false), if
>> it works now.
>
> It won't (or at least it shouldn't).  Validate is essential as it 
> confirms
> that the KDC providing the TGT to the user is the same KDC that you 
> registered
> with when you joined the domain.  If you don't have that check, I 
> believe it's
> hideously insecure.

You are right. It fails...

>
> But the samba join is affected by many things.  /etc/hosts, 
> /etc/krb5.conf,
> /etc/samba/smb.conf are all well worth double checking for correctness.
>
> So you've still got problems that need sorting.  If validate doesn't 
> work,
> then there are keytab issues.  The keytab only needs to contain a valid
> principal for the domain, it doesn't even need to be a credential for 
> that
> machine.  Normally it *would* be for that machine, since you'd 
> generate it
> through a 'net ads join' with an appropriate smb.conf.

Here are the appropriate files, enough simple :
# cat /etc/samba/smb.conf
# Test domaine test-lpp

# Global Parameters
[global]
   workgroup = TEST-LPP
   netbios name = centos-test
   server string = Samba Server %v
   security = ads
   realm = TEST-LPP.LOCAL
   #use kerberos keytab = true
   kerberos method = secrets and keytab
   passdb backend = tdbsam
   password server = *
   encrypt passwords = true
   client use spnego = no
   load printers = yes
   printing = cups
   printcap name = cups
   admin users = pean

# Partages
[homes]
   comment = Home Directories
   read only = no
   browseable = no

(samba3x, 3.5.4). I added passdb backend = tdbsam following the original 
smb.conf file, but I don't know if this is necessary. It was not there 
previously.

# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
134.x1.y1.z1  centos-test.test-lpp.local      centos-test

# Serveur de domaine test-lpp.local
134.x2.y2.z2  pc-2003-test.test-lpp.local    pc-2003-test
134.x3.y3.z3  dc1-test.test-lpp.local            dc1-test

# cat /etc/krb5.conf
[logging]
     default = FILE:/var/log/krb5lib.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     ticket_lifetime = 24000
     default_realm = TEST-LPP.LOCAL
     default_tk_enctypes = des3-hmac-sha1 des-cbc-crc
     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
     dns_lookup_realm = true
     dns_lookup_kdc = true

[realms]
     TEST-LPP.LOCAL = {
         kdc = pc-2003-test.test-lpp.local:88
         kdc = dc1-test.test-lpp.local:88
         #admin_server = pc-2003-test.test-lpp.local:749
         default_domain = TEST-LPP.LOCAL
         kpasswd_server = pc-2003-test.test-lpp.local
         kdc = *
     }

[domain_realm]
     .test-lpp.local = TEST-LPP.LOCAL
     test-lpp.local = TEST-LPP.LOCAL

[kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    validate = false
  }

If you see something wrong, let me know !
The resolv.conf file contains the name of the domain (search 
test-lpp.local), and the addresses of the AD servers of this domain, and 
only them... selinux and iptables are disabled....

Alain

-- 

==========================================================
Alain Péan - LPP/CNRS
Administrateur Système/Réseau
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
==========================================================




More information about the CentOS mailing list