[CentOS] Problems joining Samba to a w2000 AD PDC

Wed Apr 6 17:13:47 UTC 2005
Sean O'Connell <oconnell at soe.ucsd.edu>

On Wed, 2005-04-06 at 17:35 +0100, Mário Gamito wrote:
> Hi Sean,
> 
> No, I did nothing to krb5.conf
> Didn't find any reference to that.
> 
> Can you send me your example, please?
> 
> 
> I only put
> 
> tux.dte.ua.pt   TUX.DTE.UA.PT
> 
> in krb.realms

Mario-

Take a look at the stock /etc/krb5.conf, and change all the
example.com/EXAMPLE.COM settings to match your domain/realm
settings. Once you can kinit as zbr, you'll know that your Kerberos
setup is functional.

For example, at UCSD, the campus Active Directory is (some would argue,
cleverly :) called AD.UCSD.EDU, so a working krb5.conf looks like

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.UCSD.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AD.UCSD.EDU = {
  kdc = ad.ucsd.edu:88
  admin_server = ad.ucsd.edu:749
  default_domain = AD.UCSD.EDU
 }

[domain_realm]
 .ucsd.edu = AD.UCSD.EDU
 ucsd.edu = AD.UCSD.EDU
 .ad.ucsd.edu = AD.UCSD.EDU
 ad.ucsd.edu = AD.UCSD.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

This is pretty much the stock krb5.conf after replacing all the
example.com/EXAMPLE.COM with ad.ucsd.edu/AD.UCSD.EDU, with a very minor
tweak to the [domain_realm] section.

-- 
Sean
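
Added example, not part of the original post: a small pre-flight check to run on an edited krb5.conf before trying kinit. It flags leftover example.com placeholders and any realm (the default_realm or a [domain_realm] target) that has no kdc entry while DNS KDC lookup is off. The function names, the sample file and the treatment of an absent dns_lookup_kdc as enabled are assumptions of this example.

```python
import re

# Constructed sample: a stock krb5.conf in which only some example.com lines were edited.
SAMPLE = """\
[libdefaults]
 default_realm = AD.UCSD.EDU
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' lines and one level of '{ }' blocks."""
    conf, section, sub = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, val = (part.strip() for part in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(val)
    return conf

def check_krb5(text):
    """Return the reasons kinit would fail to find a KDC, plus leftover placeholders."""
    conf, problems = parse_krb5(text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    # Assumption: DNS KDC lookup counts as enabled when the key is absent.
    use_dns = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "on", "1")
    # Every realm the client can be sent to: the default plus all [domain_realm] targets.
    needed = {vals[0] for vals in conf.get("domain_realm", {}).values()}
    needed.update(lib.get("default_realm", []))
    for realm in sorted(needed):
        if not use_dns and not realms.get(realm, {}).get("kdc"):
            problems.append(f"{realm}: no kdc in [realms] and dns_lookup_kdc is off")
    if re.search(r"example\.com", text, re.IGNORECASE):
        problems.append("stock example.com placeholder still present")
    return problems
```

An empty list from check_krb5(open("/etc/krb5.conf").read()) means the realm settings are at least self-consistent; a successful kinit remains the real test.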