[CentOS] Kerberos/LDAP authentication no more working in 5.6?

Wed Apr 13 10:11:00 UTC 2011
Alain Péan <alain.pean at lpp.polytechnique.fr>

On 13/04/2011 12:03, John Hodrien wrote:
> On Wed, 13 Apr 2011, Alain Péan wrote:
>> Hi John,
>> There are only two realms I mentioned, LAB-LPP.LOCAL, and
>> TEST-LPP.LOCAL. I am currently doing tests with the latter, and indeed,
>> pc-2003-test is the AD DC, so the KDC for TEST-LPP.LOCAL. The fqdn is
>> also pc-2003-test.test-lpp.local.
>> 'kinit <username>' works,
>> [root at centos-test etc]# kinit pean
>> Password for pean at TEST-LPP.LOCAL:
>> [root at centos-test etc]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: pean at TEST-LPP.LOCAL
>> Valid starting     Expires            Service principal
>> 04/13/11 11:41:09  04/13/11 18:21:09  
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> But nevertheless, it is asking for password when I issue the 'net ads
>> join -U pean' command...
>> As you understood, my KDC server is a Windows 2003 R2 Active Directory
>> server. I don't understand where it is looking for the credentials. I
>> tried to create the krb5.keytab with ktpass on the windows server, and
>> replace the one on the centos-test, but it does not work either. There
>> is something, perhaps obvious, I miss. I also tried with 'validate =
>> true' in /etc/krb5.conf, but with no success.
> Have you tried with validate = false?
> I'd expect that to work, but it's not what you want to be doing long 
> term.

I just tried, before reading your answer, and indeed, it works! I can 
now connect without ldap, only kerberos in system-auth-ac (/etc/pam.d).

>> I found also that there is a 'krb5.conf.TEST-LPP' file in
>> /var/lib/samba/smb_krb5, and this one is certainly used by samba (I
>> replaced old version with samba3x, 3.5.4, and put 'kerberos method =
>> secrets and keytab', instead of 'use kerberos keytab = true' that I used
>> previously.
> Does that config file conflict in any way with the system krb5.conf?
No, it is the newer syntax of 3.5.4, that's all.
>> I don't know if you have, or anyone else, an idea?
> Ah, I'm using samba-common-3.0.33 for the join not samba3x, so there's
> possibly some subtle differences.
No, it was the same with 3.0.33. I only tried with 3.5.4, when I saw 
that it failed with the previous version.
> The join is reliant on /etc/samba/smb.conf (and presumably that
> krb5.conf.TEST-LPP) though, so you'd need to double check that's all 
> correct.

I'll try now, with the change in /etc/krb5.conf (validate = false), if 
it works now.

Thanks for your help!


Alain Péan - LPP/CNRS
System/Network Administrator
Laboratoire de Physique des Plasmas - UMR 7648
Observatoire de Saint-Maur
4, av de Neptune, Bat. A
94100 Saint-Maur des Fossés
Tel : 01-45-11-42-39 - Fax : 01-48-89-44-33
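Added example, not part of the thread: "validate = true" makes pam_krb5 check the freshly obtained TGT against the host's own key, so it can only succeed when the keytab holds a host/<fqdn>@REALM entry; "validate = false" makes login work by skipping that check. The helpers below (hypothetical names) inspect "klist -k" output for that entry; the fqdn centos-test.test-lpp.local is assumed and the two keytab listings are constructed.

```shell
# keytab_host_kvno <klist -k output> <fqdn> <REALM>
# Prints the KVNO of host/<fqdn>@REALM and returns 0, or returns 1 if absent.
# Hypothetical helper; it only parses text, so it runs without a real keytab.
keytab_host_kvno() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $2 == want { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: a keytab produced with ktpass for the machine account
# only, with no host/ service principal in it.
SAMPLE_NO_HOST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 centos-test$@TEST-LPP.LOCAL'

# Constructed sample: the same keytab after the host/ principal has been
# added (what "net ads join" writes once "kerberos method" allows keytab use).
SAMPLE_WITH_HOST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 centos-test$@TEST-LPP.LOCAL
   3 host/centos-test.test-lpp.local@TEST-LPP.LOCAL'

# check_validate_ready <klist -k output> <fqdn> <REALM>
# Returns 0 when "validate = true" has the key it needs, 1 otherwise.
check_validate_ready() {
    if kvno=$(keytab_host_kvno "$1" "$2" "$3"); then
        echo "host/$2@$3 present (kvno $kvno): validate = true can work"
        return 0
    fi
    echo "host/$2@$3 missing: validate = true will fail until the keytab has it"
    return 1
}

# On a real host, feed it the live listing instead of the samples:
#   check_validate_ready "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" TEST-LPP.LOCAL
check_validate_ready "$SAMPLE_NO_HOST"   centos-test.test-lpp.local TEST-LPP.LOCAL
check_validate_ready "$SAMPLE_WITH_HOST" centos-test.test-lpp.local TEST-LPP.LOCAL
```

If the entry is present but the KVNO does not match the one the DC holds, validation still fails; "net ads join" refreshes both at once.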