[CentOS] Kerberos/LDAP authentication no more working in 5.6 ?

Wed Apr 13 12:05:10 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 13 Apr 2011, Alain Péan wrote:

> I'll try now, with the change in /etc/krb5.conf (validate = false), if
> it works now.

It won't (or at least it shouldn't).  Validate is essential as it confirms
that the KDC providing the TGT to the user is the same KDC that you registered
with when you joined the domain.  If you don't have that check, I believe it's
hideously insecure.

But the samba join is affected by many things.  /etc/hosts, /etc/krb5.conf,
/etc/samba/smb.conf are all well worth double checking for correctness.

So you've still got problems that need sorting.  If validate doesn't work,
then there are keytab issues.  The keytab only needs to contain a valid
principal for the domain; it doesn't even need to be a credential for that
machine.  Normally it *would* be for that machine, since you'd generate it
through a 'net ads join' with an appropriate smb.conf.

> Thanks for your help!

No problem.

jh
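The reply above argues that `validate = false` in krb5.conf should not be left in place, and that a failing validate points at keytab or KDC configuration rather than at the option itself. The following is an added example, not code from the thread or from any of the projects it mentions: a small static checker that parses the krb5.conf brace syntax and flags the pam_krb5 `validate` setting under `[appdefaults]` `pam`, plus the realm/KDC entries the poster says are worth double checking. The config it reads is constructed sample input, and the finding messages are this example's own wording.

```python
"""Static check of a krb5.conf for the pam_krb5 'validate' setting.

Added example (not from the mailing-list thread). It parses the
krb5.conf section/brace syntax and flags 'validate = false' under
[appdefaults] pam, which turns off verification of the user's TGT
against the host keytab. The config below is constructed sample
input, not a real host's file.
"""
import re
from typing import Any, Dict, List

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample: one realm with two KDCs and validate switched off.
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com
  kdc = kdc2.example.com
  admin_server = kdc1.example.com
 }

[appdefaults]
 pam = {
  validate = false
  debug = false
 }
"""


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Parse krb5.conf text into nested dicts.

    Sections become top-level keys, 'name = { ... }' blocks become nested
    dicts, and a key repeated inside one block becomes a list of values
    (as with several 'kdc =' lines). Comment lines start with '#' or ';'.
    """
    conf: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []  # innermost block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            continue  # values before the first section header are ignored
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    return conf


def audit_krb5_conf(conf: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    else:
        realm_conf = conf.get("realms", {}).get(realm, {})
        dns_kdc = str(libdefaults.get("dns_lookup_kdc", "")).lower()
        if not realm_conf.get("kdc") and dns_kdc not in ("true", "yes", "1"):
            findings.append(f"realms/{realm}: no kdc entries and dns_lookup_kdc is not enabled")
    pam = conf.get("appdefaults", {}).get("pam", {})
    validate = pam.get("validate")
    if validate is None:
        findings.append("appdefaults/pam: 'validate' is not set explicitly; set validate = true")
    elif str(validate).lower() in ("false", "no", "0"):
        findings.append("appdefaults/pam: validate = false disables checking the TGT "
                        "against the host keytab; set validate = true and fix the keytab instead")
    return findings


if __name__ == "__main__":
    for finding in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("WARNING:", finding)
```

Run it against a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; a clean result only means the options are set, so a reported validate failure still has to be chased through the keytab (`klist -kt`) and the `net ads join` configuration as the reply describes.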