Date: Sun, 08 Feb 2009 04:40:56 +0300
From: Alexey Beketov <opt1k2@mail.ru>
To: freebsd-questions@freebsd.org
Subject: kerberos and openldap
Message-ID: <E1LVyfI-000FdE-00.opt1k2-mail-ru@f71.mail.ru>
Hello,

I'm trying to set up Samba to replace AD; I already have working samba+ldap, and I'm stuck with Kerberos.

pkg_info:
heimdal-1.0.1
nss_ldap-1.264_1
openldap-client-2.4.13
openldap-server-2.4.13

cat /etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL

[realms]
DOMAIN.LOCAL = {
    admin_server = SERVER.DOMAIN.LOCAL
    default_domain = SERVER.DOMAIN.LOCAL
    kdc = SERVER.DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL

[kdc]
database = {
    dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
    acl_file = /var/heimdal/kadmind.acl
}
addresses = 127.0.0.1 192.168.6.23

cat /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/hdb.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
loglevel 256
logfile /var/db/openldap-data/slapd.log
moduleload back_bdb

allow update_anon

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by anonymous read
    by sockurl="^ldapi:///$" write
    by * none

database bdb
suffix "dc=domain,dc=local"
rootdn "cn=admin,dc=domain,dc=local"
rootpw {SSHA}somepasshehe
directory /var/db/openldap-data

index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
#index cn eq,sub,pres
#index uid eq,sub,pres
index displayName eq,sub,pres
index krb5PrincipalName eq

server# kadmin -l
kadmin> init DOMAIN.LOCAL
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
admin@DOMAIN.LOCAL's Password:
Verifying - admin@DOMAIN.LOCAL's Password:

***************************error here***********************
admin@DOMAIN.LOCAL's Password:
kinit: krb5_get_init_creds: Client (admin@DOMAIN.LOCAL) unknown
***********************************************************

How do I fix this error?
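Added example (not part of the original post, nor OpenLDAP or Heimdal code): a Python model of the two "access to" directives in the slapd.conf above. slapd applies the first "access to" directive whose target matches and then the first "by" clause inside it whose subject matches, so the ldapi write clause only reaches binds that are neither self nor anonymous, and never the password attributes, which the first directive already covers. Request, granted and EXTERNAL_DN are assumed names, and the EXTERNAL_DN value is a constructed placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Transcribed from the post's slapd.conf.  A target of None stands for "*".
PASSWORD_ATTRS = {"userPassword", "shadowLastChange",
                  "sambaNTPassword", "sambaLMPassword"}
ACL = [
    (PASSWORD_ATTRS, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, [("self", "write"), ("anonymous", "read"),
            ('sockurl="^ldapi:///$"', "write"), ("*", "none")]),
]
ROOTDN = "cn=admin,dc=domain,dc=local"   # rootdn bypasses access control

# Constructed placeholder for the identity a SASL EXTERNAL bind over
# ldapi:/// would carry (hypothetical value, for illustration only).
EXTERNAL_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

@dataclass
class Request:
    attr: str                  # attribute the client wants to touch
    bind_dn: Optional[str]     # None means an anonymous bind
    entry_dn: str              # DN of the entry that holds the attribute
    sockurl: str = "ldap:///"  # listener URL the client connected through

def who_matches(who: str, req: Request) -> bool:
    """True if a single 'by <who>' subject applies to the request."""
    if who == "*":
        return True
    if who == "self":
        return req.bind_dn is not None and req.bind_dn == req.entry_dn
    if who == "anonymous":
        return req.bind_dn is None
    if who.startswith("sockurl="):
        pattern = who.split("=", 1)[1].strip('"')
        return re.search(pattern, req.sockurl) is not None
    raise ValueError(f"unsupported by-clause subject: {who}")

def granted(req: Request) -> str:
    """Access level slapd would grant: first matching directive, first
    matching by-clause inside it, deny when nothing matches."""
    if req.bind_dn == ROOTDN:
        return "manage"
    for target, clauses in ACL:
        if target is not None and req.attr not in target:
            continue
        for who, level in clauses:
            if who_matches(who, req):
                return level
        return "none"
    return "none"
```

Running the model against the principal entry kadmin -l creates shows that an anonymous ldapi client gets only read on the whole tree, and that no non-self client, ldapi or not, can ever write the samba or userPassword attributes.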