Date: Sun, 08 Feb 2009 01:41:05 -0700
From: Tim Judd <tajudd@gmail.com>
To: Alexey Beketov <opt1k2@mail.ru>, freebsd general questions <freebsd-questions@freebsd.org>
Subject: Re: kerberos and openldap
Message-ID: <498E9AA1.8030506@gmail.com>
In-Reply-To: <E1LVyfI-000FdE-00.opt1k2-mail-ru@f71.mail.ru>
References: <E1LVyfI-000FdE-00.opt1k2-mail-ru@f71.mail.ru>
Alexey Beketov wrote:
> Hello, I'm trying to replace AD with Samba; I already have working samba+ldap, and I'm stuck with Kerberos.
>
> pkg_info:
> heimdal-1.0.1
> nss_ldap-1.264_1
> openldap-client-2.4.13
> openldap-server-2.4.13
>
> cat /etc/krb5.conf
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
>
> [realms]
> DOMAIN.LOCAL = {
> admin_server = SERVER.DOMAIN.LOCAL
> default_domain = SERVER.DOMAIN.LOCAL
> kdc = SERVER.DOMAIN.LOCAL
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
>
> [kdc]
> database = {
> dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
> acl_file = /var/heimdal/kadmind.acl
> }
> addresses = 127.0.0.1 192.168.6.23
>
> cat /usr/local/etc/openldap/slapd.conf
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/hdb.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
>
> loglevel 256
> logfile /var/db/openldap-data/slapd.log
>
> moduleload back_bdb
>
> allow update_anon
>
> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>   by self write
>   by anonymous auth
>   by * none
>
> access to *
>   by self write
>   by anonymous read
>   by sockurl="^ldapi:///$" write
>   by * none
>
> database bdb
> suffix "dc=domain,dc=local"
> rootdn "cn=admin,dc=domain,dc=local"
> rootpw {SSHA}somepasshehe
> directory /var/db/openldap-data
>
> index uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index objectClass eq
> #index cn eq,sub,pres
> #index uid eq,sub,pres
> index displayName eq,sub,pres
> index krb5PrincipalName eq
>
> server# kadmin -l
> kadmin> init DOMAIN.LOCAL
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
> kadmin> add admin
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> admin@DOMAIN.LOCAL's Password:
> Verifying - admin@DOMAIN.LOCAL's Password:
>
> ***************************error here***********************
> admin@DOMAIN.LOCAL's Password:
> kinit: krb5_get_init_creds: Client (admin@DOMAIN.LOCAL) unknown
> ***********************************************************
>
> How do I fix the error?

Have you read the FreeBSD handbook about Kerberos? Have you set up the SRV records in DNS for Kerberos? Those would be my first places to check.

I'm not dedicating myself to doing an open-source AD replacement, but it is something on my list I want to do soon. Your help and input would be appreciated, given my goal soon too.
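A diagnostic script added here (it is not part of either message) for the failure the thread describes: it reads the [kdc] dbname from krb5.conf, looks the principal up in the LDAP tree with ldapsearch over ldapi, and checks the Kerberos SRV record Tim asks about. The realm, domain, base DN and the --live switch are assumptions taken from the quoted configs; the parsing helpers read stdin so they can be exercised offline.

```shell
#!/bin/sh
# Checks for the symptom in the thread: "kadmin -l add admin" succeeds but
# "kinit admin" answers "Client (admin@DOMAIN.LOCAL) unknown". Realm, domain
# and base DN are assumed from the quoted configs.
set -eu

REALM=DOMAIN.LOCAL
DOMAIN=domain.local
BASE='ou=KerberosPrincipals,dc=domain,dc=local'
KRB5CONF=/etc/krb5.conf

# 1. kadmin -l and the KDC both open the database named by [kdc] database
#    dbname; print it (empty when the section or key is missing).
kdc_dbname() {
  awk '/^\[/ { in_kdc = ($0 ~ /^\[kdc\]/) }
       in_kdc && /dbname[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# 2. Is the principal in the LDAP tree the KDC searches? Reads LDIF (as
#    ldapsearch prints it) on stdin; exit 0 on an exact krb5PrincipalName match.
principal_in_ldif() {
  grep -qxF "krb5PrincipalName: $1"
}

# 3. Does the realm have a Kerberos SRV record? Reads "host -t SRV" output.
has_srv_record() {
  grep -q 'has SRV record'
}

# Live run: local slapd over ldapi (as root, matching the sockurl ACL) and DNS.
live_check() {
  db=$(kdc_dbname "$KRB5CONF")
  case "$db" in
    ldap:*) echo "ok: [kdc] dbname = $db" ;;
    *) echo "WARN: [kdc] dbname is '$db', not ldap:; kadmin -l and kdc use the local hdb file" ;;
  esac
  if ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "$BASE" \
       "(krb5PrincipalName=admin@$REALM)" krb5PrincipalName | principal_in_ldif "admin@$REALM"; then
    echo "ok: admin@$REALM is under $BASE"
  else
    echo "WARN: admin@$REALM not found under $BASE (check dbname and the ldapi ACL)"
  fi
  if host -t SRV "_kerberos._udp.$DOMAIN" | has_srv_record; then
    echo "ok: _kerberos._udp.$DOMAIN SRV record present"
  else
    echo "WARN: no _kerberos._udp.$DOMAIN SRV record"
  fi
}
# Run the live checks only when asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as root on the KDC host with `sh check_krb_ldap.sh --live`; a WARN on the second check means kadmin -l and the KDC are not looking at the same principal store.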