Date: Sun, 08 Feb 2009 01:41:05 -0700
From: Tim Judd
To: Alexey Beketov, freebsd general questions
Subject: Re: kerberos and openldap

Alexey Beketov wrote:
> Hello, I'm trying to set up Samba to replace AD; I already have working samba+ldap and am stuck with Kerberos.
>
> pkg_info:
> heimdal-1.0.1
> nss_ldap-1.264_1
> openldap-client-2.4.13
> openldap-server-2.4.13
>
> cat /etc/krb5.conf
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     default_realm = DOMAIN.LOCAL
>
> [realms]
>     DOMAIN.LOCAL = {
>         admin_server = SERVER.DOMAIN.LOCAL
>         default_domain = SERVER.DOMAIN.LOCAL
>         kdc = SERVER.DOMAIN.LOCAL
>     }
>
> [domain_realm]
>     .domain.local = DOMAIN.LOCAL
>
> [kdc]
>     database = {
>         dbname = ldap:ou=KerberosPrincipals,dc=domain,dc=local
>         acl_file = /var/heimdal/kadmind.acl
>     }
>     addresses = 127.0.0.1 192.168.6.23
>
> cat /usr/local/etc/openldap/slapd.conf
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/hdb.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
>
> loglevel 256
> logfile /var/db/openldap-data/slapd.log
>
> moduleload back_bdb
>
> allow update_anon
>
> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>     by self write
>     by anonymous auth
>     by * none
>
> access to *
>     by self write
>     by anonymous read
>     by sockurl="^ldapi:///$" write
>     by * none
>
> database bdb
> suffix "dc=domain,dc=local"
> rootdn "cn=admin,dc=domain,dc=local"
> rootpw {SSHA}somepasshehe
> directory /var/db/openldap-data
>
> index uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index objectClass eq
> #index cn eq,sub,pres
> #index uid eq,sub,pres
> index displayName eq,sub,pres
> index krb5PrincipalName eq
>
> server# kadmin -l
> kadmin> init DOMAIN.LOCAL
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
> kadmin> add admin
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> admin@DOMAIN.LOCAL's Password:
> Verifying - admin@DOMAIN.LOCAL's Password:
>
> ***************************error here***********************
> admin@DOMAIN.LOCAL's Password:
> kinit: krb5_get_init_creds: Client (admin@DOMAIN.LOCAL) unknown
> ***********************************************************
>
> How do I fix the error?

Have you read the FreeBSD handbook about Kerberos? Have you set up the SRV records in DNS for Kerberos? Those would be my first places to check.

I'm not dedicating myself to doing an open-source AD replacement, but it is something on my list that I want to do soon. Your help and input would be appreciated, given that it is my goal soon too.
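The SRV records Tim asks about, as an added example that is not part of the thread or of the FreeBSD handbook: a constructed BIND zone fragment for the poster's DOMAIN.LOCAL realm (using the SERVER.DOMAIN.LOCAL host and 192.168.6.23 address from his krb5.conf) and a small checker that parses it and reports which of the records a Kerberos client's DNS lookup needs are missing or wrong. The service names and ports follow RFC 4120 section 7.2.3.3 and RFC 2782 (the "." target rule); the zone text, the function names and the checker itself are hypothetical and not real DNS data.

```python
"""Check a DNS zone for the records Kerberos clients use to find a realm's KDC.

Added example, not from the thread. REQUIRED lists the SRV names and ports
Heimdal/MIT clients query (RFC 4120 section 7.2.3.3); the TXT record at
_kerberos.<domain> maps the DNS domain to the realm name. The zone text below
is constructed for the poster's DOMAIN.LOCAL realm and is not real DNS data.
"""
import re

REQUIRED = {  # SRV owner label -> port the target must advertise
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,
}

# Constructed zone fragment (hypothetical); names/addresses taken from the thread.
SAMPLE_ZONE = """\
$ORIGIN domain.local.
$TTL 3600
server                IN A   192.168.6.23
_kerberos             IN TXT "DOMAIN.LOCAL"     ; domain -> realm mapping
_kerberos._udp        IN SRV 0 0 88  server
_kerberos._tcp        IN SRV 0 0 88  server
_kerberos-master._udp IN SRV 0 0 88  server      ; optional, retried after a failed password change
_kerberos-adm._tcp    IN SRV 0 0 749 server
_kpasswd._udp         IN SRV 0 0 464 server
"""

SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]*)"$')


def fqdn(name, origin):
    """Qualify a zone-file owner or target name relative to origin (lowercased)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (srv, txt) maps keyed by fully qualified owner name.

    Only SRV and TXT records are kept; $ORIGIN is honoured, other
    directives and record types are ignored (a simplification).
    """
    origin = origin.lower().rstrip(".") + "."
    srv, txt = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):
            continue
        m = SRV_RE.match(line)
        if m:
            prio, weight, port = (int(m.group(i)) for i in (2, 3, 4))
            srv.setdefault(fqdn(m.group(1), origin), []).append(
                (prio, weight, port, fqdn(m.group(5), origin)))
            continue
        m = TXT_RE.match(line)
        if m:
            txt.setdefault(fqdn(m.group(1), origin), []).append(m.group(2))
    return srv, txt


def check_realm(zone_text, domain, realm):
    """Return a list of problems; empty means every lookup a client makes will succeed."""
    origin = domain.lower().rstrip(".") + "."
    srv, txt = parse_zone(zone_text, origin)
    problems = []
    if realm not in txt.get(f"_kerberos.{origin}", []):
        problems.append(f'missing TXT _kerberos.{origin} "{realm}"')
    for label, port in REQUIRED.items():
        name = f"{label}.{origin}"
        records = srv.get(name)
        if not records:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, got_port, target in records:
            if target == ".":        # RFC 2782: target "." means "service not offered"
                problems.append(f"{name}: target '.' declares the service absent")
            elif got_port != port:
                problems.append(f"{name}: port {got_port}, expected {port}")
    return problems


if __name__ == "__main__":
    for problem in check_realm(SAMPLE_ZONE, "domain.local", "DOMAIN.LOCAL") or ["ok"]:
        print(problem)
```

Note that the SRV records only tell a client where the KDC is; they do not explain a "Client unknown" answer from a KDC that was reached, so after the zone checks out the next thing to compare is the database the running kdc process opened against the one kadmin -l wrote to.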