Cannot integrate AD with krb5

Leo Xiao lxiao at vmware.com
Thu Oct 24 06:22:23 EDT 2013


Thanks a lot Steve. I didn't describe it clearly.
I'm simulating a customer environment now. The environment is:
1. They have a Kerberos+bind server A.test2.local.
2. They also have an AD+DNS server B.test1.local.
3. They want to log in to machine C (the workstation, in test1.local) with users
on machine A (the users are mapped to AD users on machine B).

Regards,
Leo

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of steve
Sent: Thursday, October 24, 2013 6:03 PM
To: kerberos at mit.edu
Subject: Re: Cannot integrate AD with krb5

On Thu, 2013-10-24 at 02:35 -0700, Leo Xiao wrote:
> Hi,
> 
> Appreciate it very much Steve! Your blog is quite helpful for me to 
> make my smb available to windows user.
> 
> And now I need to check Kerberos authentication (user mapped with AD). 
> So I must work on krb5 and bind.

I can't understand why you are installing bind on the ws. On the ws, this
is all you need for krb5.conf:

[libdefaults]
        default_realm = TEST1.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

Make sure that:
host test1.local
returns correctly and then you should be able to:
kinit Administrator@TEST1.LOCAL

Now, simply join the domain:
net ads join -UAdministrator
That's it!

> And must resolve the network problem between AD and Kerberos.
> 
Check that the DNS on the ws has the w2008 DC as its main DNS.

HTH
Steve
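
The procedure Steve lays out above (minimal krb5.conf with SRV-based KDC lookup, DNS check, kinit, join with winbind writing the MACHINE$ keys to the system keytab), as an added example script that is not part of the thread or of the Samba/MIT projects. It assumes realm TEST1.LOCAL, the DC reachable as b.test1.local, and a placeholder join account `joinuser`; in practice use an account delegated only the right to join computers rather than Administrator, and keep /etc/krb5.keytab root-owned and mode 0600, since whoever can read it holds the workstation's domain identity. The klist listing used for the post-join check is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: realm TEST1.LOCAL,
# DC b.test1.local, join account "joinuser" (placeholder).
REALM="${REALM:-TEST1.LOCAL}"
DC="${DC:-b.test1.local}"
JOIN_USER="${JOIN_USER:-joinuser}"

# Workstation krb5.conf: no hard-coded KDC, the client locates the KDC via
# the _kerberos._tcp.<realm> SRV records that AD publishes in DNS.
render_krb5_conf() {
    printf '[libdefaults]\n'
    printf '        default_realm = %s\n' "$1"
    printf '        dns_lookup_realm = false\n'
    printf '        dns_lookup_kdc = true\n'
}

# smb.conf [global] lines so that `net ads join` writes the host/ and
# MACHINE$ keys into /etc/krb5.keytab instead of Samba's private secrets.
render_smb_conf() {   # $1 = workgroup, $2 = realm
    printf '[global]\n'
    printf '        workgroup = %s\n' "$1"
    printf '        realm = %s\n' "$2"
    printf '        security = ads\n'
    printf '        kerberos method = system keytab\n'
}

# NetBIOS domain name derived from the realm: first DNS label, upper-case.
workgroup_from_realm() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# The SRV name a client with dns_lookup_kdc = true queries first.
kdc_srv_name() {
    printf '_kerberos._tcp.%s' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Given `klist -k` output, the short hostname and the realm, report whether
# the MACHINE$ key is present: the join only succeeded if this is true.
has_machine_key() {   # $1 = klist -k output, $2 = short hostname, $3 = realm
    printf '%s\n' "$1" | grep -q "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')\\\$@$3"
}

# Constructed sample of what `klist -k /etc/krb5.keytab` prints after a
# successful join of workstation "c" (not captured from a real system).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/c.test1.local@TEST1.LOCAL
   2 C$@TEST1.LOCAL'

# Live pre-join checks; these need the DC, so they only run with --check.
preflight() {
    host -t SRV "$(kdc_srv_name "$REALM")" \
        || { echo "no KDC SRV record: is the DC the workstation's resolver?" >&2; return 1; }
    host "$DC" || return 1
    kinit "$JOIN_USER@$REALM" || return 1
    klist
}

# Live post-join check: MACHINE$ key present and keytab not world-readable.
postjoin() {
    has_machine_key "$(klist -k /etc/krb5.keytab)" "$(hostname -s)" "$REALM" \
        || { echo "MACHINE\$ key missing from /etc/krb5.keytab" >&2; return 1; }
    [ "$(stat -c %a /etc/krb5.keytab)" = "600" ] \
        || { echo "/etc/krb5.keytab should be mode 0600" >&2; return 1; }
}

case "${1:-}" in
    --check)
        render_krb5_conf "$REALM" > /tmp/krb5.conf.example
        render_smb_conf "$(workgroup_from_realm "$REALM")" "$REALM" > /tmp/smb.conf.example
        preflight && echo "ready: review /tmp/*.example, then: net ads join -U$JOIN_USER"
        ;;
    --postjoin)
        postjoin && echo "join looks good"
        ;;
esac
```

Run it with `--check` on the workstation before joining and with `--postjoin` afterwards; if the SRV query fails, the workstation's resolver is not the DC, which is the DNS problem Steve points at.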


> Regards,
> Leo
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On 
> Behalf Of steve
> Sent: Thursday, October 24, 2013 3:51 PM
> To: kerberos at mit.edu
> Subject: Re: Cannot integrate AD with krb5
> 
> On Wed, 2013-10-23 at 23:45 -0700, Leo Xiao wrote:
> > Dear all,
> > 
> >  
> > 
> > I'm trying to integrate my AD with krb5:
> > 
> > 1. I have an existing AD (with DNS on the same host), test1.local, on
> > win2k8.
> > 
> > 2. I created a krb5 and bind9 server on RHEL5.
> > 
> > 3. I want to integrate AD and krb5 by mapping AD users to Kerberos
> > users. Then I can log in to my workstation with a Kerberos user.
> > 
> Hi
> The workstation (ws) will need a MACHINE$ key for the domain before 
> users can authenticate against your AD. The easiest way to get that is 
> to use winbind and set:
> kerberos method = system keytab
> in /etc/samba/smb.conf
> The necessary keytab will then be created when you join the ws to the
> domain:
> net ads join -Uadmin.user
> should get you there.
> 
> We did this a while ago:
> http://linuxcostablanca.blogspot.com.es/2012/08/winbind-on-samba4-ii.html
> 
> You don't need Bind. Set the primary DNS on the ws to point to the IP 
> of test1.local. You shouldn't need to add a forwarder.
> HTH
> Steve
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

