Installing heimdal-kdc

Jeffrey Hutzelman jhutz at cmu.edu
Wed Mar 6 08:47:51 EST 2019


You need to tell the Kerberos library where to find your kdc. You have basically two options:


1) Add the following to /etc/krb5.conf on every client:

[realms]
MYDOMAIN.DE = {
  kdc = kdc.mydomain.de:88
}



2) Publish SRV records in DNS (field order is priority, weight, port, target):

_kerberos._udp.mydomain.de. IN SRV 1 1 88 kdc.mydomain.de.
_kerberos._tcp.mydomain.de. IN SRV 1 1 88 kdc.mydomain.de.



I strongly recommend the SRV approach, particularly if you have a lot of clients, or expect any that you don't directly control.
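How a client library applies the two options above, written as an added example for this thread (it is not code from the thread, from Heimdal or from MIT Kerberos): the [realms] section of krb5.conf is consulted first, and only if it names no KDC for the realm are the _kerberos._udp / _kerberos._tcp SRV records used, ordered per RFC 2782. Both inputs are constructed strings so it runs offline; kdc2.mydomain.de and kdc-backup.mydomain.de are made-up hosts added to show ordering. The SRV parser deliberately rejects a record whose fields are not in priority/weight/port/target order, since such a record never matches what a resolver hands back.

```python
"""KDC location as a client library does it: krb5.conf [realms] first,
then _kerberos._<transport>.<realm> SRV records.  Added example, not code
from the thread or from Heimdal; inputs below are constructed."""
import random
import re

# Constructed krb5.conf fragment (option 1); kdc2 is an assumed second KDC.
KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.DE

[realms]
    MYDOMAIN.DE = {
        kdc = kdc.mydomain.de:88
        kdc = kdc2.mydomain.de      # port defaults to 88 when omitted
    }
"""

# Constructed zone-file excerpt (option 2).  RFC 2782 field order is
# "priority weight port target"; kdc-backup is an assumed fallback host.
ZONE = """\
_kerberos._udp.mydomain.de. 3600 IN SRV 0  0 88 kdc.mydomain.de.
_kerberos._udp.mydomain.de. 3600 IN SRV 10 0 88 kdc-backup.mydomain.de.
_kerberos._tcp.mydomain.de. 3600 IN SRV 0  0 88 kdc.mydomain.de.
"""

KRB5_SECTION = re.compile(r'^\[(\w+)\]$')
KRB5_OPEN = re.compile(r'^(\S+)\s*=\s*\{$')
KRB5_KDC = re.compile(r'^kdc\s*=\s*(\S+)$')
SRV_LINE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$', re.I)


def parse_krb5_realms(text):
    """Return {REALM: [kdc, ...]} from the [realms] section ('#' starts a comment)."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = KRB5_SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = KRB5_OPEN.match(line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == '}':
            realm = None
            continue
        m = KRB5_KDC.match(line)
        if m and realm:
            realms[realm].append(m.group(1))
    return realms


def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} from zone-file lines.
    Fields in any other order (e.g. "SRV kdc.mydomain.de 88 1 1") raise ValueError."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError('not a valid SRV record: %r' % raw)
        owner, prio, weight, port, target = m.groups()
        records.setdefault(owner.rstrip('.').lower(), []).append(
            (int(prio), int(weight), int(port), target.rstrip('.')))
    return records


def order_srv(rrs, rng=None):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in rrs}):
        pool = [r for r in rrs if r[0] == prio]
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate_kdc(realm, krb5_conf, srv_zone, transport='udp', rng=None):
    """'host:port' candidates in the order a client tries them; krb5.conf wins,
    then SRV, and with neither the client has 'No KDC found' for the realm."""
    configured = parse_krb5_realms(krb5_conf).get(realm)
    if configured:
        return [h if ':' in h else h + ':88' for h in configured]
    name = '_kerberos._%s.%s' % (transport, realm.lower())
    rrs = parse_srv(srv_zone).get(name, [])
    if rrs:
        return ['%s:%d' % (t, p) for _, _, p, t in order_srv(rrs, rng)]
    raise LookupError('No KDC found for realm %s' % realm)
```

locate_kdc('MYDOMAIN.DE', KRB5_CONF, ZONE) returns the two configured hosts; with an empty krb5.conf it returns kdc.mydomain.de:88 before kdc-backup.mydomain.de:88 because of the priorities. Note that kadmin -l opens the database file directly and never needs this lookup, which is why it works in the quoted report while the non-local kadmin, which must find the KDC first, fails with "No KDC found".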

________________________________
From: Lothar Schilling <ls at proasyl.de>
Sent: Wednesday, March 6, 2019 08:30
To: kerberos at mit.edu
Subject: Installing heimdal-kdc

Hi,

being a newbie to kerberos I am trying to setup heimdal-kdc 7.1.0 on a
Debian 9.8 VM. Heimdal because we need Kerberos to be compliant with
Samba 4 acting as an ADDC. So here's what I did:

apt-get install heimdal-kdc. It's up and running: ps ax =>
/usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
systemctl stop heimdal-kdc

/etc/heimdal-kdc/kdc.conf
[libdefaults]
        default_realm = MYDOMAIN.DE
[domain_realm]
        .MYDOMAIN.DE = MYDOMAIN.DE
[logging]
kdc = FILE:/var/log/heimdal-kdc.log
[kdc]
database = {
  dbname = /var/lib/heimdal-kdc/heimdal
  kdc = KDC.MYDOMAIN.DE:88
  realm = MYDOMAIN.DE
  mkey_file = /var/lib/heimdal-kdc/m-key
  acl_file = /etc/heimdal-kdc/kadmind.acl
  log_file = /var/lib/heimdal-kdc/log
}

systemctl start heimdal-kdc

kadmin -l is working, list * is giving me this:
admin
default
kadmin/admin
kadmin/hprop
kadmin/changepw
krbtgt/MYDOMAIN.DE
changepw/kerberos
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L

But /kadmin/ (not-local) is not: kadm5_init_with_password: No KDC found
for realm MYDOMAIN.DE.

I thought it might be DNS-related, so I made sure nsswitch.conf fits the
bill, added the server's name to /etc/hosts. I even set up bind9 on that
very machine:
KDC.MYDOMAIN.DE.     43200   IN      A       192.168.27.3
Also made sure Kerberos is listening on port 88. I even tried localhost
and IP address instead of KDC.MYDOMAIN.DE in kdc.conf - didn't help either.

I've been trying now for 2 days, it's driving me nuts. Would anybody
please enlighten me what kind of mistake I make?

Thank you

Lothar Schilling
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos