With both MIT and Heimdal Kerberos it is unnecessary to configure /etc/krb5.conf,
and a hand-written one may even be detrimental: a static KDC entry that is wrong or
stale takes precedence over what the libraries would have discovered on their own.
Microsoft ADS automatically creates SRV records in the DNS zone
_kerberos._tcp.REALM.NAME
for each KDC in the realm. This is part
of the installation and configuration process used to create an Active Directory domain.
A KDC is a Kerberos Key Distribution Center and forms an integral part of the Microsoft
Active Directory infrastructure; in an AD domain every domain controller is a KDC.
UNIX systems can use kinit and the DES-CBC-MD5 or DES-CBC-CRC encryption types to authenticate to the Windows
2000 KDC. Note that single-DES is weak and has since been formally deprecated for Kerberos (RFC 6649);
current MIT and Heimdal releases, and current Windows domain controllers, disable it by default, so only
pin these etypes when an old KDC or client leaves you no choice. For further information regarding Windows
2000 ADS Kerberos interoperability please refer to the Microsoft Windows 2000 Kerberos Interoperability
guide. Another very useful document that may be referred to for general information regarding Kerberos
interoperability is RFC1510 (the original Kerberos V5 specification, since superseded by RFC 4120). This RFC
explains much of the magic behind the operation of Kerberos.
MIT's, as well as Heimdal's, recent KRB5 libraries default to checking for SRV records, so they will
automatically find the KDCs. In addition, a manually maintained krb5.conf only knows about the KDCs you
list in it, and that list goes stale as domain controllers are added or removed. Using the DNS lookup
allows the KRB5 libraries to use whichever KDCs are currently available.
When manually configuring krb5.conf, the minimal configuration is (note the section name is
[domain_realm], singular; a misspelt section is silently ignored by both MIT and Heimdal):

    [libdefaults]
        default_realm = YOUR.KERBEROS.REALM

    [realms]
        YOUR.KERBEROS.REALM = {
            kdc = your.kerberos.server
        }

    [domain_realm]
        .kerberos.server = YOUR.KERBEROS.REALM
When using Heimdal versions before 0.6, which support only the DES encryption types, use the following
configuration settings:

    [libdefaults]
        default_realm = YOUR.KERBEROS.REALM
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

    [realms]
        YOUR.KERBEROS.REALM = {
            kdc = your.kerberos.server
        }

    [domain_realm]
        .kerberos.server = YOUR.KERBEROS.REALM
Test your config by running

    kinit USERNAME@REALM

and making sure that your password is accepted by the Win2000 KDC. A successful kinit leaves a
ticket-granting ticket in your credential cache; klist should show a ticket for
krbtgt/REALM@REALM.
With Heimdal versions earlier than 0.6.x you can use only accounts newly created
in ADS, or accounts whose password has been changed once after migration (for
Administrator, once after installation). At the
moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6
(and with no default etypes in krb5.conf). Unfortunately, this whole area is still
in a state of flux.
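The following script is an added example and is not part of the Samba HOWTO: it generates a minimal krb5.conf of the shape shown above, checks an existing file for the two mistakes this section invites (the misspelt [domain_realms] section and pinned single-DES etypes), builds the SRV name the libraries query, and wraps the kinit/klist test. The realm EXAMPLE.COM, DNS domain example.com and KDC dc1.example.com are assumed placeholders; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): build and sanity-check a minimal
# /etc/krb5.conf for an Active Directory realm, then test it with kinit.
# Assumed placeholders: realm EXAMPLE.COM, DNS domain example.com, KDC
# dc1.example.com. Replace them with your own values.

# Print the SRV name the KRB5 libraries query to locate KDCs. AD registers the
# record under the DNS domain name, so the realm is lowercased.
krb5_srv_name() {
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Query the KDC SRV records (needs network and host(1); not run by the test).
kdc_srv_lookup() {
    host -t SRV "$(krb5_srv_name "$1")"
}

# Emit a minimal krb5.conf. Arguments: REALM KDC DNSDOMAIN.
# dns_lookup_kdc is the default in current MIT and Heimdal; it is written out
# explicitly so the static kdc line is only a fallback, not the sole source.
write_krb5_conf() {
    realm=$1; kdc=$2; dnsdomain=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$dnsdomain = $realm
    $dnsdomain = $realm
EOF
}

# Check a krb5.conf for the misspelt [domain_realms] section (silently ignored
# by both MIT and Heimdal, so hostname-to-realm mapping never happens) and for
# pinned single-DES enctypes (weak; deprecated by RFC 6649).
# Returns 0 when clean, 1 for the section typo, 2 when DES etypes are pinned.
check_krb5_conf() {
    f=$1
    if grep -q '^[[:space:]]*\[domain_realms\]' "$f"; then
        echo "$f: section must be [domain_realm], not [domain_realms]" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*default_etypes(_des)?[[:space:]]*=.*des-cbc-(crc|md5)' "$f"; then
        echo "$f: single-DES enctypes pinned; drop default_etypes* unless a pre-0.6 Heimdal forces it" >&2
        return 2
    fi
    return 0
}

# Obtain a TGT and list it. A krbtgt/REALM@REALM entry in the klist output
# confirms the KDC accepted the password (needs a reachable KDC; not run by
# the test). Arguments: USERNAME REALM.
test_kinit() {
    kinit "$1@$2" && klist
}

# Usage: sh krb5-setup.sh EXAMPLE.COM dc1.example.com example.com > krb5.conf
if [ "$#" -eq 3 ]; then
    write_krb5_conf "$1" "$2" "$3"
fi
```

Run check_krb5_conf against your live /etc/krb5.conf before the kinit test; the return code distinguishes a file that will silently fail realm mapping (1) from one that merely pins weak etypes (2).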