Hi All,

I am using samba-3.2.11-0.1.145 in my setup. I have multiple domain controllers for a domain. I am confused about whether I need to edit /etc/krb5.conf or not. I am using MIT Kerberos (krb5-1.4.3-19.34) on SLES10.

Here is what I got from the Samba HOWTO:

1. Adding entries in /etc/krb5.conf for "kdc =", "admin server =" and "password server =" is only necessary if SRV records are not in the DNS server. If SRV records are there, there is no need to configure /etc/krb5.conf.

2. /etc/samba/smb.conf should contain the list of domain controllers in the "password server =" line (space separated), or it can contain *, which will get the list from DNS SRV records.

3. If SRV records are not present (maybe I migrated my DNS server to a Linux box), then I need to manually enter the "kdc =", etc. lines in /etc/krb5.conf.

4. I can have multiple "kdc =" entries in /etc/krb5.conf, if I need to manually configure /etc/krb5.conf, but only a single "admin server =" and "password server =" line. How does this /etc/krb5.conf entry for admin server and password server become HA if the machine specified in admin server and password server goes down?

Any help appreciated.

Thanks,
Rajesh
Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:

> 4. I can have multiple "kdc =" entries in /etc/krb5.conf, if I need to manually configure
> /etc/krb5.conf, but only a single "admin server =" and "password server =" line.
> How does this /etc/krb5.conf entry for admin server and password server become
> HA if the machine specified in admin server and password server goes down?

As I remember, you can only have one admin server (and password server?), since Kerberos only supports read-only slaves, unless Microsoft changed something in the protocol.

One idea to make an admin server HA in krb5.conf could be DNS round robin, as far as multiple admin servers are really supported.
Ralf Hornik Mailings wrote:

> Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:
>
>> 4. I can have multiple "kdc =" entries in /etc/krb5.conf, if I need to manually configure
>> /etc/krb5.conf, but only a single "admin server =" and "password server =" line.
>> How does this /etc/krb5.conf entry for admin server and password server become
>> HA if the machine specified in admin server and password server goes down?
>
> As I remember, you can only have one admin server (and password server?), since
> Kerberos only supports read-only slaves, unless Microsoft changed something in
> the protocol.
>
> One idea to make an admin server HA in krb5.conf could be DNS round robin, as
> far as multiple admin servers are really supported.

Hi Ralf,

Do the other points (#1 - #3) mentioned in my mail hold true, or is there still some confusion on my side?

Thanks,
Rajesh
Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:

>> One idea to make an admin server HA in krb5.conf could be DNS round
>> robin, as far as multiple admin servers are really supported.
>>
> Do the other points (#1 - #3) mentioned in my mail hold true, or is there still
> some confusion on my side?

Regarding

http://www.informit.com/guides/content.aspx?g=security&seqNum=37

Kerberos libs should use NSS (name service switch), but you can easily figure it out by trying. ;-)

When you have a working DNS with SRV records pointing to your KDC, you can simply move your krb5.conf away and try a kinit to get credentials. This should work when using DNS.

However, you also might want to add some entries to nsswitch.conf like

    rpc: files dns
    services: files dns

or something...
Hi Ralf,

Thanks for the help. But I was asking if all 4 points mentioned in my mail are correct or not, like what if SRV records are not present, etc., then what should go in krb5.conf and smb.conf?

Thanks,
Rajesh

Ralf Hornik Mailings wrote:

> Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:
>
>>> One idea to make an admin server HA in krb5.conf could be DNS round
>>> robin, as far as multiple admin servers are really supported.
>>>
>> Do the other points (#1 - #3) mentioned in my mail hold true, or is there
>> still some confusion on my side?
>
> Regarding
>
> http://www.informit.com/guides/content.aspx?g=security&seqNum=37
>
> Kerberos libs should use NSS (name service switch), but you can easily
> figure it out by trying. ;-)
>
> When you have a working DNS with SRV records pointing to your KDC,
> you can simply move your krb5.conf away and try a kinit to get credentials.
> This should work when using DNS.
>
> However, you also might want to add some entries to nsswitch.conf like
>
>     rpc: files dns
>     services: files dns
>
> or something...
Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:

> Hi Ralf,
> Thanks for the help. But I was asking if all 4 points mentioned in my mail
> are correct or not, like what if SRV records are not present, etc., then what
> should go in krb5.conf and smb.conf?

I'm not clear what you are asking for. All points 1 - 3 are true.

Points 1 and 3. Have you got a working DNS? So getting Kerberos credentials works without any krb5.conf (tested 1 minute before). (You only have to attach the Kerberos realm when running kinit, e.g. "kinit user@REALM.ORG".)

If not, you have to set krb5.conf like:

    [libdefaults]
        default_realm = REALM.ORG

    [realms]
        REALM.ORG = {
            kdc = master.realm.org:88
            kdc = slave.realm.org:88
            admin_server = master.realm.org:749
            default_domain = realm.org
        }

    [domain_realm]
        .realm.org = REALM.ORG
        realm.org = REALM.ORG

Point 2. This is self-explanatory and correct.
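Ralf's checklist (DNS SRV records first, the manual [realms] stanza only as a fallback with several kdc lines but one admin_server, and the smb.conf "password server" line from point 2) as an added Python example; this is not code from the thread, from Samba or from MIT krb5. It reuses the REALM.ORG hostnames from Ralf's stanza and a constructed SRV answer set in place of a live DNS lookup; the `_kerberos._udp` and `_kerberos-adm._tcp` names are the ones MIT krb5 queries for KDC and admin server.

```python
"""Decide whether this host needs manual [realms] entries in /etc/krb5.conf:
MIT krb5 finds KDCs through the SRV names below when DNS publishes them, and
only when they are absent must the stanza from Ralf's example be written."""

REALM = "REALM.ORG"  # hypothetical realm taken from the thread's example

# Constructed SRV answers standing in for a real DNS lookup. Keys are the names
# MIT krb5 queries; values mimic an RRset: (priority, weight, port, target).
CONSTRUCTED_SRV = {
    f"_kerberos._udp.{REALM}": [(0, 100, 88, "master.realm.org"),
                               (10, 100, 88, "slave.realm.org")],
    f"_kerberos-adm._tcp.{REALM}": [(0, 100, 749, "master.realm.org")],
}

def ordered_targets(rrset):
    """Order SRV targets as a client does: lowest priority first, then higher
    weight first within a priority. Returns 'host:port' strings."""
    ranked = sorted(rrset, key=lambda r: (r[0], -r[1]))
    return [f"{host}:{port}" for _, _, port, host in ranked]

def discover(srv, realm):
    """Return (kdcs, admin_servers) advertised in DNS; empty lists if none."""
    return (ordered_targets(srv.get(f"_kerberos._udp.{realm}", [])),
            ordered_targets(srv.get(f"_kerberos-adm._tcp.{realm}", [])))

def render_krb5_conf(realm, kdcs, admin_server):
    """Render the fallback stanza: any number of kdc lines, one admin_server."""
    domain = realm.lower()
    lines = ["[libdefaults]", f"\tdefault_realm = {realm}", "",
             "[realms]", f"\t{realm} = {{"]
    lines += [f"\t\tkdc = {k}" for k in kdcs]
    lines += [f"\t\tadmin_server = {admin_server}",
              f"\t\tdefault_domain = {domain}", "\t}", "", "[domain_realm]",
              f"\t.{domain} = {realm}", f"\t{domain} = {realm}"]
    return "\n".join(lines) + "\n"

def smb_password_server(kdcs, srv_present):
    """smb.conf line from point 2: '*' lets Samba use SRV, else list the DCs."""
    hosts = " ".join(k.split(":")[0] for k in kdcs)
    return "password server = " + ("*" if srv_present else hosts)

def plan(srv, realm, fallback_kdcs, fallback_admin):
    """('dns', None) when DNS suffices, else ('manual', krb5.conf text)."""
    kdcs, _admins = discover(srv, realm)
    if kdcs:
        return "dns", None
    return "manual", render_krb5_conf(realm, fallback_kdcs, fallback_admin)
```

Point the realm at an empty SRV set to see the manual stanza; with the constructed records present, `plan` reports that DNS alone is enough, which is Ralf's "move your krb5.conf and try kinit" test in code.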
On Tue, Dec 15, 2009 at 4:48 AM, Rajesh Ghanekar <rajesh_ghanekar at symantec.com> wrote:

> Hi All,
> I am using samba-3.2.11-0.1.145 in my setup. I have multiple domain controllers
> for a domain. I am confused about whether I need to edit /etc/krb5.conf or not. I am
> using MIT Kerberos (krb5-1.4.3-19.34) on SLES10.
>
> Here is what I got from the Samba HOWTO:
>
> 1. Adding entries in /etc/krb5.conf for "kdc =", "admin server =" and
> "password server =" is only necessary if SRV records are not in the DNS server.
> If SRV records are there, there is no need to configure /etc/krb5.conf.
>
> 2. /etc/samba/smb.conf should contain the list of domain controllers in the
> "password server =" line (space separated), or it can contain *, which will get
> the list from DNS SRV records.
>
> 3. If SRV records are not present (maybe I migrated my DNS server to a Linux
> box), then I need to manually enter the "kdc =", etc. lines in /etc/krb5.conf.

Why not put the SRV records into your own Linux DNS?

> 4. I can have multiple "kdc =" entries in /etc/krb5.conf, if I need to
> manually configure /etc/krb5.conf, but only a single "admin server =" and
> "password server =" line.
> How does this /etc/krb5.conf entry for admin server and password server
> become HA if the machine specified in admin server and password server goes down?
>
> Any help appreciated.
>
> Thanks,
> Rajesh