From: Ralf Hornik Mailings on
Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:

> 4. I can have multiple "kdc = " entries in /etc/krb5.conf, if I need
> to manually configure
> /etc/krb5.conf, but only single "admin server =" and "password
> server =" line.
> How does this /etc/krb5.conf entry for admin server and password
> server becomes
> HA if the machine specified in admin server and password server goes down?

As I remember, you can only have one admin server (and password
server?), since kerberos only supports read-only slaves, unless
Microsoft changed something in the protocol.

One idea to make the admin server HA in krb5.conf could be DNS round
robin, as far as multiple admin servers are really supported.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Rajesh Ghanekar on
Ralf Hornik Mailings wrote:
> Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:
>
>> 4. I can have multiple "kdc = " entries in /etc/krb5.conf, if I need
>> to manually configure
>> /etc/krb5.conf, but only single "admin server =" and "password server
>> =" line.
>> How does this /etc/krb5.conf entry for admin server and password
>> server becomes
>> HA if the machine specified in admin server and password server goes
>> down?
>
> As I remember, you can only have one admin server (and password
> server?), since kerberos only supports read-only slaves, unless
> Microsoft changed something in the protocol.
>
> One idea to make the admin server HA in krb5.conf could be DNS round
> robin, as far as multiple admin servers are really supported.
>
>
Hi Ralf,
Do the other points (#1 - #3) mentioned in my mail hold true, or is
there still some confusion on my side?

Thanks,
Rajesh

From: Ralf Hornik Mailings on
Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:

>> One idea to make the admin server HA in krb5.conf could be DNS round
>> robin, as far as multiple admin servers are really supported.
>>
> Do the other points (#1 - #3) mentioned in my mail hold true, or is
> there still some confusion on my side?

Regarding

http://www.informit.com/guides/content.aspx?g=security&seqNum=37

Kerberos libs should use NSS (name service switch), but you can easily
figure it out by trying. ;-)

When you have a working DNS with SRV records pointing to your KDC,
you can simply move your krb5.conf and try a kinit to get credentials.
This should work when using DNS.

However, you also might want to add some entries to nsswitch.conf like

rpc: files dns
services: files dns

or something...


From: Rajesh Ghanekar on
Hi Ralf,
Thanks for the help. But I was asking whether all 4 points mentioned in my
mail are correct or not, e.g. what if SRV records are not present, etc.;
then what should go in krb5.conf and smb.conf?


Thanks,
Rajesh

Ralf Hornik Mailings wrote:
> Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:
>
>>> One idea to make the admin server HA in krb5.conf could be DNS round
>>> robin, as far as multiple admin servers are really supported.
>>>
>> Do the other points (#1 - #3) mentioned in my mail hold true, or is
>> there still some confusion on my side?
>
> Regarding
>
> http://www.informit.com/guides/content.aspx?g=security&seqNum=37
>
> Kerberos libs should use NSS (name service switch), but you can easily
> figure it out by trying. ;-)
>
> When you have a working DNS with SRV records pointing to your KDC,
> you can simply move your krb5.conf and try a kinit to get credentials.
> This should work when using DNS.
>
> However, you also might want to add some entries to nsswitch.conf like
>
> rpc: files dns
> services: files dns
>
> or something...
>
>


From: Ralf Hornik Mailings on
Rajesh Ghanekar <rajesh_ghanekar(a)symantec.com> wrote:

> Hi Ralf,
> Thanks for the help. But I was asking whether all 4 points mentioned in my
> mail are correct or not, e.g. what if SRV records are not present, etc.;
> then what should go in krb5.conf and smb.conf?

I'm not clear what you are asking for. All points 1 - 3 are true.

Points 1 and 3. Have you got a working DNS? If so, getting Kerberos
credentials works without any krb5.conf (tested 1 minute before). (You
only have to attach the Kerberos realm when running kinit, e.g. "kinit
user(a)REALM.ORG".)

If not, you have to set up krb5.conf like:

[libdefaults]
    default_realm = REALM.ORG

[realms]
    REALM.ORG = {
        # several kdc lines are allowed; clients try them in order
        kdc = master.realm.org:88
        kdc = slave.realm.org:88
        # kadmin/kpasswd must reach the master (writable) KDC
        admin_server = master.realm.org:749
        default_domain = realm.org
    }

[domain_realm]
    .realm.org = REALM.ORG
    realm.org = REALM.ORG

Point 2. This is self-explanatory and correct.




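The two replies above (SRV-based discovery with no krb5.conf, and the static [realms] stanza when DNS is not available) describe the same information in two places. The script below is an added example written for this page, not code from the thread or from the Samba or MIT krb5 projects. It lists the SRV owner names an MIT-style Kerberos client queries for a realm, resolves a constructed set of SRV answers (no real DNS is contacted) into the equivalent krb5.conf [realms] entry, and reports which roles end up on a single host, which is exactly the HA question asked about admin_server. The hostnames master.realm.org and slave.realm.org and the SRV answers are constructed sample data.

```python
"""Map Kerberos DNS SRV discovery onto a static krb5.conf [realms] stanza.

Added example, not part of the original thread. SRV label names follow the
MIT krb5 DNS lookup conventions; all SRV answers below are constructed.
"""

# SRV labels MIT krb5 queries, keyed by the krb5.conf [realms] setting
# that the answer would correspond to.
SRV_LABELS = {
    "kdc": ("_kerberos._udp", "_kerberos._tcp"),
    "master_kdc": ("_kerberos-master._udp",),
    "admin_server": ("_kerberos-adm._tcp",),
    "kpasswd_server": ("_kpasswd._udp",),
}

# Constructed SRV answers: owner name -> [(priority, weight, port, target)].
# Two KDCs are published, but admin/kpasswd point only at the master,
# because only the master KDC has a writable database.
SAMPLE_SRV = {
    "_kerberos._udp.REALM.ORG.": [(0, 100, 88, "master.realm.org."),
                                  (10, 100, 88, "slave.realm.org.")],
    "_kerberos._tcp.REALM.ORG.": [(0, 100, 88, "master.realm.org."),
                                  (10, 100, 88, "slave.realm.org.")],
    "_kerberos-master._udp.REALM.ORG.": [(0, 0, 88, "master.realm.org.")],
    "_kerberos-adm._tcp.REALM.ORG.": [(0, 0, 749, "master.realm.org.")],
    "_kpasswd._udp.REALM.ORG.": [(0, 0, 464, "master.realm.org.")],
}


def srv_names(realm):
    """Return {role: [owner name, ...]} of the SRV records queried for realm.

    The realm is used as-is (case preserved), as the Kerberos libraries do.
    """
    return {role: [f"{label}.{realm}." for label in labels]
            for role, labels in SRV_LABELS.items()}


def resolve_role(realm, role, answers):
    """Collect host:port targets for one role across its SRV names.

    Records are ordered by priority, then descending weight, and the same
    host:port is listed once even if it appears under both _udp and _tcp.
    """
    seen, result = set(), []
    for name in srv_names(realm)[role]:
        records = sorted(answers.get(name, []), key=lambda r: (r[0], -r[1]))
        for _prio, _weight, port, target in records:
            hostport = f"{target.rstrip('.')}:{port}"
            if hostport not in seen:
                seen.add(hostport)
                result.append(hostport)
    return result


def realm_stanza(realm, answers):
    """Render the [realms] entry a static krb5.conf would need to match DNS."""
    lines = [f"{realm} = {{"]
    for role in SRV_LABELS:
        lines += [f"    {role} = {hp}" for hp in resolve_role(realm, role, answers)]
    lines.append("}")
    return "\n".join(lines)


def single_points_of_failure(realm, answers):
    """Roles that resolve to fewer than two distinct hosts.

    A role listed here (empty or one host) is lost when that host goes down;
    this is the admin_server situation discussed in the thread.
    """
    spof = []
    for role in SRV_LABELS:
        hosts = {hp.rsplit(":", 1)[0] for hp in resolve_role(realm, role, answers)}
        if len(hosts) < 2:
            spof.append(role)
    return spof


if __name__ == "__main__":
    realm = "REALM.ORG"
    print("SRV names queried:")
    for role, names in srv_names(realm).items():
        print(f"  {role:15} {', '.join(names)}")
    print("\nEquivalent krb5.conf [realms] entry:")
    print(realm_stanza(realm, SAMPLE_SRV))
    print("\nRoles depending on a single host:",
          ", ".join(single_points_of_failure(realm, SAMPLE_SRV)))
```

To check a live realm instead of the constructed data, query the same owner names with dig (for example `dig SRV _kerberos._udp.REALM.ORG`) and feed the answers into SAMPLE_SRV; the stanza printed should then match the one you would write by hand when DNS is unavailable.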