Friday, August 3, 2018

Active Directory: Server 2008 and RHEL 5.10

Apologies if this is a re-post. I've been googling and researching the topic for over three weeks now, and I've come up against the same problem over and over again and haven't managed to get around it.

Disclaimer: I am not a sysadmin, although I have been forced into the position at work.
I've been tasked to implement an Active Directory (on Server 2008) config for our environment containing Windows XP, Windows 7, Server 2003, Server 2008, Server 2008 R2 and Red Hat Enterprise 5.10 boxes.
Easy enough. Get a quick guide online, set up a test VM server, connect my Win7 client to my new AD. Works.

Repeat but try to connect a RHEL 5.10 VM to the AD? No dice.

I've followed about 3 different 'guides' on how to set up Linux to connect to AD.
The more thorough one would be: Authenticating UNIX/Linux to Windows 2008R2
Specifically, the RHEL setup: Part 3 : RHEL 5.6
Listed plan of attack:

  1. Get ldapsearch working with simple bind, unencrypted

  2. Configure LDAP

  3. Verify LDAP works with getent(1), id(1), etc.

  4. Export the Root CA cert from Windows to UNIX

  5. Check the CA cert works with OpenSSL

  6. Import the CA cert

  7. Get LDAPS working with ldapsearch

  8. Change LDAP to use LDAPS rather than LDAP

  9. Verify Kerberos works: initially, without a host principal (krb5.keytab)

  10. Configure PAM to use Kerberos (edit /etc/pam.conf)

  11. Verify that services like login can use kerberised IDs and that the password works

  12. Create a host principal keytab in Windows. Import it into UNIX.

  13. Verify that kinit -k works

  14. Edit /etc/krb5/krb5.conf to include "verify_ap_req_nofail = true" in the [libdefaults] section. This will secure the UNIX box by proving it is talking with the bona fide KDC.

  15. Get Single-Sign-On working

Followed the steps word for word, changing IPs and hostnames to match my test environment.
One exception was made:

C:\>ktpass /princ host/rhel5host1.example.com@EXAMPLE.COM \
/ptype KRB5_NT_PRINCIPAL /out C:\temp\rhel5host1.keytab /pass mypass \
/crypto AES256-SHA1 /mapuser EXAMPLE\rhel5host1

Got the error message: getting target domain for specified user.

C:\>ktpass /princ host/rhel5host1.example.com@EXAMPLE.COM \
/ptype KRB5_NT_PRINCIPAL /out C:\temp\rhel5host1.keytab /pass mypass \
/crypto AES256-SHA1 /mapuser EXAMPLE\rhel5host1$

Specifying the machine account with the dollar sign, ktpass runs through without error.

Everything works 100% up until we test Kerberos:

[root@rhelad ~]# kinit -k

kinit(v5): Client not found in Kerberos database while getting initial credentials

OK, google the error and we get:

Your kerberos principal may differ from your username on your local system.

credentials krb5_get_init_creds_password() failed: Client not found in Kerberos database. Make sure that you're typing in the right name and the server has the right name (double check the account tab of the user, especially the realm)

So I checked and fiddled and googled and I've come up with nothing. As far as I can tell the config on RHEL is correct, and I've got the computer and user accounts created on the AD, no problem.

My assumption here is that I've configured RHEL correctly, but messed up somewhere in creating the RHEL-based clients' setup on AD. Yes, I have enabled and configured the UNIX attributes, so it's not that.

Could someone please point me to / show me the correct steps to add and config UNIX computers and users on AD? I'd be happy to 'dump' configs, if it's so desired.
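One thing worth checking on the Linux side before going back to AD is whether the keytab actually holds the principal that kinit -k will ask for. With no argument, MIT kinit -k uses host/<this host's FQDN>@<default_realm from krb5.conf>, and that name has to match the keytab entry character for character (Kerberos names are case-sensitive), and the KDC must know an account for exactly that name. The script below is an added example, not code from the post or from the guide it follows: it parses klist -kt output and a krb5.conf, builds the expected host principal and reports whether the keytab contains it. The klist listing and krb5.conf it runs against are constructed samples using the names from the post; the second call, with rhelad.example.com, is a hypothetical mismatch that exercises the failing path.

```shell
#!/bin/sh
# Added example (not from the original post): check that the keytab holds the
# principal kinit -k will use, i.e. host/<fqdn>@<default_realm>.
# Assumes MIT Kerberos "klist -kt" output (principal in the last column) and a
# krb5.conf with a "default_realm = ..." line under [libdefaults].

# Print the unique principals from a "klist -kt" listing read on stdin.
# Data rows start with a numeric KVNO; header and separator rows do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Read default_realm from a krb5.conf-style file given as $1.
default_realm() {
    awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Build the principal name kinit -k looks up by default: host/<fqdn>@<REALM>.
expected_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# check_host_principal <klist listing file> <fqdn> <realm>
# Returns 0 when the expected principal is in the keytab listing, 1 otherwise,
# and points out a case-only mismatch, a frequent cause of lookup failures.
check_host_principal() {
    listing=$1; fqdn=$2; realm=$3
    want=$(expected_principal "$fqdn" "$realm")
    if keytab_principals < "$listing" | grep -qxF "$want"; then
        echo "ok: keytab contains $want"
        return 0
    fi
    echo "missing: $want is not in the keytab; entries found:" >&2
    keytab_principals < "$listing" >&2
    if keytab_principals < "$listing" | grep -qixF "$want"; then
        echo "hint: an entry differs only in case; Kerberos names are case-sensitive" >&2
    fi
    return 1
}

# Constructed sample inputs (not real output from the poster's system).
SAMPLE_KLIST=$(mktemp)
SAMPLE_KRB5=$(mktemp)
trap 'rm -f "$SAMPLE_KLIST" "$SAMPLE_KRB5"' EXIT
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/03/18 10:00:00 host/rhel5host1.example.com@EXAMPLE.COM
EOF
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
EOF

# On a live box the equivalent would be:
#   klist -kt > /tmp/keytab.txt
#   check_host_principal /tmp/keytab.txt "$(hostname -f)" "$(default_realm /etc/krb5.conf)"
REALM=$(default_realm "$SAMPLE_KRB5")
check_host_principal "$SAMPLE_KLIST" rhel5host1.example.com "$REALM"
# Hypothetical mismatch: the machine's FQDN is not the one in the keytab.
check_host_principal "$SAMPLE_KLIST" rhelad.example.com "$REALM" || true
```

If this check passes and kinit -k still reports "Client not found in Kerberos database", the keytab side is consistent and the name the KDC is being asked for is the one to compare against the account ktpass mapped it to.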
