Linux authenticating on AD via Kerberos

Fábio Augusto fabiomirmar at gmail.com
Wed Jul 12 17:58:38 UTC 2006


Hello There!

I'm trying to configure a Red Hat AS 4 to authenticate via Kerberos on my
Windows 2003 Active Directory.
The solution is very simple: the users are going to be created on the Linux
machine (/etc/passwd) and only the password is going to be read from the
Active Directory.
I have configured the AD and the Windows machines can log on normally into it.
My Linux configuration is based on the kerberos configuration file
/etc/krb5.conf, that follows:

[administrator at linux ~]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# clockskew = 300
 default_realm = CACDOMAIN.BR.IBM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CACDOMAIN.BR.IBM.COM = {
  kdc = win2k3-vm.cacdomain.br.ibm.com:88
#  admin_server = kerberos.example.com:749
  default_domain = CACDOMAIN.BR.IBM.COM
 }

[domain_realm]
# Host/domain names on the left-hand side must be lower case: MIT krb5
# lowercases the hostname before looking it up here, so an upper-case key
# never matches (the original post had it in upper case).
 .cacdomain.br.ibm.com = CACDOMAIN.BR.IBM.COM
# example.com = EXAMPLE.COM

# Only read by a KDC running on this host; harmless but unused on a pure client.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


I'm using the command "#kinit username" to check if my configuration is
correct before changing the pam files to define that the Linux is going to
search for the password at the Active Directory.
I could check that the password is being read from the Active Directory,
because I have created a user at /etc/passwd named administrator (the same
username exists on the AD) and when I type a wrong password it returns an
error reporting that the password is wrong, and if I try to use a user that
doesn't exist in the AD, it reports it too.
The problem happens when I try to use the correct username/password that
really exists at the Active Directory, so I receive the
following error message:

[administrator at linux ~]$ kinit
Password for administrator at CACDOMAIN.BR.IBM.COM:
kinit(v5): Clock skew too great while getting initial credentials


Reading some reports of the same error at the Internet, I could check that
it means that my AD Server clock has a different time
compared to my Linux Kerberos client.
I have checked the time on both machines and it's not so different (just
some seconds of difference):

- On Windows

C:\Documents and Settings\Administrator>time
The current time is: 14:53:22.29
Enter the new time

- On Linux

[administrator at linux ~]$ date
Wed Jul 12 14:53:53 BRT 2006

Do you have any idea about the problem that can cause this error message to
occur?

Best Regards,
Fabio Martins

-- 
Fábio Augusto Miranda Martins
E-mail: fabiomirmar at gmail.com
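A point worth checking before anything else in the post above: Kerberos timestamps on the wire are UTC, so the KDC compares the two clocks after each side has applied its own time-zone offset, not the wall-clock times shown by `time` and `date`. Two machines whose local displays agree to the second can still be hours apart in UTC if one of them has the wrong zone configured (or has its hardware clock interpreted as UTC when it is really local time). The following script is an added example, not part of the original message, and uses the two timestamps from the post (14:53:22.29 on Windows, 14:53:53 BRT on Linux, 12 July 2006) as its sample input. The UTC offsets it assigns to each host are assumptions chosen to illustrate the two cases: both hosts on BRT (UTC-3), and a hypothetical misconfiguration where the Windows host's zone is UTC while its wall clock still reads 14:53.

```python
from datetime import datetime, timedelta, timezone

# Default maximum tolerated skew for MIT krb5 clients and Active Directory (seconds).
MAX_CLOCK_SKEW = 300

# Timestamps copied from the post; the date is the one on the Linux `date` output.
POST_DATE = "2006-07-12"
WINDOWS_TIME = "14:53:22.29"   # output of the Windows `time` command
LINUX_TIME = "14:53:53"        # output of the Linux `date` command (BRT)


def parse_local_time(date_str: str, time_str: str, utc_offset_hours: float) -> datetime:
    """Build an aware datetime from a local date, a local wall-clock time and the
    UTC offset the machine is assumed to be running with."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    # Windows `time` prints hundredths of a second (14:53:22.29); the KDC works
    # at whole-second resolution, so drop the fraction.
    hhmmss = time_str.split(".")[0]
    naive = datetime.strptime(f"{date_str} {hhmmss}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def clock_skew_seconds(a: datetime, b: datetime) -> float:
    """Absolute difference in seconds, computed the way the KDC sees it:
    both sides are converted to UTC before subtracting."""
    delta = a.astimezone(timezone.utc) - b.astimezone(timezone.utc)
    return abs(delta.total_seconds())


def skew_verdict(skew: float, max_skew: int = MAX_CLOCK_SKEW) -> str:
    """Mirror the client-side decision: within tolerance, or the kinit error text."""
    return "ok" if skew <= max_skew else "Clock skew too great"


def analyze(windows_offset_hours: float, linux_offset_hours: float) -> dict:
    """Compare the post's two timestamps under the given (assumed) UTC offsets."""
    win = parse_local_time(POST_DATE, WINDOWS_TIME, windows_offset_hours)
    lin = parse_local_time(POST_DATE, LINUX_TIME, linux_offset_hours)
    skew = clock_skew_seconds(win, lin)
    return {
        "windows_utc": win.astimezone(timezone.utc).isoformat(),
        "linux_utc": lin.astimezone(timezone.utc).isoformat(),
        "skew_seconds": skew,
        "verdict": skew_verdict(skew),
    }


# Case 1 (assumption): both hosts correctly configured for BRT, UTC-3.
# The 31-second difference is well inside the 300-second window.
BOTH_BRT = analyze(windows_offset_hours=-3, linux_offset_hours=-3)

# Case 2 (assumption): the Windows host's zone is set to UTC but its wall clock
# was set by hand to local time. The displays still look 31 s apart, yet in UTC
# the two clocks differ by three hours, which is what the KDC actually compares.
WINDOWS_ZONE_WRONG = analyze(windows_offset_hours=0, linux_offset_hours=-3)


if __name__ == "__main__":
    for label, result in (("both hosts on BRT", BOTH_BRT),
                          ("Windows zone set to UTC", WINDOWS_ZONE_WRONG)):
        print(f"{label}: Windows {result['windows_utc']}  Linux {result['linux_utc']}")
        print(f"  skew = {result['skew_seconds']:.0f} s -> {result['verdict']}")
```

To check the real machines rather than a model of them, compare UTC on both sides: `date -u` on the Linux box, and on the Windows 2003 server the `time` output together with the zone reported by `w32tm /tz`. If the UTC values differ by more than five minutes, the fix is to correct the zone (or the hardware-clock-is-UTC setting) and then sync the Linux host to the domain controller with NTP, not to nudge the wall clocks until they look alike.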



More information about the redhat-list mailing list