Linux authenticating on AD via Kerberos
Fábio Augusto
fabiomirmar at gmail.com
Wed Jul 12 17:58:38 UTC 2006
Hello There!
I'm trying to configure a Red Hat AS 4 to authenticate via Kerberos on my
Windows 2003 Active Directory.

The solution is very simple: the users are going to be created on the Linux
machine (/etc/passwd) and only the password is going to be read from the
Active Directory.

I have configured the AD and the Windows machines can log on normally into it.

My Linux configuration is based on the Kerberos configuration file
/etc/krb5.conf, which follows:
[administrator at linux ~]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# clockskew = 300
 default_realm = CACDOMAIN.BR.IBM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CACDOMAIN.BR.IBM.COM = {
  kdc = win2k3-vm.cacdomain.br.ibm.com:88
#  admin_server = kerberos.example.com:749
  default_domain = CACDOMAIN.BR.IBM.COM
 }

[domain_realm]
 .CACDOMAIN.BR.IBM.COM = CACDOMAIN.BR.IBM.COM
# example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

I'm using the command "#kinit username" to check that my configuration is
correct before changing the PAM files to define that Linux is going to
search for the password at the Active Directory.

I could check that the password is being read from the Active Directory,
because I have created a user at /etc/passwd named administrator (the same
username exists on the AD) and when I type a wrong password it returns an
error reporting that the password is wrong, and if I try to use a user that
doesn't exist in the AD, it reports that too.

The problem happens when I try to use the correct username/password that
really exists at the Active Directory; then I receive the
following error message:
[administrator at linux ~]$ kinit
Password for administrator at CACDOMAIN.BR.IBM.COM:
kinit(v5): Clock skew too great while getting initial credentials

Reading some reports of the same error on the Internet, I could check that
it means that my AD server clock has a different time
compared to my Linux Kerberos client.

I have checked the time on both machines and it's not so different (just
some seconds of difference):
- On Windows
C:\Documents and Settings\Administrator>time
The current time is: 14:53:22.29
Enter the new time:
- On Linux
[administrator at linux ~]$ date
Wed Jul 12 14:53:53 BRT 2006

Do you have any idea about the problem that can cause this error message to
occur?
Best Regards,
Fabio Martins
--
Fábio Augusto Miranda Martins
E-mail: fabiomirmar at gmail.com
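Kerberos compares timestamps in UTC, not local wall-clock time, so two clocks that read the same hour can still be hours apart if one host's time-zone setting is wrong; the added Python below (not from the post or from Red Hat) takes the two readings quoted above, assumes BRT is UTC-3 and the default clockskew of 300 seconds, and shows the skew first with both hosts in BRT and then under the constructed assumption that the Windows host's clock is actually set to UTC.

```python
from datetime import datetime, timedelta, timezone

# krb5's default tolerance when "clockskew" is not set in [libdefaults].
DEFAULT_CLOCKSKEW = 300

# Constructed sample values: the two wall-clock readings quoted in the post.
# The zone names are dropped so both strings parse with strptime; the UTC
# offset is attached explicitly instead. BRT = UTC-3 is an assumption.
LINUX_LOCAL = "Wed Jul 12 14:53:53 2006"      # `date` on the Linux client
WINDOWS_LOCAL = "2006-07-12 14:53:22.29"      # `time` on the AD server, date prepended
BRT = timezone(timedelta(hours=-3))


def parse_linux_date(text, tz):
    """Parse `date`-style output (zone name removed) and attach a UTC offset."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)


def parse_windows_time(text, tz):
    """Parse a Windows `time` reading (hundredths of a second) with a date prepended."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz)


def skew_seconds(client, kdc):
    """Absolute clock difference in seconds, computed after converting both to UTC."""
    delta = client.astimezone(timezone.utc) - kdc.astimezone(timezone.utc)
    return abs(delta.total_seconds())


def check(windows_tz, clockskew=DEFAULT_CLOCKSKEW):
    """Return (skew_in_seconds, within_limit) for the quoted readings,
    assuming the Windows host's clock is interpreted in windows_tz."""
    client = parse_linux_date(LINUX_LOCAL, BRT)
    kdc = parse_windows_time(WINDOWS_LOCAL, windows_tz)
    skew = skew_seconds(client, kdc)
    return skew, skew <= clockskew


if __name__ == "__main__":
    cases = (("both hosts in BRT", BRT), ("Windows clock set to UTC", timezone.utc))
    for label, tz in cases:
        skew, ok = check(tz)
        verdict = "ok" if ok else "Clock skew too great"
        print(f"{label}: skew {skew:.2f}s -> {verdict}")
```

Comparing `date -u` on the client with the server's time expressed in UTC is the check that matters; matching local hours alone prove nothing if the zone settings differ.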