Linux authenticating on AD via Kerberos

George Magklaras georgios at ulrik.uio.no
Thu Jul 13 10:55:21 UTC 2006


I would also check your timezones (and daylight savings on the Windows 
side). Also if you have access to a reliable NTP server, you should 
really hook up the RedHat and your kdc box to it. It's a good idea to 
have synced time for all sorts of other reasons, but especially for 
avoiding Kerberos clockskew thresholds. I am not sure what the default 
clockskew is, but you could play with it in the libdefaults section of 
the file if you need.

-- 
George B. Magklaras

Senior Computer Systems Engineer/UNIX Systems Administrator
The Biotechnology Centre of Oslo,
University of Oslo
http://www.biotek.uio.no/

EMBnet Norway: http://www.biotek.uio.no/EMBNET/




Fábio Augusto wrote:
> Hello There!
> 
> I'm trying to configure a Red Hat AS 4 to authenticate via Kerberos on my
> Windows 2003 Active Directory.
> The solution is very simple: the users are going to be created on the Linux
> machine (/etc/passwd) and only the password is going to be read from the
> Active Directory.
> I have configured the AD and the Windows machines can log on normally
> into it.
> My Linux configuration is based on the kerberos configuration file
> /etc/krb5.conf, that follows:
> 
> [administrator at linux ~]$ cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> # clockskew = 300
> default_realm = CACDOMAIN.BR.IBM.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> 
> [realms]
> CACDOMAIN.BR.IBM.COM = {
>  kdc = win2k3-vm.cacdomain.br.ibm.com:88
> #  admin_server = kerberos.example.com:749
>  default_domain = CACDOMAIN.BR.IBM.COM
> }
> 
> [domain_realm]
> .CACDOMAIN.BR.IBM.COM = CACDOMAIN.BR.IBM.COM
> # example.com = EXAMPLE.COM
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
> 
> 
> I'm using the command "#kinit username" to check if my configuration is
> correct before changing the pam files to define that the Linux is going to
> search for the password at the Active Directory.
> I could check that the password is being read from the Active Directory,
> because I have created a user at /etc/passwd named administrator (the same
> username exists on the AD) and when I type a wrong password it returns an
> error reporting that the password is wrong, and if I try to use a user that
> doesn't exist in the AD, it reports it too.
> The problem happens when I try to use the correct username/password that
> really exists at the Active Directory, and I receive the
> following error message:
> 
> [administrator at linux ~]$ kinit
> Password for administrator at CACDOMAIN.BR.IBM.COM:
> kinit(v5): Clock skew too great while getting initial credentials
> 
> 
> Reading some reports of the same error on the Internet, I could check that
> it means that my AD Server clock has a different time
> compared to my Linux Kerberos client.
> I have checked the time on both machines and it's not so different (just
> some seconds of difference):
> 
> - On Windows
> 
> C:\Documents and Settings\Administrator>time
> The current time is: 14:53:22.29
> Enter the new time
> 
> - On Linux
> 
> [administrator at linux ~]$ date
> Wed Jul 12 14:53:53 BRT 2006
> 
> Do you have any idea about the problem that can cause this error message to
> occur?
> 
> Best Regards,
> Fabio Martins
> 
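An added example, not code from either poster, that makes the timezone point in the reply concrete: it reads the effective clockskew from the quoted [libdefaults] (the line is commented out, so MIT Kerberos' documented default of 300 seconds applies) and converts the two wall clocks from the post to UTC under assumed zone offsets, showing that the 31-second difference is harmless while a one-hour timezone or daylight-saving mismatch on the Windows side turns the same wall clocks into a skew far beyond the threshold. The conf excerpt and the offsets are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the [libdefaults] section from the quoted krb5.conf;
# the clockskew line is commented out, so MIT's 300 s default applies.
KRB5_CONF = """[libdefaults]
# clockskew = 300
default_realm = CACDOMAIN.BR.IBM.COM
dns_lookup_kdc = false
"""

DEFAULT_CLOCKSKEW = 300  # seconds; MIT Kerberos default when the key is unset

def libdefaults_clockskew(conf_text: str) -> int:
    """Return the effective clockskew from [libdefaults], ignoring '#' comment lines."""
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[libdefaults]"
            continue
        if in_section:
            m = re.match(r"clockskew\s*=\s*(\d+)", line)
            if m:
                return int(m.group(1))
    return DEFAULT_CLOCKSKEW

def skew_seconds(client_wall: datetime, client_utc_offset_h: float,
                 kdc_wall: datetime, kdc_utc_offset_h: float) -> int:
    """Absolute difference in seconds once both wall clocks are converted to UTC."""
    c = client_wall.replace(tzinfo=timezone(timedelta(hours=client_utc_offset_h)))
    k = kdc_wall.replace(tzinfo=timezone(timedelta(hours=kdc_utc_offset_h)))
    return abs(int((c - k).total_seconds()))

def within_threshold(skew: int, clockskew: int) -> bool:
    return skew <= clockskew

# Wall clocks as printed in the post: Linux 14:53:53 BRT, Windows 14:53:22.29 (fraction dropped).
LINUX_WALL = datetime(2006, 7, 12, 14, 53, 53)
WINDOWS_WALL = datetime(2006, 7, 12, 14, 53, 22)

if __name__ == "__main__":
    limit = libdefaults_clockskew(KRB5_CONF)
    # Both sides really on BRT (UTC-3): 31 s apart, well inside the 300 s limit.
    print(skew_seconds(LINUX_WALL, -3, WINDOWS_WALL, -3), limit)
    # Windows zone/DST one hour off (UTC-2): same wall clocks, 3631 s of real skew.
    print(skew_seconds(LINUX_WALL, -3, WINDOWS_WALL, -2), limit)
```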




More information about the redhat-list mailing list