Comments on: Integrating LDAP and Kerberos: Part One (Kerberos) http://www.linux-mag.com/id/4738/ Open Source, Open Standards Sun, 12 Oct 2008 06:38:01 +0000 http://wordpress.org/?v=2.0.11 by: bsdlogical http://www.linux-mag.com/id/4738/#comment-1472 Thu, 11 Sep 2008 23:44:09 +0000 http://www.linux-mag.com/id/4738/#comment-1472 While following this article (and Part Two), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I've made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I've inadvertently made any mistakes in these comments, please post that as well so others won't be misled. Problems/Comments in Part 1: 1) I had to run sudo dpkg-reconfigure krb5-kdc before starting up the KDC and admin server with /etc/init.d/krb5-admin-server start and /etc/init.d/krb5-kdc start. The answers to the questions in order were: Yes to Create Kerberos KDC configuration automatically, Disable Kerberos v4 compatibility mode, No to run a ticket conversion daemon, and No to purging data when krb5-kdc package is removed. See also #3. 2) There's a significant problem in the example krb5.conf posted above that took me ages to figure out. There's actually an equals sign missing after the default_realm parameter. 3) I also had to set up the database (by running kdb5_util, as well as everything in the Setting up the database section) before starting the KDC and admin server. 4) In Ubuntu, libsasl2-gssapi-mit is no longer available. It's replaced by libsasl2-modules-gssapi-mit. I executed the following: apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules 5) I was not able to login as a principal I just added, even with the PAM configuration correct (under the Testing section). I had to get LDAP up and running first. (continued in Part 2) While following this article (and Part Two), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I’ve made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I’ve inadvertently made any mistakes in these comments, please post that as well so others won’t be misled.

Problems/Comments in Part 1:
1) I had to run sudo dpkg-reconfigure krb5-kdc before starting up the KDC and admin server with /etc/init.d/krb5-admin-server start and /etc/init.d/krb5-kdc start. The answers to the questions in order were: Yes to Create Kerberos KDC configuration automatically, Disable Kerberos v4 compatibility mode, No to run a ticket conversion daemon, and No to purging data when krb5-kdc package is removed. See also #3.
2) There’s a significant problem in the example krb5.conf posted above that took me ages to figure out. There’s actually an equals sign missing after the default_realm parameter.
3) I also had to set up the database (by running kdb5_util, as well as everything in the Setting up the database section) before starting the KDC and admin server.
4) In Ubuntu, libsasl2-gssapi-mit is no longer available. It’s replaced by libsasl2-modules-gssapi-mit. I executed the following: apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules
5) I was not able to login as a principal I just added, even with the PAM configuration correct (under the Testing section). I had to get LDAP up and running first.

(continued in Part 2)

]]> by: leon li http://www.linux-mag.com/id/4738/#comment-793 Sat, 26 Jan 2008 01:47:45 +0000 http://www.linux-mag.com/id/4738/#comment-793 Actually as I know red hat is doing some project freeipa.org I think will integrate DS and kerberos. also it will support migrate from AD to IPA. Cheers Actually as I know red hat is doing some project

freeipa.org I think will integrate DS and kerberos.

also it will support migrate from AD to IPA.

Cheers

]]> by: jbuurman http://www.linux-mag.com/id/4738/#comment-759 Mon, 14 Jan 2008 07:11:50 +0000 http://www.linux-mag.com/id/4738/#comment-759 One-way syncing of AD is also an issue at my work. Love to read something more about that. One-way syncing of AD is also an issue at my work. Love to read something more about that.

]]> by: James Pothering http://www.linux-mag.com/id/4738/#comment-756 Fri, 11 Jan 2008 01:47:27 +0000 http://www.linux-mag.com/id/4738/#comment-756 this is a very relevant article. this is a very relevant article.

]]> by: racerx http://www.linux-mag.com/id/4738/#comment-754 Wed, 09 Jan 2008 21:18:47 +0000 http://www.linux-mag.com/id/4738/#comment-754 Here again - I would love to see someone do an article on one-way syncing from Active Directory to and ldap server. Here again - I would love to see someone do an article on one-way syncing from Active Directory to and ldap server.

]]>