On a DC (in a Windows AD domain), I have used the setspn command to create two new HTTP SPNs for a Linux box.
The Linux box is a RHEL 5.5 one.
It has been joined to the domain via configuring the smb.conf and then I had generated a new krb5.keytab after configuring Kerberos.
You can log in to the server with an AD account (though I did have to set up the account locally for it to work. That way, when you enter the AD credentials you then get passed to the local account settings - is that right...or should it just work? - other users trying to access the box are recognised but are offered the option of creating a home drive and then their account is "locked out" from the local Linux box, unless you add them locally).
The server is a web server and uses an application-specific httpd and httpd.conf.
Users on the AD domain are authenticating OK via IE to the Linux box a fair amount of the time, but they get authentication issues at intermittent times. The most common issue is with authentication during login, and then very occasionally when trying to click on a link on the site when they have been logged in successfully and browsing for some time...
After using Wireshark, I deduced that every time a user logs in from an XP machine via IE, the Linux box sees this and acknowledges them then immediately grants them access...or sees them but then takes about 3 minutes apparently doing nothing (can't see anything useful in the logs) and then throws a message back to the user telling them their authentication failed despite the fact that the password was correct...
As part of my troubleshooting process, I had noticed that the krb5.keytab was missing some expected SPNs. I have re-generated the keytab with the net ads http keytab add command and some of them appeared...however, the server has been set up in DNS to forward to an alias and there are no SPNs for that alias...
I was trying to experiment and see what would happen if I set up some HTTP SPNs for the alias in case the authentication issues were something to do with that...
...I set up the relevant SPNs on the relevant DC and when you do setspn -L server name you can see that they now appear.
...however, when you re-generate the keytab via the net ads http keytab add on the Linux box, the new SPNs still don't appear (I've waited about an hour in case it was replication)...
Could anyone advise? If that doesn't make sense, please fire away with questions and I'll try to explain further!
Also, if anyone could assist with the rest of my trouble-shooting (as to why there is such dodgy authentication) that would be an added bonus!
Things I've checked:
NTP settings - all OK.
When you do a kinit "username" it is fine, but when you do kinit -k -t /etc/krb5.keytab it comes up with:
kinit(v5): client not found in kerberos database while getting initial credentials
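
A check for the situation described in the post above, where SPNs that show up in setspn -L are absent from /etc/krb5.keytab. This is an added example, not part of the original post; the host names, the realm and the sample `klist -k` listing are constructed placeholders, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare the SPNs you expect (host name and DNS alias)
# against what a keytab actually contains.
# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT Kerberos layout).
# A principal is normally listed once per encryption type, hence the repeats.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM
   3 host/web01.example.com@EXAMPLE.COM
   3 HTTP/web01.example.com@EXAMPLE.COM
   3 HTTP/web01.example.com@EXAMPLE.COM
   3 HTTP/web01@EXAMPLE.COM'

# Read a `klist -k` listing on stdin and print the unique principals.
# Only rows that start with a numeric KVNO are entries; headers are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# missing_spns LISTING REALM SPN...
# Prints every expected SPN with no exact SPN@REALM entry in the listing.
# The comparison is case-sensitive. Exit status is 0 when nothing is missing.
missing_spns() (
    listing=$1; realm=$2; shift 2
    have=$(printf '%s\n' "$listing" | keytab_principals)
    rc=0
    for spn in "$@"; do
        if ! printf '%s\n' "$have" | grep -Fxq -- "${spn}@${realm}"; then
            printf '%s\n' "$spn"
            rc=1
        fi
    done
    exit "$rc"
)

# Demo on the constructed listing: web01 is the host, www is the DNS alias.
# On a real system, pass "$(klist -k /etc/krb5.keytab)" as the first argument.
echo "SPNs missing from keytab:"
missing_spns "$SAMPLE_KLIST" EXAMPLE.COM \
    HTTP/web01.example.com HTTP/web01 HTTP/www.example.com HTTP/www || true
```
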