Slackware: This Forum is for the discussion of Slackware Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Considering that Slackware has included the Samba 4.x series for a good while now, which, at least in AD domain mode, makes use of Kerberos, which in turn needs krb5 to be managed - would there be any chance of the krb5 package making its way into Slackware?
I confess to knowing very little about Kerberos and where it fits into the scheme of things - but I am in the middle of trying to configure Samba as an Active Directory Domain Controller on Slackware. Samba appears to be using Kerberos in this operating mode, and the krb5 package provides some Kerberos management tools - such as klist, kpasswd, etc. Or maybe Samba can be configured as an AD DC without Kerberos?
From what I understand (and I actually use Samba with Windows domains), the Samba developers seem to have suggested using the internal Kerberos implementation that comes with the Samba source for domain functionality. That is Heimdal, and I repeat that a (patched, IIRC) version is included in the Samba source.
From here http://mirrors.slackware.com/slackwa...mba.SlackBuild and here http://mirrors.slackware.com/slackwa...mba.SlackBuild we can see that the included Heimdal implementation is disabled. That means that the domain services that rely on Kerberos will not work out of the box. You need to rebuild Samba with Kerberos support to use Samba with Kerberos.
That is going to be one of the following options:
1. Internal Heimdal implementation. I use this for Windows domains. I rebuilt using the original samba.SlackBuild after enabling --builtin-libraries=heimdal. There is a comment there that the builtin Heimdal gives errors, but I haven't found any errors so far using Samba with Windows domains. On the contrary, I have problems joining a domain as well as provisioning the domain without it. I have been using Samba like this with Slackware releases 14.0, 14.1 and 14.2. After enabling "--builtin-libraries=heimdal", provisioning a domain works fine, and Samba and Windows servers can join the domain and work fine. Generally, after enabling this switch the official documentation about domain functionality from samba.org can be followed with minor changes and works as expected. For example, I can provision a domain and it will work fine following this: https://wiki.samba.org/index.php/Set...ain_Controller The main drawback is that you will not have the utilities klist and kinit available on the domain controller itself. If it's a standalone server that is used only for providing domain services, this is not a big problem. Other Unix servers can use MIT krb5 for accessing Kerberos services on the DC, but for a full domain join they would need Samba with internal Heimdal.
2. MIT krb5. Samba's internal Heimdal uses a different database format for some things, and MIT krb5 compatibility was an ongoing task, but I haven't checked very recently. To test this, use the krb5.SlackBuild from slackbuilds.org and then rebuild Samba; I think it will pick up krb5 automatically. Be sure to check the compatibility status. When I tried it (with Slackware 14.0), the domain seemed to work initially, but it had strange problems, which I can't now recall.
3. Another, third option would be using the standalone Heimdal from the original Heimdal Kerberos source code, but I haven't found anything on the subject anywhere. I don't know if and how patched the internal Samba Heimdal sources are. But this would be a more complete solution, since it would have the missing Kerberos tools (kinit, klist, etc.).
Last edited by ninikos; 04-19-2017 at 08:44 AM.
Reason: Additional comments
Thank you kindly @ninikos for the detailed reply. Now I am slightly more confused than before because:
1. I have a (Slack) stock Samba 4.5.0 on a Slackware64 -current.
2. I have managed to provision an AD domain and turn it into a domain controller.
3. As per Samba.org instructions, I have linked the default generated /var/lib/samba/private/krb5.conf to /etc/krb5.conf
4. I have joined Windows 10 Pro machines to the domain without any errors.
5. I ran the tests from Samba website to test that the domain is working correctly, and they all worked out fine so far.
I only hit the need to install krb5 from SBo when some of the more detailed tests from Samba.org make use of Kerberos utilities (e.g. klist). Frankly, the installation of krb5 from SBo has been painless and it doesn't have any dependencies - so I can't complain.
But now, reading your post above, I can't figure out how I managed to configure Samba as an AD DC, if it's supposed to have Kerberos support disabled in Slackware. I didn't touch or recompile Samba in any way, and only installed the krb5 package after the AD DC was configured and working fine.
My personal experience is that there are errors coming up in the logs after I provision the domain. Check the /var/log/samba directory for logs. I assume you start Samba as root after provisioning by simply running 'samba' on the command line. I upgraded the official Samba recently (there was an update) on a test machine, and without the internal Heimdal I got these in the logs on the DC:
Could not write result
Unable to convert first SID (S-.. ) in a user token to a UID
Also be sure to check the Windows logs and test if it will work after some days. At least that's my personal experience. I got strange problems, like Win 7 clients losing the domain. Logins would still work, but there are logon caches involved and problems may show up later; usually there are strange logs involving Kerberos. Be sure to check the Windows server logs after using the DC for some days. Also you should test to see if the Windows RSAT (or equivalent) tools work as they should. This was another error I got without having any Kerberos at all. Since I assume you need it for Windows, check the group policy editor, domain users and groups, and import the default group policy templates, create one based on one of them and apply it to a group. Then check the Windows machines' registries after joining the domain to see if the settings propagate correctly. Check for any warnings or errors in the logs during a full reboot cycle. Check all these again for some days.
the integrated LDAP server as AD back end. For details, see the frequently asked question (FAQ) Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
the Heimdal Kerberos key distribution center (KDC). The AD-compatible Heimdal KDC is included in Samba and automatically installed.
Another gotcha that I use and forgot to mention is NTP. For Kerberos to work properly, the clocks need to be synchronized. By default Windows will try to use the DC as the clock source when they join the domain. If you want to use the DC as the NTP server you need to follow this: https://wiki.samba.org/index.php/Time_Synchronisation
What needs to be done for Slackware is to recompile the ntp package with the configuration option --enable-ntp-signd added in the ntp.SlackBuild.
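As an added example (not code from this thread, from Slackware or from Samba), the following script ties together the two post-provision checks ninikos describes above: scanning /var/log/samba for the "Could not write result" and "Unable to convert first SID" lines that appear when Samba lacks Kerberos/Heimdal support, and confirming that ntp.conf on the DC carries the signed-time directives that an ntpd rebuilt with --enable-ntp-signd needs (ntpsigndsocket plus the mssntp restrict flag, as described on the Samba wiki page linked above). The ntp_signd socket directory /var/lib/samba/ntp_signd and the /etc/ntp.conf path are assumptions, not values given in the thread; the log lines the test feeds it are constructed samples.

```shell
#!/bin/sh
# Added example; not code from the thread, from Slackware or from Samba.
# Post-provision health check for a Samba AD DC: (1) count the two log
# symptoms reported in the thread for a Samba built without Heimdal, and
# (2) verify ntpd is configured for signed replies to domain members, since
# clock drift breaks Kerberos ticket validation.
# Assumptions (not stated in the thread): the ntp_signd socket directory is
# /var/lib/samba/ntp_signd and ntp.conf lives at /etc/ntp.conf.

SAMBA_LOGDIR="${SAMBA_LOGDIR:-/var/log/samba}"
NTP_CONF="${NTP_CONF:-/etc/ntp.conf}"
NTP_SIGND_DIR="${NTP_SIGND_DIR:-/var/lib/samba/ntp_signd}"

# Count lines matching a fixed-string pattern across the given files.
# Always prints a number (0 when nothing matches or the files are absent).
count_pattern() {
    pattern="$1"; shift
    n=$(cat "$@" 2>/dev/null | grep -cF -- "$pattern" || true)
    echo "${n:-0}"
}

# Summarise the two symptoms quoted in the thread over a log directory.
# Prints "sid=<n> write=<n>" so another script can parse it.
check_dc_logs() {
    dir="$1"
    sid=$(count_pattern 'Unable to convert first SID' "$dir"/*)
    write=$(count_pattern 'Could not write result' "$dir"/*)
    echo "sid=$sid write=$write"
}

# Emit the ntp.conf fragment for an ntpd rebuilt with --enable-ntp-signd:
# ntpd passes domain members' requests to Samba's ntp_signd socket, and
# the mssntp restrict flag turns on signed replies for them.
ntp_signd_fragment() {
    cat <<EOF
# Samba AD DC: signed NTP replies for domain members
ntpsigndsocket $1
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
EOF
}

# Return 0 when an ntp.conf already carries both directives, 1 otherwise.
ntp_conf_has_signd() {
    grep -q '^[[:space:]]*ntpsigndsocket[[:space:]]' "$1" 2>/dev/null &&
    grep -q '^[[:space:]]*restrict[[:space:]].*mssntp' "$1" 2>/dev/null
}

# Overall verdict: returns 0 when clean, 1 when something needs attention.
dc_healthcheck() {
    logdir="$1"; ntpconf="$2"
    rc=0
    summary=$(check_dc_logs "$logdir")
    case "$summary" in
        "sid=0 write=0") echo "logs: ok" ;;
        *) echo "logs: $summary (Samba built without Heimdal/Kerberos support?)"; rc=1 ;;
    esac
    if ntp_conf_has_signd "$ntpconf"; then
        echo "ntp: signd configured"
    else
        echo "ntp: no ntpsigndsocket/mssntp in $ntpconf; suggested fragment:"
        ntp_signd_fragment "$NTP_SIGND_DIR"
        rc=1
    fi
    return $rc
}

# Only touch the real system when asked to (./dc_healthcheck.sh --run).
if [ "${1:-}" = "--run" ]; then
    dc_healthcheck "$SAMBA_LOGDIR" "$NTP_CONF"
fi
```

Run it with --run on the DC after provisioning and again a few days later, as the post suggests; a non-zero exit means either the Samba log symptoms are present or ntp.conf still lacks the signd directives, and the printed fragment is what to add once the rebuilt ntp package is installed.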
after installing the krb5 package (to gain the klist, kinit etc. utilities) - but with the stock Samba - and all the tests run fine. That seems to suggest that the stock Samba in Slackware includes Kerberos support, I guess.