LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 04-19-2017, 05:09 AM   #1
xj25vm
Member
 
Registered: Jun 2008
Posts: 331

Rep: Reputation: 31
krb5 in mainline Slackware?


Considering that Slackware includes Samba 4.x series (for a good while now), which, at least in AD domain mode, makes use of Kerberos, which in turn needs krb5 to be managed - would there be any chance of the krb5 package making its way into Slackware?

P.S. yes, I know it is available at SBo
 
Old 04-19-2017, 05:21 AM   #2
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 3,788

Rep: Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855Reputation: 1855
I have no idea if something has changed but I remember this post...
 
Old 04-19-2017, 05:46 AM   #3
xj25vm
Member
 
Registered: Jun 2008
Posts: 331

Original Poster
Rep: Reputation: 31
I confess to knowing very little about Kerberos and where does it fit into the scheme of things - but I am in the middle of trying to configure Samba as an Active Directory Domain Controller on Slackware. Samba appears to be using Kerberos in this operating mode, and the krb5 package provides some Kerberos management tools - such as klist, kpasswd etc. Or maybe Samba can be configured as an AD DC without Kerberos?
 
Old 04-19-2017, 08:18 AM   #4
ninikos
LQ Newbie
 
Registered: Dec 2012
Posts: 28

Rep: Reputation: Disabled
From what I understand and actually use samba with windows domains, samba developers seem to have suggested to use the internal kerberos implementation that comes with the samba source for domain functionality. That is heimdal and I repeat that a (patched iirc) version is included in the samba source.
From here http://mirrors.slackware.com/slackwa...mba.SlackBuild and here http://mirrors.slackware.com/slackwa...mba.SlackBuild we can see the comment about heimdal. The comment seems to be old, at least for samba 4.4.13, heimdal is enabled by default when compiling samba.
So, for kerberos we have the following options
  • internal heimdal implementation. I use this for windows domains. There is the comment there that the builtin heimdal gives errors, but I haven't found any errors so far using samba with windows domains. I have been using samba like this with slackware releases 14.0, 14.1 and 14.2. By default, provisioning a domain works fine and samba and windows servers can join the domain and work fine. Generally, the official documentation about domain functionality from samba.org can be followed with minor changes and work as expected. For example, I can provision a domain and it will work fine following this https://wiki.samba.org/index.php/Set...ain_Controller The main drawback is that you will not have the utilities klist, kinit available on the domain controller itself. If it's a standalone server that is used only for providing domain services this is not a big problem. Other unix servers can use mit krb5 for accessing kerberos services on the DC, but for full domain join they would need samba with internal heimdal.
  • mit krb5. samba's internal heimdal uses a different database format for some things and mit krb5 compatibility was an ongoing task, but I haven't check very recently. To test this, use the krb5.SlackBuild from slackbuilds.org and then rebuilt samba, I think it will pick up krb5 automatically. Be sure to check the compatibility status. When I tried it (with slackware 14.0), the domain seemed worked initially, but it had strange problems, which I can't now recall.
  • another, third option would be using the standalone heimdal from the original heimdal kerberos source code, but I haven't found anything on the subject anywhere. I don't know if and how patched are the internal samba heimdal sources. But this would be a more complete solution, since it would have the missing kerberos tools (kinit, klist, etc)

Last edited by ninikos; 04-23-2017 at 02:17 PM. Reason: Corrected wrong information
 
1 members found this post helpful.
Old 04-19-2017, 08:51 AM   #5
xj25vm
Member
 
Registered: Jun 2008
Posts: 331

Original Poster
Rep: Reputation: 31
Thank you kindly @ninikos for the detailed reply. Now I am slightly more confused than before because:

1. I have a (Slack) stock Samba 4.5.0 on a Slackware64 -current.
2. I have managed to provision an AD domain and turn it into a domain controller.
3. As per Samba.org instructions, I have linked the default generated /var/lib/samba/private/krb5.conf to /etc/krb5.conf
4. I have joined Windows 10 Pro machines to the domain without any errors.
5. I ran the tests from Samba website to test that the domain is working correctly, and they all worked out fine so far.

I only hit the need to install krb5 from SBo when some of the more detailed tests from Samba.org make the use of Kerberos utilities (e.g. klist). Frankly, the installation of krb5 from SBo has been painless and it doesn't have any dependencies - so I can't complain.

But now, reading your post above, I can't figure out how did I manage to configure Samba as an AD DC, if it's supposed to have Kerberos support disabled in Slackware? I didn't touch or recompile Samba in anyway, and only installed the krb5 package after the AD DC was configured and working fine.

Last edited by xj25vm; 04-19-2017 at 08:52 AM.
 
Old 04-19-2017, 09:37 AM   #6
ninikos
LQ Newbie
 
Registered: Dec 2012
Posts: 28

Rep: Reputation: Disabled
My personal experience is that there are errors coming up in the logs after I provision the domain. Check /var/log/samba directory for logs. I assume you start samba as root after provisioning by simply running 'samba' on the command line. I upgraded official samba recenlty (there was an update) on a test machine, and without the internal heimdal I got these in the logs on the DC
wb-DOMAIN.log
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
smdb.log
Unable to convert first SID (S-.. ) in a user token to a UID

Also be sure to check windows logs and test if it will work after some days. At least that's my personal experience. I got strange problems, like win 7 clients loosing the domain. Logins still would work, but there are logon caches involved and problems may show up later, usually there are strange logs involving kerberos. Be sure to check the windows server logs after using the DC for some days. Also you should test to see if the windows rsat (or equivalent) tools work as they should. This was another error I got without having any kerberos at all. Since I assume you need it for windows, check group policy editor, domain users and groups and import the default group policy templates, create one based on one of them and apply it to a group. Then check the window machines' registries after joining the domain to see if the settings propagate correctly. Check for any warnings or errors in the logs during a full reboot cycle. Check all these again for some days.

For more information about mit krb5, see this https://wiki.samba.org/index.php/Samba4/MIT_KDC and this https://wiki.samba.org/index.php/MIT_Build Another interesting take on all this is this https://github.com/heimdal/heimdal/issues/244

Also from here https://wiki.samba.org/index.php/Set...ain_Controller
Samba as an AD DC only supports:

the integrated LDAP server as AD back end. For details, see the frequently asked question (FAQ) Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
the Heimdal Kerberos key distribution center (KDC). The AD-compatible Heimdal KDC is included in Samba and automatically installed.
 
2 members found this post helpful.
Old 04-19-2017, 10:53 AM   #7
ninikos
LQ Newbie
 
Registered: Dec 2012
Posts: 28

Rep: Reputation: Disabled
Another gotcha that I use and forgot to mention is ntp. For kerberos to work properly, the clocks need to be synchronized. By default windows will try to use the dc for the clock source when they join the domain. If you want to use the dc as the ntp server you need to follow this https://wiki.samba.org/index.php/Time_Synchronisation

What needs to be done for slackware is to recompile the ntp package with this configuration option added --enable-ntp-signd in the ntp.SlackBuild.
 
1 members found this post helpful.
Old 04-19-2017, 11:32 AM   #8
xj25vm
Member
 
Registered: Jun 2008
Posts: 331

Original Poster
Rep: Reputation: 31
Well, looking at the samba.Slackbuild in -current, the only reference to Heimdal/Kerberos I can find is (which is commented out, in any case):

Code:
</snip>

  # Gives errors:
  #--builtin-libraries=replace,ccan \
  #--bundled-libraries=heimdal \
To me, it isn't clear if that means Heimdal is disabled in Samba in Slackware or not? I have run the Kerberos tests detailed here:

https://wiki.samba.org/index.php/Set...fying_Kerberos

after installing the krb5 package (to gain the klist, kinit etc. utilities) - but with the stock Samba - and all the tests run fine. That seems to suggest that the stock Samba in Slackware includes Kerberos support, I guess.
 
Old 04-23-2017, 02:09 PM   #9
ninikos
LQ Newbie
 
Registered: Dec 2012
Posts: 28

Rep: Reputation: Disabled
Sorry for the delayed response, you are right, internal heimdal is enabled by default. I compiled the vanilla SlackBuild and I saw it in the compiler output. This was a habit that I picked up back from 14.0. It is no longer needed. ntpd with sign rebuilt with is still needed for serving time to windows servers.

I checked on test network as well as on some production servers. The domains seem to work, existing members work, I can join the domain and I can provision new ones with the default samba as it is installed on slackware 14.2.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Xen Enters Mainline Kernel LXer Syndicated Linux News 0 06-20-2011 11:40 AM
Using Linux-Libre kernel alongside mainline corbis_demon Linux From Scratch 5 09-23-2010 01:34 PM
Kernel on the mainline???? linuxunix Linux - Newbie 4 08-16-2010 03:26 AM
LXer: Multi-Pointer X Going Mainline LXer Syndicated Linux News 0 05-09-2008 08:11 PM
Krb5 in slackware jazzor Slackware 1 02-27-2008 11:23 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 04:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration