Slackware - This Forum is for the discussion of Slackware Linux.
Considering that Slackware includes Samba 4.x series (for a good while now), which, at least in AD domain mode, makes use of Kerberos, which in turn needs krb5 to be managed - would there be any chance of the krb5 package making its way into Slackware?
I confess to knowing very little about Kerberos and where it fits into the scheme of things - but I am in the middle of trying to configure Samba as an Active Directory Domain Controller on Slackware. Samba appears to be using Kerberos in this operating mode, and the krb5 package provides some Kerberos management tools - such as klist, kpasswd etc. Or maybe Samba can be configured as an AD DC without Kerberos?
From what I understand (and I actually use samba with windows domains), samba developers seem to have suggested using the internal kerberos implementation that comes with the samba source for domain functionality. That is heimdal, and I repeat that a (patched, iirc) version is included in the samba source.
From here http://mirrors.slackware.com/slackwa...mba.SlackBuild and here http://mirrors.slackware.com/slackwa...mba.SlackBuild we can see the comment about heimdal. The comment seems to be old; at least for samba 4.4.13, heimdal is enabled by default when compiling samba.
So, for kerberos we have the following options:
internal heimdal implementation. I use this for windows domains. There is the comment there that the builtin heimdal gives errors, but I haven't found any errors so far using samba with windows domains. I have been using samba like this with slackware releases 14.0, 14.1 and 14.2. By default, provisioning a domain works fine, and samba and windows servers can join the domain and work fine. Generally, the official documentation about domain functionality from samba.org can be followed with minor changes and works as expected. For example, I can provision a domain and it will work fine following this: https://wiki.samba.org/index.php/Set...ain_Controller. The main drawback is that you will not have the utilities klist, kinit available on the domain controller itself. If it's a standalone server that is used only for providing domain services this is not a big problem. Other unix servers can use mit krb5 for accessing kerberos services on the DC, but for a full domain join they would need samba with internal heimdal.
mit krb5. samba's internal heimdal uses a different database format for some things, and mit krb5 compatibility was an ongoing task, but I haven't checked very recently. To test this, use the krb5.SlackBuild from slackbuilds.org and then rebuild samba; I think it will pick up krb5 automatically. Be sure to check the compatibility status. When I tried it (with slackware 14.0), the domain seemed to work initially, but it had strange problems, which I can't now recall.
another, third option would be using the standalone heimdal from the original heimdal kerberos source code, but I haven't found anything on the subject anywhere. I don't know if or how patched the internal samba heimdal sources are. But this would be a more complete solution, since it would have the missing kerberos tools (kinit, klist, etc).
Last edited by ninikos; 04-23-2017 at 02:17 PM.
Reason: Corrected wrong information
Thank you kindly @ninikos for the detailed reply. Now I am slightly more confused than before because:
1. I have a (Slack) stock Samba 4.5.0 on a Slackware64 -current.
2. I have managed to provision an AD domain and turn it into a domain controller.
3. As per Samba.org instructions, I have linked the default generated /var/lib/samba/private/krb5.conf to /etc/krb5.conf.
4. I have joined Windows 10 Pro machines to the domain without any errors.
5. I ran the tests from Samba website to test that the domain is working correctly, and they all worked out fine so far.
I only hit the need to install krb5 from SBo when some of the more detailed tests from Samba.org make use of Kerberos utilities (e.g. klist). Frankly, the installation of krb5 from SBo has been painless and it doesn't have any dependencies - so I can't complain.
But now, reading your post above, I can't figure out how I managed to configure Samba as an AD DC, if it's supposed to have Kerberos support disabled in Slackware? I didn't touch or recompile Samba in any way, and only installed the krb5 package after the AD DC was configured and working fine.
My personal experience is that there are errors coming up in the logs after I provision the domain. Check the /var/log/samba directory for logs. I assume you start samba as root after provisioning by simply running 'samba' on the command line. I upgraded official samba recently (there was an update) on a test machine, and without the internal heimdal I got these in the logs on the DC:
wb-DOMAIN.log
../source3/winbindd/winbindd_dual.c:107(child_write_response)
Could not write result
smbd.log
Unable to convert first SID (S-.. ) in a user token to a UID
Also be sure to check windows logs and test if it will work after some days. At least that's my personal experience. I got strange problems, like win 7 clients losing the domain. Logins would still work, but there are logon caches involved and problems may show up later; usually there are strange logs involving kerberos. Be sure to check the windows server logs after using the DC for some days. Also you should test to see if the windows rsat (or equivalent) tools work as they should. This was another error I got without having any kerberos at all. Since I assume you need it for windows, check the group policy editor, domain users and groups, and import the default group policy templates, create one based on one of them and apply it to a group. Then check the windows machines' registries after joining the domain to see if the settings propagate correctly. Check for any warnings or errors in the logs during a full reboot cycle. Check all these again for some days.
the integrated LDAP server as AD back end. For details, see the frequently asked question (FAQ) Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
the Heimdal Kerberos key distribution center (KDC). The AD-compatible Heimdal KDC is included in Samba and automatically installed.
Another gotcha that I use and forgot to mention is ntp. For kerberos to work properly, the clocks need to be synchronized. By default windows will try to use the DC as the clock source when they join the domain. If you want to use the DC as the ntp server you need to follow this: https://wiki.samba.org/index.php/Time_Synchronisation
What needs to be done for slackware is to recompile the ntp package with this configuration option added in the ntp.SlackBuild: --enable-ntp-signd
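As an added example (not code from the thread or from the Samba project), a small POSIX sh check that scans Samba DC logs for the two signatures quoted above and verifies the /etc/krb5.conf symlink the earlier post describes; the paths in the comments are the ones named in the thread, and the sample log content is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a POSIX sh health check for a
# Samba AD DC on Slackware. It looks for the two log signatures quoted
# in the thread (winbindd "Could not write result", smbd "Unable to convert
# first SID ...") and checks that the system krb5.conf is a symlink to the
# provisioned /var/lib/samba/private/krb5.conf, as the Samba wiki asks for.

# Count log lines matching the error signatures quoted in the thread.
# Arguments: one or more Samba log files. Prints a single number.
count_kerberos_errors() {
    grep -h -E 'Could not write result|Unable to convert first SID' "$@" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Succeed only if $1 is a symlink whose target is exactly $2.
krb5_conf_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# --- demonstration on constructed input (real paths are in the comments) ---
demo_dir=$(mktemp -d)

# Constructed wb-DOMAIN.log: the signature from the thread plus one normal line.
cat > "$demo_dir/wb-DOMAIN.log" <<'EOF'
[2017/04/23 14:00:01.000000,  0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)
  Could not write result
[2017/04/23 14:00:02.000000,  3] (constructed) winbindd: child started
EOF

# Constructed smbd.log carrying the second signature.
cat > "$demo_dir/smbd.log" <<'EOF'
[2017/04/23 14:00:05.000000,  0] (constructed) smbd: building user token
  Unable to convert first SID (S-.. ) in a user token to a UID
EOF

# Constructed stand-in for the provisioned krb5.conf and the /etc symlink.
: > "$demo_dir/private-krb5.conf"
ln -s "$demo_dir/private-krb5.conf" "$demo_dir/krb5.conf"

# On a real DC: count_kerberos_errors /var/log/samba/*.log
echo "matching error lines: $(count_kerberos_errors "$demo_dir"/*.log)"

# On a real DC: krb5_conf_ok /etc/krb5.conf /var/lib/samba/private/krb5.conf
if krb5_conf_ok "$demo_dir/krb5.conf" "$demo_dir/private-krb5.conf"; then
    echo "krb5.conf symlink OK"
else
    echo "krb5.conf is not linked to the provisioned config"
fi

rm -rf "$demo_dir"
```

A non-zero count after provisioning is the cue to look at the full log entries, and a failed symlink check means kinit/klist from the SBo krb5 package will not see the realm the DC provisioned.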
after installing the krb5 package (to gain the klist, kinit etc. utilities) - but with the stock Samba - and all the tests run fine. That seems to suggest that the stock Samba in Slackware includes Kerberos support, I guess.
Sorry for the delayed response, you are right, internal heimdal is enabled by default. I compiled the vanilla SlackBuild and I saw it in the compiler output. This was a habit that I picked up back from 14.0. It is no longer needed. ntpd rebuilt with signd is still needed for serving time to windows servers.
I checked on test network as well as on some production servers. The domains seem to work, existing members work, I can join the domain and I can provision new ones with the default samba as it is installed on slackware 14.2.