From 7ef7ec7be88f365ebd0c9da425283375188be2d1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 14 Sep 2012 11:57:38 -0700
Subject: [PATCH] docs: update for modern kerberos libs
---
 .../Samba3-HOWTO/TOSHARG-DomainMember.xml | 52 +------------------
 1 file changed, 2 insertions(+), 50 deletions(-)
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml
index 53b7d1aedc2..fb81ac0b34d 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml
@@ -913,11 +913,7 @@ When manually configuring krb5.conf, the minimal configurat [libdefaults] default_realm = YOUR.KERBEROS.REALM - -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + dns_lookup_kdc = true [domain_realms] .kerberos.server = YOUR.KERBEROS.REALM
@@ -925,13 +921,10 @@ When manually configuring krb5.conf, the minimal configurat -Heimdal -When using Heimdal versions before 0.6, use the following configuration settings: +If you must specify the KDC directly, the minimal configuration is: [libdefaults] default_realm = YOUR.KERBEROS.REALM - default_etypes = des-cbc-crc des-cbc-md5 - default_etypes_des = des-cbc-crc des-cbc-md5 [realms] YOUR.KERBEROS.REALM = {
@@ -951,19 +944,6 @@ Test your config by doing a kinit making sure that your password is accepted by the Win2000 KDC. - -Heimdal -ADS -KDC -Windows 2003 -With Heimdal versions earlier than 0.6.x you can use only newly created accounts -in ADS or accounts that have had the password changed once after migration, or -in case of Administrator after installation. At the -moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6 -(and no default etypes in krb5.conf). Unfortunately, this whole area is still -in a state of flux. - - realm uppercase 
@@ -988,25 +968,6 @@ great while getting initial credentials if the time differen Clock skew limits are configurable in the Kerberos protocols. The default setting is five minutes. - -DNS -KDC -hostname -realm -You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that -this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain -attached) or it can be the NetBIOS name followed by the realm. - - - -/etc/hosts -KDC -realm -The easiest way to ensure you get this right is to add a /etc/hosts entry mapping the IP -address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a local -error when you try to join the realm. - - Kerberos Create the Computer Account
@@ -1094,15 +1055,6 @@ name, it may need to be quadrupled to pass through the shell escape and ldap esc USERNAME@REALM. USERNAME must be a user who has rights to add a machine to the domain. - - Unsupported encryption/or checksum types - - /etc/krb5.conf - unsupported encryption - Kerberos - Make sure that the /etc/krb5.conf is correctly configured - for the type and version of Kerberos installed on the system. -
-- 
2.34.1