CentOS 7. Получение билета Kerberos

Ставим пакеты:

# Kerberos client tools, realmd/SSSD/adcli for the AD integration, and the
# Samba client utilities that provide "net ads join".
yum -y install \
    krb5-workstation \
    realmd \
    sssd \
    oddjob \
    oddjob-mkhomedir \
    adcli \
    samba-common \
    samba-common-tools

Настраиваем конфиг /etc/krb5.conf:

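# /etc/krb5.conf - MIT Kerberos client configuration for the DOMAIN.LOCAL
# Active Directory realm. Read by kinit/ktutil; SSSD drops its own
# snippets into the includedir below. Comments start with # in column 0.
# The realm name is case-sensitive and is written in upper case everywhere.
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
# locate KDCs (SRV records) and the host-to-realm mapping (TXT records) via DNS
dns_lookup_kdc = true
dns_lookup_realm = true
# do not reverse-resolve server addresses when building service principal names
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# credential cache in the kernel keyring, one per uid
default_ccache_name = KEYRING:persistent:%{uid}

# Encryption types. The single-DES types from the original list are
# filtered out anyway while allow_weak_crypto is false (the default), so
# they are not listed. rc4-hmac stays only because the dns_updater keytab
# on this page is created with an RC4 key; once that account has AES keys,
# drop rc4-hmac from all three lists.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
DOMAIN.LOCAL = {
 # two domain controllers, tried in the order listed
 kdc = dc01.domain.local
 kdc = dc02.domain.local
 admin_server = dc01.domain.local
 admin_server = dc02.domain.local
 kpasswd_server = dc01.domain.local
 kpasswd_server = dc02.domain.local
 default_domain = domain.local
}

[domain_realm]
# hostname-to-realm mapping. MIT matches these keys against the lower-cased
# hostname, so the keys are written in lower case; only the realm on the
# right-hand side is upper case.
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL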

Обратите внимание – имя realm (DOMAIN.LOCAL) надо ОБЯЗАТЕЛЬНО писать большими буквами: Kerberos различает регистр в имени realm.

В конфиге Samba (/etc/samba/smb.conf) также указываем домен:

# /etc/samba/smb.conf - only the [global] section is needed for the AD join.
[global]
# short (NetBIOS) domain name and the Kerberos realm; the realm is upper case
workgroup = domain
realm = DOMAIN.LOCAL
# authenticate against Active Directory (Kerberos) using these DCs
security = ads
password server = dc01.domain.local dc02.domain.local
# uid/gid range handed out to domain accounts
idmap config * : range = 16777216-33554431
template shell = /sbin/nologin
# "secrets only": the join keeps the machine credential in secrets.tdb and
# does not write /etc/krb5.keytab. NOTE(review): if SSSD's AD provider is
# used on this host later, it expects that keytab - "secrets and keytab"
# would then be the usual setting.
kerberos method = secrets only
winbind use default domain = false
winbind offline logon = false

Вводим машину в домен:

# Join this host to the AD domain; net prompts for the account's password.
# NOTE(review): any account delegated the right to join computers to the
# domain works here and is the usual least-privilege choice over Administrator.
net ads join --user=Administrator@DOMAIN.LOCAL

Затем генерим keytab-файл для аутентификации без ввода пароля и сохраняем его:

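# Interactive ktutil session (lines prefixed "ktutil:" are typed at its
# prompt) that builds a keytab for the dns_updater service account, so the
# script can obtain tickets without a password. addent prompts for the
# account password each time; enter the same password at both prompts.
# The keytab gets an AES key in addition to the original RC4 key: kinit
# prefers AES when the account has AES keys, and the RC4 entry remains as a
# fallback. NOTE(review): the AES entry is only usable when the AD account
# has AES enabled (msDS-SupportedEncryptionTypes) - confirm on the DC; if
# kinit then reports a pre-authentication failure, add "-f" to addent so the
# salt is fetched from the KDC.
# kvno 1 is kept from the original; the keytab has to be regenerated
# whenever the account's password changes.
ktutil
ktutil: addent -password -p dns_updater@DOMAIN.LOCAL -k 1 -e aes256-cts-hmac-sha1-96
Password for dns_updater@DOMAIN.LOCAL:
ktutil: addent -password -p dns_updater@DOMAIN.LOCAL -k 1 -e rc4-hmac
Password for dns_updater@DOMAIN.LOCAL:
ktutil: write_kt /usr/local/scripts/cfg/dns_updater.keytab
ktutil: quit
# The keytab is a long-lived credential: restrict it to the account that runs
# the updater script (adjust the owner to that account).
chmod 600 /usr/local/scripts/cfg/dns_updater.keytab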

И получаем билет:

# Obtain a TGT for the service account from the keytab (-k, file given by -t)
# instead of a password prompt. Check the result with: klist
kinit -kt /usr/local/scripts/cfg/dns_updater.keytab dns_updater@DOMAIN.LOCAL
