Hello - I am having trouble getting my Administrator account authenticated to log in to the web interface in Univention 5. It seems to be related to Samba 4, and I am working through the fix described here: "Problem: Kinit unable to reach any KDC in realm".
In the output of the command below, I can see the host IP address, but it has a port (88) appended. I am not sure whether this might be the problem, or whether it is something added by UCS in 5.0. Any help is appreciated! I am unable to use the Administrator account anywhere, and I had some issues with Samba 4 during the upgrade process.
root@ucs-bdc:~# cat /etc/krb5.conf
Warning: This file is auto-generated and might be overwritten by
univention-config-registry.
Please edit the following file(s) instead:
Warnung: Diese Datei wurde automatisch generiert und kann durch
univention-config-registry ueberschrieben werden.
Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
/etc/univention/templates/files/etc/krb5.conf
# Client-library defaults from the pasted /etc/krb5.conf.
[libdefaults]
default_realm = REALDOMAIN.COM
# NOTE(review): the stray spaces inside "arcfour -hmac-md5" here, and inside
# "arc four-" / "a rcfour-" in the three enctype lines further down, look like
# terminal line-wrap artifacts from the paste - confirm against the real file.
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour -hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
# NOTE(review): allow_weak_crypto=true, together with the des-cbc-* and
# arcfour-hmac-md5 entries in the enctype lists, keeps single-DES and RC4
# enabled on this client. Both are deprecated for Kerberos; once login works
# again, consider whether anything in the domain still needs them.
allow_weak_crypto=true
# KDC discovery via DNS is enabled; realm discovery via DNS is not.
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = true
proxiable = true
kdc_timesync = 1
debug = false
#
# The following libdefaults are for clients using the MIT Kerberos library
#
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arc four-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 a rcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 a rcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
ignore_acceptor_hostname = true
rdns = false
# Per-realm settings.
# NOTE(review): both stanzas below are named REALDOMAIN, while default_realm in
# [libdefaults] is REALDOMAIN.COM. If that mismatch exists in the real file
# (and is not just a result of anonymising the paste), the kdc line below would
# not apply to the default realm and the client would rely on DNS lookup
# (dns_lookup_kdc = true) instead - confirm.
[realms]
REALDOMAIN = {
acl_file = /var/lib/heimdal-kdc/kadmind.acl
}
REALDOMAIN = {
# Port 88 is the standard Kerberos KDC port, so the explicit ":88" suffix is not
# an error in itself. The address is loopback, so kinit on this host can only
# succeed if a KDC is actually listening locally.
kdc = 127.0.0.1:88
# NOTE(review): admin_server also points at port 88; kadmin conventionally
# listens on 749 - confirm what UCS intends here.
admin_server = 127.0.0.1:88
default_domain = REALDOMAIN.com
}
# Server-side sections for the KDC and kadmin; the database stanza uses an LDAP
# backend (dbname = ldap:...).
[kdc]
hdb-ldap-create-base = cn=kerberos,dc=REALDOMAIN,dc=com
v4-realm = REALDOMAIN.COM
[kadmin]
# NOTE(review): v4-realm here is REALDOMAIN, but REALDOMAIN.COM under [kdc] -
# may be an anonymisation artifact; confirm.
v4-realm = REALDOMAIN
database = {
label = {
acl_file = /var/lib/heimdal-kdc/kadmind.acl
dbname = ldap:dc=REALDOMAIN,dc=com
realm = REALDOMAIN
log_file = /var/log/heimdal-database.log
# Location of the master-key file. Its permissions are not visible in this
# paste; it should be readable by root only.
mkey_file = /var/heimdal/m-key
}
}
root@ucs-bdc:~#
I also get this error from univention-s4search:
root@ucs-bdc:~# univention-s4search --cross-ncs cn='Domain Admins' objectSid
Failed to inquire of target's available sasl mechs in rootdse search: NT_STATUS_IO_TIMEOUT
Failed to bind - LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to 'ldaps://ucs-bdc.realdomain.com' with backend 'ldaps': LDAP client internal error: NT_STATUS_IO_TIMEOUT
Failed to connect to ldaps://ucs-bdc.realdomain.com - LDAP client internal error: NT_STATUS_IO_TIMEOUT