Problems using AD as KDC

Christian Palomino zakhrin at freeshell.org
Wed Nov 12 06:08:32 EST 2003


I've seen some posts that reflect problems similar to what I'm having,
but didn't find a solution.

We've got a corporate Active Directory, with a root domain used to keep
some service and security accounts as well as some servers with the
infrastructure FSMO roles (Schema Master, Domain Naming Master,
Infrastructure Master, ...). On a child domain, we've got the servers,
computers and users. We are trying to be able to authenticate users and
services also on our UNIX machines, so we can give some kind of Single
Sign On for the few users (basically in the IT department) which use the
UNIX machines, and especially be able to offer UNIX services to the
users without having to ask them for a user and password once they
are logged in to the AD.

I've followed both Microsoft and MIT papers, and from a NetBSD box and a
SuSE box I've got the same problem. I can kinit as a user and get a
ticket from the AD for the user with the same name (or use kinit
username) and it works perfectly. But it seems service and host mapping
doesn't work. I've created an account for my host and for the ksu
service as explained in the Microsoft papers, but I get the following error:
ksu: Server not found in Kerberos database while getting credentials from kdc
Authentication failed.

But ksu is in krb5.keytab, imported from AD with ktpass:
idaho.solmelia.corp:/home/chpl000# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1   host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1    ksu/idaho.solmelia.corp@SOLMELIA.CORP
ktutil:

OTOH, login.krb5 does work perfectly:
idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
login: chpl000
Password for chpl000:
Last login: Wed Nov 12 11:52:03 on ttyp0
NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003

Welcome to NetBSD!

You have mail.
Disk quotas for user chpl000 (uid 1000): none
idaho.solmelia.corp:~$ klist
Ticket cache: FILE:/tmp/krb5cc_p934
Default principal: chpl000@SOLMELIA.CORP

Valid starting     Expires            Service principal
11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP@SOLMELIA.CORP
	renew until 11/13/03 11:53:04


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

Does anyone have a hint on how to solve this issue? I have no clue
what to do after searching everywhere...

Thanks and best regards (and sorry for the long post)

-- 
Christian Palomino
mailto:zakhrin@freeshell.org
http://www.palominocassain.com
GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F

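[Editor's note, not part of the original post.] A "Server not found in Kerberos database" answer from an AD KDC means the KDC could not find an account for the server principal the client asked for; it says nothing about the keytab, which only comes into play once a ticket has been issued. Two things are worth comparing before touching the keytab again: the exact name the client requests (an MIT client builds it with krb5_sname_to_principal(), which canonicalizes the hostname through DNS, forward and reverse, and folds it to lowercase), and the servicePrincipalName values AD actually holds, which setspn -L <account> lists per account and setspn -Q <spn> searches across the forest. The script below is an added example that models the two failure stages offline. The ktutil listing is the one from the post; the setspn output, the account names and the alternate hostname are constructed assumptions, not output from the poster's domain.

```python
"""Predict where a Kerberos service request to an AD KDC will fail:
at the KDC (no account holds the SPN) or on the UNIX host (the ticket's
server name has no matching keytab entry). Added example; the setspn
output and account names below are constructed, not real data."""
import re

# The `ktutil list` output from the post, with the list archive's
# " at " munging reversed to "@".
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1   host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1    ksu/idaho.solmelia.corp@SOLMELIA.CORP
"""

# Constructed, hypothetical `setspn -L` output for two AD accounts. The
# account DNs and SPN spellings are assumptions for the demonstration.
SETSPN_LISTING = """\
Registered ServicePrincipalNames for CN=IDAHO,CN=Computers,DC=solmelia,DC=corp:
    HOST/IDAHO
    HOST/idaho.solmelia.corp
Registered ServicePrincipalNames for CN=ksu-idaho,CN=Users,DC=solmelia,DC=corp:
    ksu/idaho.solmelia.corp
"""


def parse_ktutil(listing):
    """Return {principal: kvno} from `ktutil list` output."""
    entries = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries[m.group(3)] = int(m.group(2))
    return entries


def parse_setspn(listing):
    """Return {spn: account DN} from `setspn -L` output (one or more accounts)."""
    spns, account = {}, None
    for line in listing.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:
            account = m.group(1)
        elif account and line[:1] in (" ", "\t") and line.strip():
            spns[line.strip()] = account
    return spns


def requested_principal(service, canonical_host, realm):
    """The server principal an MIT client asks the KDC for. The host part
    is whatever DNS canonicalization returned, folded to lowercase, so a
    reverse-DNS name that differs from the keytab's hostname changes it."""
    return f"{service}/{canonical_host.lower()}@{realm}"


def diagnose(principal, spns, keytab):
    """Return (stage, message) for one requested server principal.

    KDC stage: AD locates the account by servicePrincipalName, compared
    case-insensitively and without the @REALM suffix; no match yields
    "Server not found in Kerberos database".
    Host stage: the ticket carries the name the client requested, and the
    MIT acceptor looks it up in the keytab case-sensitively; no match
    yields "Key table entry not found".
    """
    name = principal.split("@", 1)[0]
    folded = {spn.lower(): acct for spn, acct in spns.items()}
    if name.lower() not in folded:
        return "kdc", "Server not found in Kerberos database"
    if principal not in keytab:
        return "host", "Key table entry not found"
    return "ok", f"SPN on {folded[name.lower()]}, keytab kvno {keytab[principal]}"


def check(service, canonical_host, realm, ktutil_text, setspn_text):
    """Glue: build the requested name and run both stages against parsed output."""
    principal = requested_principal(service, canonical_host, realm)
    return principal, diagnose(principal, parse_setspn(setspn_text), parse_ktutil(ktutil_text))


if __name__ == "__main__":
    # Second hostname is a constructed example of reverse DNS returning a
    # different name than the one the keytab and SPNs were built with.
    for svc, host in (("ksu", "idaho.solmelia.corp"),
                      ("host", "IDAHO.solmelia.corp"),
                      ("ksu", "idaho.solmelia.local")):
        principal, (stage, msg) = check(svc, host, "SOLMELIA.CORP",
                                        KTUTIL_LISTING, SETSPN_LISTING)
        print(f"{stage:4s} {principal}: {msg}")
```

Feed it the real setspn -L output for the accounts ktpass was run against, plus the hostname the UNIX box resolves to (`getent hosts` forward and reverse), and the stage it reports tells you which side to fix: an SPN on the AD account for the KDC stage, or the keytab entry spelling for the host stage.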