Problems using AD as KDC
Christian Palomino
zakhrin at freeshell.org
Wed Nov 12 06:08:32 EST 2003
I've seen some posts that reflect similar problems to what I'm having,
but didn't find a solution.
We've got a corporate Active Directory, with a root domain used to keep
some service and security accounts as well as some servers with the
infrastructure FSMO roles (Schema Master, Domain Naming Master,
Infrastructure Master, ...). On a child domain, we've got the servers,
computers and users. We are trying to be able to authenticate users and
services also on our UNIX machines, so we can give some kind of Single
Sign-On for the few users (basically in the IT department) who use the
UNIX machines, and especially be able to offer UNIX services to the
users without having to ask them for a user and password once they
are logged in to the AD.
I've followed both Microsoft and MIT papers, and from a NetBSD box and a
SuSE box I've got the same problem. I can kinit from a user and get a
ticket from the AD for the user with the same name (or use kinit
username) and it works perfectly. But it seems service and host mapping
doesn't work. I've created an account for my host and for the ksu
service as explained in the Microsoft papers, but I get the following error:
ksu: Server not found in Kerberos database while getting credentials from kdc
Authentication failed.
But ksu is in krb5.keytab, imported from AD with ktpass:
idaho.solmelia.corp:/home/chpl000# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1 ksu/idaho.solmelia.corp@SOLMELIA.CORP
ktutil:
OTOH, login.krb5 does work perfectly:
idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
login: chpl000
Password for chpl000:
Last login: Wed Nov 12 11:52:03 on ttyp0
NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
Welcome to NetBSD!
You have mail.
Disk quotas for user chpl000 (uid 1000): none
idaho.solmelia.corp:~$ klist
Ticket cache: FILE:/tmp/krb5cc_p934
Default principal: chpl000@SOLMELIA.CORP

Valid starting     Expires            Service principal
11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP@SOLMELIA.CORP
        renew until 11/13/03 11:53:04

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Does anyone have a hint on how to solve this issue? I have no clue what
to do after searching everywhere...
Thanks and best regards (and sorry for the long post)
--
Christian Palomino
mailto:zakhrin at freeshell.org
http://www.palominocassain.com
GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
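The error quoted in the post, "Server not found in Kerberos database", is the client-side text for KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC could not find the service principal the client asked for in its own database, so the request fails before the service's local keytab is ever consulted. The script below is an added example, not part of the original post and not MIT Kerberos code. It parses the `ktutil list` output shown above and classifies a service-ticket request as failing at the KDC, failing at the keytab, or failing on a key-version (KVNO) mismatch, the three cases a practitioner has to tell apart. The KDC_VIEW dictionary is a constructed stand-in for the servicePrincipalName values registered on the domain controllers (on a real DC, `setspn -L <account>` lists them), and the service_principal() canonicalisation is a simplified assumption that skips DNS lookups.

```python
"""Triage for "Server not found in Kerberos database" against an AD KDC.

Added example (not from the original post). It parses an MIT `ktutil list`
listing and classifies why a service-ticket request fails, given a
constructed view of which principals the KDC actually knows.
"""
import re

# One `ktutil list` row: slot, KVNO, principal. Header, rule and prompt
# lines do not match this pattern and are skipped.
KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

# Keytab listing as shown in the post (host/ and ksu/ keys, both KVNO 1).
KEYTAB_LISTING = """\
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1 ksu/idaho.solmelia.corp@SOLMELIA.CORP
ktutil:
"""

# Constructed stand-in for the KDC's database: the service principals the
# domain controllers can issue tickets for, with their current key version.
# On a real DC this is what `setspn -L <account>` would show.
KDC_VIEW = {
    "host/idaho.solmelia.corp@SOLMELIA.CORP": 1,
    "krbtgt/SOLMELIA.CORP@SOLMELIA.CORP": 1,
}


def service_principal(service, fqdn, realm):
    """Build service/fqdn@REALM for an already canonical FQDN.

    Simplified assumption: krb5_sname_to_principal would also canonicalise
    the host name via DNS; this helper only normalises case.
    """
    return f"{service.lower()}/{fqdn.lower()}@{realm.upper()}"


def parse_ktutil_list(text):
    """Return {principal: [kvno, ...]} from `ktutil list` output."""
    keys = {}
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line)
        if m is None:
            continue
        _slot, kvno, principal = m.groups()
        keys.setdefault(principal, []).append(int(kvno))
    return keys


def diagnose(requested, keytab, kdc_view):
    """Classify a service-ticket request for `requested`.

    Order matters: the KDC answers first. If it does not know the principal
    the client gets KDC_ERR_S_PRINCIPAL_UNKNOWN ("Server not found in
    Kerberos database") no matter what the local keytab holds. Only after a
    ticket is issued does the service look for a matching key and KVNO.
    """
    if requested not in kdc_view:
        return "kdc-unknown"
    if requested not in keytab:
        return "keytab-missing"
    if kdc_view[requested] not in keytab[requested]:
        return "kvno-mismatch"
    return "ok"


if __name__ == "__main__":
    kt = parse_ktutil_list(KEYTAB_LISTING)
    for svc in ("host", "ksu", "nfs"):
        p = service_principal(svc, "idaho.solmelia.corp", "SOLMELIA.CORP")
        print(f"{p}: {diagnose(p, kt, KDC_VIEW)}")
```

Run against the constructed KDC_VIEW, the host/ principal comes back "ok" while ksu/ comes back "kdc-unknown": a key being present in /etc/krb5.keytab says nothing about whether the KDC will issue a ticket for it. Replace KDC_VIEW with the SPNs actually registered on the DCs and the keytab text with real `ktutil list` output to use it as a checklist.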