Problems using AD as KDC

Neil McFadyen nmcfadye at mae.carleton.ca
Wed Nov 19 12:12:49 EST 2003


Did you find a solution?  I would like to do the same thing for our unix NIS
domain and windows ad.

Neil

Christian Palomino wrote:

> I've seen some posts that reflect similar problems to what I'm having,
> but didn't find a solution.
>
> We've got a corporate Active Directory, with a root domain used to keep
> some service and security accounts as well as some servers with the
> infrastructure FSMO roles (Schema Master, Domain Naming Master,
> Infrastructure Master,...). On a child domain, we've got the servers,
> computers and users. We are trying to be able to authenticate users and
> services also on our UNIX machines, so we can give some kind of Single
> Sign On for the few users (basically in the IT department) which use the
> UNIX machines, and especially be able to offer UNIX services to the
> users without having to ask them for a user and password once they
> are logged in to the AD.
>
> I've followed both Microsoft and MIT papers, and from a NetBSD box and
> SuSE box I've got the same problem. I can kinit from a user and get a
> ticket from the AD for the user with the same name (or use kinit
> username) and it works perfectly. But it seems service and hosts mapping
> doesn't work. I've created an account for my host and for the ksu
> service as explained in Msft. papers, but I get the following error:
> ksu: Server not found in Kerberos database while geting credentials
> from kdc
> Authentication failed.
>
> But ksu is in krb5.keytab, imported from AD with ktpass:
> idaho.solmelia.corp:/home/chpl000# ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1   host/idaho.solmelia.corp at SOLMELIA.CORP
>    2    1    ksu/idaho.solmelia.corp at SOLMELIA.CORP
> ktutil:
>
> OTOH, login.krb5 does work perfectly:
> idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> login: chpl000
> Password for chpl000:
> Last login: Wed Nov 12 11:52:03 on ttyp0
> NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
>
> Welcome to NetBSD!
>
> You have mail.
> Disk quotas for user chpl000 (uid 1000): none
> idaho.solmelia.corp:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_p934
> Default principal: chpl000 at SOLMELIA.CORP
>
> Valid starting     Expires            Service principal
> 11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP at SOLMELIA.CORP
>         renew until 11/13/03 11:53:04
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> Does anyone have a hint on how to solve this issue? I have no clue on
> what to do after searching everywhere...
>
> Thanks and best regards (and sorry for the long post)
>
> --
> Christian Palomino
> mailto::zakhrin at freeshell.org
> http://www.palominocassain.com
> GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F





