Problems using AD as KDC
Christian Palomino
zakhrin at freeshell.org
Thu Nov 20 03:01:56 EST 2003
Actually, I found a temporary solution with samba 3, I'm still trying
to solve the issue to be able to use kerberos without samba, but I
still can't.
Regards
On 11/19/03 18:12:49, Neil McFadyen wrote:
> Did you find a solution? I would like to do the same thing for our
> Unix NIS domain and Windows AD.
>
> Neil
>
> Christian Palomino wrote:
>
> > I've seen some posts that reflect similar problems to what I'm having,
> > but didn't find a solution.
> >
> > We've got a corporate Active Directory, with a root domain used to keep
> > some service and security accounts as well as some server with the
> > infrastructure FSMO roles (Schema Master, Domain Naming Master,
> > Infrastructure Master,...). On a child domain, we've got the servers,
> > computers and users. We are trying to be able to authenticate users and
> > services also on our UNIX machines, so we can give some kind of Single
> > Sign On for the few users (basically in the IT department) which use the
> > UNIX machines, and especially be able to offer UNIX services to the
> > users without having to ask them for a user and password once they
> > are logged in to the AD.
> >
> > I've followed both Microsoft and MIT papers, and from a NetBSD box and
> > SuSE box I've got the same problem. I can kinit from a user and get a
> > ticket from the AD for the user with the same name (or use kinit
> > username) and it works perfectly. But it seems service and hosts mapping
> > doesn't work. I've created an account for my host and for the ksu
> > service as explained in Msft. papers, but I get the following error:
> > ksu: Server not found in Kerberos database while geting credentials from kdc
> > Authentication failed.
> >
> > But ksu is in krb5.keytab, imported from AD with ktpass:
> > idaho.solmelia.corp:/home/chpl000# ktutil
> > ktutil: rkt /etc/krb5.keytab
> > ktutil: list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1 host/idaho.solmelia.corp at SOLMELIA.CORP
> >    2    1 ksu/idaho.solmelia.corp at SOLMELIA.CORP
> > ktutil:
> >
> > OTOH, login.krb5 does work perfectly:
> > idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> > login: chpl000
> > Password for chpl000:
> > Last login: Wed Nov 12 11:52:03 on ttyp0
> > NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
> >
> > Welcome to NetBSD!
> >
> > You have mail.
> > Disk quotas for user chpl000 (uid 1000): none
> > idaho.solmelia.corp:~$ klist
> > Ticket cache: FILE:/tmp/krb5cc_p934
> > Default principal: chpl000 at SOLMELIA.CORP
> >
> > Valid starting     Expires            Service principal
> > 11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP at SOLMELIA.CORP
> >         renew until 11/13/03 11:53:04
> >
> > Kerberos 4 ticket cache: /tmp/tkt1000
> > klist: You have no tickets cached
> >
> > Does anyone have a hint on how to solve this issue? I have no clue on
> > what to do after searching everywhere...
> >
> > Thanks and best regards (and sorry for the long post)
> >
> > --
> > Christian Palomino
> > mailto::zakhrin at freeshell.org
> > http://www.palominocassain.com
> > GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
--
Christian Palomino
mailto::zakhrin at freeshell.org
http://www.palominocassain.com
GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F