Problems using AD as KDC

Christian Palomino zakhrin at freeshell.org
Thu Nov 20 03:01:56 EST 2003


Actually, I found a temporary solution with samba 3, I'm still trying
to solve the issue to be able to use kerberos without samba, but I
still can't.

Regards

On 11/19/03 18:12:49, Neil McFadyen wrote:
> Did you find a solution?  I would like to do the same thing for our
> unix NIS domain and windows ad.
> 
> Neil
> 
> Christian Palomino wrote:
> 
> > I've seen some posts that reflect similar problems to what I'm
> > having, but didn't find a solution.
> >
> > We've got a corporate Active Directory, with a root domain used to
> > keep some service and security accounts as well as some servers with
> > the infrastructure FSMO roles (Schema Master, Domain Naming Master,
> > Infrastructure Master, ...). On a child domain, we've got the servers,
> > computers and users. We are trying to be able to authenticate users
> > and services also on our UNIX machines, so we can give some kind of
> > Single Sign On for the few users (basically in the IT department)
> > which use the UNIX machines, and especially be able to offer UNIX
> > services to the users without having to ask them for a user and
> > password once they are logged in to the AD.
> >
> > I've followed both Microsoft and MIT papers, and from a NetBSD box
> > and a SuSE box I've got the same problem. I can kinit from a user and
> > get a ticket from the AD for the user with the same name (or use
> > kinit username) and it works perfectly. But it seems service and host
> > mapping doesn't work. I've created an account for my host and for the
> > ksu service as explained in Msft. papers, but I get the following
> > error:
> > ksu: Server not found in Kerberos database while geting credentials
> > from kdc
> > Authentication failed.
> >
> > But ksu is in krb5.keytab, imported from AD with ktpass:
> > idaho.solmelia.corp:/home/chpl000# ktutil
> > ktutil:  rkt /etc/krb5.keytab
> > ktutil:  list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    1   host/idaho.solmelia.corp@SOLMELIA.CORP
> >    2    1    ksu/idaho.solmelia.corp@SOLMELIA.CORP
> > ktutil:
> >
> > OTOH, login.krb5 does work perfectly:
> > idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> > login: chpl000
> > Password for chpl000:
> > Last login: Wed Nov 12 11:52:03 on ttyp0
> > NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
> >
> > Welcome to NetBSD!
> >
> > You have mail.
> > Disk quotas for user chpl000 (uid 1000): none
> > idaho.solmelia.corp:~$ klist
> > Ticket cache: FILE:/tmp/krb5cc_p934
> > Default principal: chpl000@SOLMELIA.CORP
> >
> > Valid starting     Expires            Service principal
> > 11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP@SOLMELIA.CORP
> >         renew until 11/13/03 11:53:04
> >
> > Kerberos 4 ticket cache: /tmp/tkt1000
> > klist: You have no tickets cached
> >
> > Does anyone have a hint on how to solve this issue? I have no clue
> > on what to do after searching everywhere...
> >
> > Thanks and best regards (and sorry for the long post)
> >
> > --
> > Christian Palomino
> > mailto::zakhrin at freeshell.org
> > http://www.palominocassain.com
> > GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Christian Palomino
mailto::zakhrin at freeshell.org
http://www.palominocassain.com
GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
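The ksu error quoted above, "Server not found in Kerberos database", is the KDC reporting that the service principal the client asked for does not exist on the KDC side, so the name the client requests (service/canonical-hostname@REALM) must match both the keytab entry and the SPN registered with ktpass exactly, including realm case and the full DNS name. The checker below is an added example, not code from the post or from MIT Kerberos; it parses a constructed `ktutil list` output (the principals from the post, with the archive's " at " restored to "@") and reports near-miss mismatches for the name a client will request.

```python
import re
from typing import NamedTuple

class KeytabEntry(NamedTuple):
    slot: int
    kvno: int
    principal: str

# Constructed sample: the ktutil listing from the quoted post.
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ------------------------------------------------
   1    1   host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1    ksu/idaho.solmelia.corp@SOLMELIA.CORP
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_ktutil_list(text):
    """Parse 'ktutil: list' output into KeytabEntry records."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return [KeytabEntry(int(m[1]), int(m[2]), m[3]) for m in matches if m]

def split_principal(principal):
    # 'svc/host@REALM' -> (svc, host, REALM); host or realm may be ''
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm

def check_service_principal(entries, service, canonical_host, realm):
    """Return (ok, notes): does the keytab hold exactly the name a client
    will request? A hit only proves the client side; the KDC must know
    the same name, or it answers 'Server not found in Kerberos database'."""
    wanted = f"{service}/{canonical_host}@{realm}"
    if any(e.principal == wanted for e in entries):
        return True, [f"keytab holds {wanted}"]
    notes = [f"no keytab entry for {wanted}"]
    for e in entries:
        svc, host, rlm = split_principal(e.principal)
        if svc != service:
            continue  # a different service is not a near miss
        if host.lower() != canonical_host.lower():
            notes.append(f"host differs: {e.principal} vs canonical name {canonical_host}")
        elif rlm != realm:
            notes.append(f"realm differs: {e.principal} (realms are case-sensitive)")
        else:
            notes.append(f"host differs only by case: {e.principal}")
    return False, notes
```

On a real host, feed it the output of `ktutil` (`rkt /etc/krb5.keytab`, then `list`), the name from `hostname -f`, and the realm shown in the klist default principal.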
