Problems using AD as KDC
shane.stakem@managestar.com
Thu Nov 20 20:49:12 EST 2003
This doc will make this all possible. It's actually easier than you might think:
http://www.securityfocus.com/infocus/1563
-----Original Message-----
From: Neil McFadyen [mailto:nmcfadye at mae.carleton.ca]
Sent: Wednesday, November 19, 2003 9:13 AM
To: kerberos at MIT.EDU
Subject: Re: Problems using AD as KDC
Did you find a solution? I would like to do the same thing for our Unix
NIS domain and Windows AD.
Neil
Christian Palomino wrote:
> I've seen some posts that reflect similar problems to what I'm
> having, but didn't find a solution.
>
> We've got a corporate Active Directory, with a root domain used to
> keep some service and security accounts as well as some servers with the
> infrastructure FSMO roles (Schema Master, Domain Naming Master,
> Infrastructure Master, ...). On a child domain, we've got the servers,
> computers and users. We are trying to be able to authenticate users
> and services also on our UNIX machines, so we can give some kind of
> Single Sign On for the few users (basically in the IT department) which
> use the UNIX machines, and especially be able to offer UNIX services to
> the users without having to ask them for a user and password once
> they are logged in to the AD.
>
> I've followed both Microsoft and MIT papers, and from a NetBSD box and a
> SuSE box I've got the same problem. I can kinit from a user and get a
> ticket from the AD for the user with the same name (or use kinit
> username) and it works perfectly. But it seems service and host mapping
> doesn't work. I've created an account for my host and for the ksu
> service as explained in the Msft. papers, but I get the following error:
> ksu: Server not found in Kerberos database while getting credentials
> from kdc Authentication failed.
>
> But ksu is in krb5.keytab, imported from AD with ktpass:
> idaho.solmelia.corp:/home/chpl000# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 1 host/idaho.solmelia.corp at SOLMELIA.CORP
> 2 1 ksu/idaho.solmelia.corp at SOLMELIA.CORP
> ktutil:
>
> OTOH, login.krb5 does work perfectly:
> idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> login: chpl000
> Password for chpl000:
> Last login: Wed Nov 12 11:52:03 on ttyp0
> NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
>
> Welcome to NetBSD!
>
> You have mail.
> Disk quotas for user chpl000 (uid 1000): none
> idaho.solmelia.corp:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_p934
> Default principal: chpl000 at SOLMELIA.CORP
>
> Valid starting Expires Service principal
> 11/12/03 11:53:04 11/12/03 21:55:30 krbtgt/SOLMELIA.CORP at SOLMELIA.CORP
> renew until 11/13/03 11:53:04
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> Does anyone have a hint on how to solve this issue? I have no clue on
> what to do after searching everywhere...
>
> Thanks and best regards (and sorry for the long post)
>
> --
> Christian Palomino
> mailto::zakhrin at freeshell.org
> http://www.palominocassain.com
> GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
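The error Christian quotes, "Server not found in Kerberos database", is the KDC saying it has no principal by the name the client asked for (KDC_ERR_S_PRINCIPAL_UNKNOWN). A keytab entry created with ktpass only proves the Unix side holds a key; it says nothing about whether AD has the matching servicePrincipalName on some account. The following script is an added example, not code from anyone in this thread: it cross-checks a `ktutil list` listing against the output of `setspn -L <account>` and reports keytab principals that AD could not resolve, plus realm-name mismatches. Both sample outputs are constructed for the example (the setspn listing is an assumption about what the computer account might carry, and ksu being unregistered is one hypothesis consistent with the error, not something the thread confirms); the `setspn -L` line format is the tool's real one.

```python
import re

# Constructed sample: the keytab listing from the thread as `ktutil: list`
# prints it. The archive rendered "@" as " at ", so the parser accepts both.
KTUTIL_LIST = """slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/idaho.solmelia.corp@SOLMELIA.CORP
   2    1 ksu/idaho.solmelia.corp@SOLMELIA.CORP
"""

# Constructed sample: assumed output of `setspn -L idaho` on a domain
# controller for the computer account; here it carries only the host SPN.
SETSPN_LIST = """Registered ServicePrincipalNames for CN=idaho,CN=Computers,DC=solmelia,DC=corp:
    host/idaho.solmelia.corp
    HOST/IDAHO
"""

# slot, kvno, service/instance, then "@REALM" or the archive's " at REALM"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+?)(?:@|\s+at\s+)(\S+)\s*$")


def parse_ktutil(text):
    """Return [(kvno, 'service/instance', 'REALM'), ...] from a ktutil listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(2)), m.group(3), m.group(4)))
    return entries


def parse_setspn(text):
    """Return the SPNs registered on the account, lower-cased.

    AD compares servicePrincipalName values case-insensitively, so folding
    case here mirrors what the KDC does when it looks the name up.
    """
    spns = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.add(line.strip().lower())
    return spns


def check_keytab_against_ad(ktutil_text, setspn_text, expected_realm):
    """Return a list of findings; an empty list means every keytab principal resolves."""
    findings = []
    registered = parse_setspn(setspn_text)
    for kvno, spn, realm in parse_ktutil(ktutil_text):
        # Realm names are case-sensitive in Kerberos, unlike AD's SPN lookup.
        if realm != expected_realm:
            findings.append(
                f"{spn}@{realm}: realm differs from {expected_realm} "
                "(Kerberos realm names are case-sensitive)"
            )
        if spn.lower() not in registered:
            findings.append(
                f"{spn}@{realm} (kvno {kvno}): no matching servicePrincipalName "
                "in AD; the KDC answers 'Server not found in Kerberos database'"
            )
    return findings


if __name__ == "__main__":
    for finding in check_keytab_against_ad(KTUTIL_LIST, SETSPN_LIST, "SOLMELIA.CORP"):
        print(finding)
```

In practice you would paste the real `ktutil list` output and the real `setspn -L` output for every account that ktpass was run against (ktpass maps a principal to one account, so a `ksu/...` SPN may live on a different account than the `host/...` one); a clean run means the name the client requests exists on the KDC, and the next things to compare are the KVNO and the key type in the keytab against the account.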