Problems using AD as KDC

shane.stakem@managestar.com shane.stakem at managestar.com
Thu Nov 20 20:49:12 EST 2003


This doc will make this all possible. It's actually easier than you might
think.

http://www.securityfocus.com/infocus/1563

-----Original Message-----
From: Neil McFadyen [mailto:nmcfadye at mae.carleton.ca] 
Sent: Wednesday, November 19, 2003 9:13 AM
To: kerberos at MIT.EDU
Subject: Re: Problems using AD as KDC


Did you find a solution?  I would like to do the same thing for our unix
NIS domain and windows ad.

Neil

Christian Palomino wrote:

> I've seen some posts that reflect similar problems to what I'm 
> having, but didn't find a solution.
>
> We've got a corporate Active Directory, with a root domain used to 
> keep some service and security accounts as well as some servers with the
> infrastructure FSMO roles (Schema Master, Domain Naming Master, 
> Infrastructure Master,...). On a child domain, we've got the servers, 
> computers and users. We are trying to be able to authenticate users 
> and services also on our UNIX machines, so we can give some kind of 
> Single Sign On for the few users (basically in the IT department) which
> use the UNIX machines, and especially be able to offer UNIX services to
> the users without having to ask them for a user and password once 
> they are logged in to the AD.
>
> I've followed both Microsoft and MIT papers, and from a NetBSD box and
> a SuSE box I've got the same problem. I can kinit from a user and get a 
> ticket from the AD for the user with the same name (or use kinit
> username) and it works perfectly. But it seems service and host mapping 
> doesn't work. I've created an account for my host and for the ksu 
> service as explained in the Msft. papers, but I get the following error:
> ksu: Server not found in Kerberos database while getting credentials from kdc
> Authentication failed.
>
> But ksu is in krb5.keytab, imported from AD with ktpass: 
> idaho.solmelia.corp:/home/chpl000# ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1   host/idaho.solmelia.corp@SOLMELIA.CORP
>    2    1    ksu/idaho.solmelia.corp@SOLMELIA.CORP
> ktutil:
>
> OTOH, login.krb5 does work perfectly:
> idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> login: chpl000
> Password for chpl000:
> Last login: Wed Nov 12 11:52:03 on ttyp0
> NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
>
> Welcome to NetBSD!
>
> You have mail.
> Disk quotas for user chpl000 (uid 1000): none
> idaho.solmelia.corp:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_p934
> Default principal: chpl000@SOLMELIA.CORP
>
> Valid starting     Expires            Service principal
> 11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/SOLMELIA.CORP@SOLMELIA.CORP
>         renew until 11/13/03 11:53:04
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> Does anyone have a hint on how to solve this issue? I have no clue on 
> what to do after searching everywhere...
>
> Thanks and best regards (and sorry for the long post)
>
> --
> Christian Palomino
> mailto:zakhrin at freeshell.org
> http://www.palominocassain.com
> GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
>




________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
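An added diagnostic for the failure Christian describes, not taken from any post in this thread: it lists the principals in a keytab with `klist -k` and asks the KDC (here AD) for a service ticket for each with `kvno`, so a principal that ktpass wrote into the keytab but that the KDC does not know shows up as MISSING before ksu ever fails. It assumes MIT Kerberos client tools and a TGT already obtained with kinit; the keytab path is an assumed default, override it with KEYTAB=.

```shell
#!/bin/sh
# Added example: check every principal in a keytab against the KDC.
# "Server not found in Kerberos database" means the KDC has no entry
# (on AD: no account carrying that servicePrincipalName) for the
# service principal, even though ktpass put its key into the keytab.
# Assumes MIT Kerberos tools (klist, kvno) and a TGT from kinit.

# Pick "KVNO principal" pairs out of `klist -k` output read on stdin.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $1, $2 }'
}

# Pull the key version number out of kvno(1) output read on stdin,
# e.g. "ksu/idaho.solmelia.corp@SOLMELIA.CORP: kvno = 1" -> "1".
parse_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Request a service ticket for $1; print the KVNO the KDC issued, or
# "missing" when the request fails. Without a TGT every entry fails,
# so run kinit as the AD user first.
kdc_kvno() {
    if out=$(kvno "$1" 2>&1); then
        printf '%s\n' "$out" | parse_kvno
    else
        echo missing
    fi
}

# Compare the keytab KVNO with the KDC's answer for each keytab entry.
check_keytab() {
    klist -k "$1" | keytab_entries | while read -r kvno princ; do
        got=$(kdc_kvno "$princ")
        if [ "$got" = missing ]; then
            echo "MISSING   $princ: KDC has no such principal (check the SPN on the AD account)"
        elif [ "$got" != "$kvno" ]; then
            echo "MISMATCH  $princ: keytab kvno=$kvno, KDC kvno=$got (keytab is stale)"
        else
            echo "OK        $princ kvno=$kvno"
        fi
    done
}

# Keytab path is an assumption; override with KEYTAB=/path/to/file.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
if [ -r "$KEYTAB" ]; then
    check_keytab "$KEYTAB"
else
    echo "no readable keytab at $KEYTAB, nothing checked" >&2
fi
```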