Help on Unix kerberos client->win2k3 kerberos KDC

MINGHAO WANG, BLOOMBERG/ 499 PARK MWANG12 at bloomberg.net
Fri Oct 31 18:07:07 EST 2003


Hello,

I am a newbie to kerberos authentication, and what I am trying to do is to use a Unix LDAP client to authenticate to the win2k3 server, and add a user to it.

The way I tried to do it is by following MIT's tutorial and sample code under www.mit.edu/afs/athena/astaff/project/ldap/AD99/kerberossamp.txt, and I configured the Unix machine based on the Microsoft tutorial http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

=========>
I can successfully obtain a TGT from the win2k3 KDC server by running kinit; here is the result:

$ kdestroy
$ kinit
Password for mwang@SYSTEST.abc.COM: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1023
Default principal: mwang@SYSTEST.abc.COM

Valid starting     Expires            Service principal
10/31/03 17:53:08  11/01/03 03:50:48  krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08


Kerberos 4 ticket cache: /tmp/tkt1023
klist: You have no tickets cached

===========>
Then I tried to run the adduser program; I made a little change to the code to set some default values. Here is the result (the new user account is: nweuser):
LDAP service name: ldap@bloomber-vy45cz.systest.abc.com
==> client_establish_context
Sending init_sec_context token (size=1254)...
60 82 04 e2 06 09 2a 86 48 86 f7 12 01 02 02 01 
00 6e 82 04 d1 30 82 04 cd a0 03 02 01 05 a1 03 
02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 04 05 
61 82 04 01 30 82 03 fd a0 03 02 01 05 a1 17 1b 
15 53 59 53 54 45 53 54 2e 42 4c 4f 4f 4d 42 45 
52 47 2e 43 4f 4d a2 38 30 36 a0 03 02 01 03 a1 
2f 30 2d 1b 04 6c 64 61 70 1b 25 62 6c 6f 6f 6d 
62 65 72 2d 76 79 34 35 63 7a 2e 73 79 73 74 65 
73 74 2e 62 6c 6f 6f 6d 62 65 72 67 2e 63 6f 6d 
a3 82 03 a1 30 82 03 9d a0 03 02 01 17 a1 03 02 
01 07 a2 82 03 8f 04 82 03 8b e4 1d 62 08 62 77 
79 65 d7 19 25 3f 5e 22 7f cd dd a9 87 4b 01 68 
d8 4c 2a 31 45 9b 13 3c cb 2a 48 27 35 9e e2 e8 
75 18 43 42 81 3a 64 d7 fc 47 15 12 94 5d 37 f7 
76 ef a4 d8 7b ea e8 6c c1 73 3f 04 be ce 61 0d 
6c bc e9 be 21 76 01 ba 2e bb 97 0c 37 c6 0c 70 
d4 75 c2 e2 88 aa 50 c7 93 8d c6 c1 ab d8 dd 0b 
79 86 c0 93 cb a5 fb 64 29 12 6a 42 81 68 3c 1b 
cb 72 c3 90 0d d4 bc fb 12 30 56 73 55 1d d9 15 
f6 a5 93 c5 99 20 ef 74 3c 27 c0 7a 88 e4 d7 a2 
83 3d f7 25 9b 9b 90 c1 61 ee 7f 44 36 58 fd b9 
6e 3c e1 2f a6 1c 65 97 22 40 4e 0c bf 68 a6 2f 
56 03 da 1f 99 d4 0e 12 02 3b 67 42 f4 eb a5 d6 
dd 1e a6 04 68 60 60 7a 59 18 f0 a5 d0 58 20 8f 
ff 49 6f a3 08 ad b7 45 cc 7d e2 2c 9b 12 36 a5 
1c b5 88 25 3b 1d fe 51 71 1d 8a 5a 4e 0a 69 2b 
bb 49 69 75 3d 1b a5 a5 fb 33 e4 8c a7 b8 83 58 
23 b2 43 b3 01 88 50 c0 9b c4 be f8 c2 4f b0 3f 
ab e2 de 6a f5 62 ae 04 4e c2 d1 58 32 14 af 58 
9f 6d f9 80 03 5e af d5 f0 d8 55 33 80 8a 00 3c 
96 ac c6 5d 0d 11 e5 ed 4a d5 16 87 d7 f7 a0 57 
fe 07 fc 3e a8 db 0f 5c 59 2c 39 e1 b3 bb f6 fd 
89 e6 88 39 6a 9c b6 80 a8 46 0d b5 86 74 c7 a5 
40 63 31 a9 e1 23 a3 66 8e 5b d1 6f d4 96 55 e8 
7e 54 2f b8 8d 85 3f e8 27 28 38 ed e4 19 3e a3 
d8 8e d0 6f 23 ca c8 30 3d 16 97 2b f5 08 cc 26 
ee 33 38 2a e7 02 64 c0 17 8c 7f 25 f3 c6 95 54 
ac 35 12 7b 16 5e 14 56 14 e3 f5 0d 38 40 f9 0b 
bb eb 4b 60 0b ba 74 98 42 cc 02 38 73 96 b8 a3 
e0 fe fc 4f d9 b5 e8 6c 38 3b a2 0c 2a 11 5a e5 
90 75 f7 08 ad 6d de 30 7c 50 88 dd 17 4a 64 47 
59 8c c8 6a db e6 0f d1 75 78 9a 33 10 d6 5f 85 
16 61 93 aa fd a3 b3 6c e4 e3 09 b1 05 f0 31 21 
44 a9 00 2a 2c 61 c0 ad 7a fe f6 94 c4 84 26 2c 
f5 98 1d f1 6e d1 fa 5c 52 fc 8e 82 24 54 5a 66 
3e e3 27 c6 ec 25 a6 1a e3 78 b4 bb d9 29 28 29 
39 a1 6c 9a e3 6d 39 2b 12 69 ae 38 ea 27 be c7 
3d 5a b4 69 03 18 b9 69 af e4 ff a9 dc f7 18 cf 
c8 78 68 b9 d7 f8 0e 9c b8 ec e2 c4 83 81 8d dd 
3b 7a 97 ef 26 a4 ab f8 c4 e1 b3 3c 9f 17 ee d5 
97 84 40 3b 73 c5 a6 56 38 59 7a a2 c6 88 4e 35 
77 64 95 5b 91 93 5b aa 3c 7e 4d 3a 66 34 3a ed 
c4 87 0c b3 6a 87 9c 6e 0c af 98 70 c4 75 b0 d9 
2b 26 c5 19 2d 10 6b e9 21 0d 30 c6 a9 f1 d3 35 
28 ae e4 e9 dd 71 1b 3c 79 0f d2 c5 5e ec 04 fa 
e7 7a 7d 8b ed 41 a1 d3 a4 98 75 42 ef c0 f5 7f 
a5 4a 96 09 6d 6e c5 b4 bc 29 16 fc 8b 7d 25 d3 
dd a0 2e 70 a3 4f bf 8e 67 b8 fb d1 ee 7e 32 2c 
a4 18 19 a3 01 36 8f 51 87 b3 7b df 89 f8 3e d2 
d4 c8 2f 46 a8 d8 cc 33 c2 a4 74 2b b4 df 38 62 
20 c8 cd 4a 88 a0 54 f9 06 12 0a 51 d6 44 ed bd 
72 ec a7 72 0c 59 aa b9 2c e3 1f ad 65 20 b1 9b 
0e fd 0d 52 15 e9 4d 5d 88 fc 8b f5 68 ca 78 95 
6a 54 4b 83 d8 72 89 92 d7 10 6d 68 0c ef 49 b8 
09 da 1b de 52 91 28 a7 27 80 37 1d dd 33 28 63 
2e ea 37 47 b6 09 22 db 58 26 c4 04 8b 59 88 2e 
fb 6a 56 0e ed 9d 7b be ed d5 85 ee 0f b3 10 05 
bb 23 11 0b 22 a4 81 ae 30 81 ab a0 03 02 01 01 
a2 81 a3 04 81 a0 e4 16 92 7a c9 46 c6 eb da b8 
0a 41 35 11 0a 9c 7f 4a 90 65 e1 bd 4b 17 91 76 
3d f0 ab ed ac 98 fb 7d 44 51 22 a7 cf 3a 8d 1f 
a7 7d 06 30 8b 00 56 65 b7 e5 a8 24 d5 1a 15 e4 
0f e8 41 9e 5e bc d6 7f 28 81 e2 67 e5 e9 4c 47 
48 4b 0f 6f 7e 79 99 29 69 f5 4c a5 bb 6a 45 10 
b9 9c 49 c9 d9 24 9a f2 c6 06 41 54 4a 9e c4 33 
38 d9 20 af ba d0 13 d8 fe 48 0f 1d f2 6c ca c1 
b7 a3 11 a4 98 0f a2 6c 5d 49 07 55 6d bc 40 71 
9b ed 42 f1 88 27 57 ee 14 96 9d ee bb ad 82 03 
31 bb df 50 e1 f9 
==> send_token
<== send_token
continue needed...
==> recv_token
<== recv_token
<== recv_token
Received token (size=114)...
60 70 06 09 2a 86 48 86 f7 12 01 02 02 02 00 6f 
61 30 5f a0 03 02 01 05 a1 03 02 01 0f a2 53 30 
51 a0 03 02 01 01 a2 4a 04 48 07 91 af 30 09 98 
7f bb 18 dd c7 36 59 73 fb de df a3 dc cf e9 33 
83 01 a0 58 41 0c f6 1a fe b3 94 36 f1 ee a9 4b 
85 fb de ca 52 5a a5 d0 fc f8 f6 e8 fd 5e c2 8c 
f3 b9 df 49 38 45 cc 92 a2 c1 65 06 c1 60 44 8f 
6c 2f 
Sending init_sec_context token (size=0)...

==> send_token
<== send_token
<== client_establish_context
==> negotiate_security_options
==> recv_token
<== recv_token
<== recv_token
Received token (size=53)...
60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 
00 ff ff ff ff 5c 18 82 8e 8c a0 6c a0 0f 47 1f 
6c 01 5b d4 25 57 ec 73 3f 7a 52 fc 45 07 a0 00 
00 04 04 04 04 
Received security token level 7 size -6291456
Sending security token level 1 size -6291456
==> send_token
<== send_token
==> parse_bind_result
<== parse_bind_result
<== negotiate_security_options
ldap_gssapi_bind: Invalid credentials
$ klist
Ticket cache: FILE:/tmp/krb5cc_1023
Default principal: mwang@SYSTEST.abc.COM

Valid starting     Expires            Service principal
10/31/03 17:53:08  11/01/03 03:50:48  krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08
10/31/03 17:50:55  11/01/03 03:50:48  ldap/bloomber-vy45cz.systest.abc.com@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08


Kerberos 4 ticket cache: /tmp/tkt1023
klist: You have no tickets cached

==============>
I see from the result that I retrieved the service ticket for the ldap service. But somehow the authentication still failed. The received security token level 7 has a size of -6291456, which is abnormal. Does anyone know which step is wrong with the authentication?

Unfortunately I have no idea what is happening here!!

Any suggestion will be happily received.

Thanks a lot.

Sincerely, Howard
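As an added example (not part of the post above and not the MIT sample code the poster modified), the following C program decodes the 4-octet SASL GSSAPI security-layer negotiation token defined in RFC 2222 section 7.2.1 (later RFC 4752): the first octet is a bitmask of the layers the server offers (1 = none, 2 = integrity, 4 = confidentiality) and octets two to four carry the server's maximum buffer size in network byte order. Its input is the four octets 07 a0 00 00 that precede the 04 04 04 04 padding at the end of the 53-byte token in the log. Reading the length through a signed char pointer yields exactly -6291456, the value printed in the log, because 0xa0 sign-extends to -96 before it is multiplied by 65536; reading the same octets as unsigned gives layers 0x07 and a 10 MiB maximum. Whether that decoding error is what leads to the "Invalid credentials" result the post does not establish; the example only shows the two decodings, a layer selection, and how a client builds its reply token. All function names and constants are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Security-layer bits in the first octet of the SASL GSSAPI
 * negotiation token (RFC 2222 section 7.2.1, later RFC 4752). */
#define SASL_SEC_NONE            0x01u
#define SASL_SEC_INTEGRITY       0x02u
#define SASL_SEC_CONFIDENTIALITY 0x04u

/* Constructed input: the four plaintext octets at the end of the
 * 53-byte token in the log (07 a0 00 00, before the 04 04 04 04 padding).
 * Layers 0x07 = all three offered, maximum buffer 0xa00000 octets. */
static const unsigned char SERVER_TOKEN[4] = { 0x07, 0xa0, 0x00, 0x00 };

/* Pitfall: decoding the 3-octet length through a signed char pointer.
 * 0xa0 reads as -96, and -96 * 65536 = -6291456, the value printed in the
 * log. Arithmetic is used instead of shifts so that the negative
 * intermediate is not undefined behaviour in C. */
long sasl_max_size_signed_bug(const signed char *tok)
{
    return (long)tok[1] * 65536 + (long)tok[2] * 256 + (long)tok[3];
}

/* Correct decode: widen every octet as unsigned before combining. */
uint32_t sasl_max_size(const unsigned char *tok)
{
    return ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | (uint32_t)tok[3];
}

/* The offered-layers bitmask is the first octet. */
unsigned sasl_layers(const unsigned char *tok)
{
    return tok[0];
}

/* Pick the strongest layer the server offers that the client is willing
 * to use. Returns 0 when there is no overlap, so the caller can abort the
 * bind instead of silently continuing without protection. */
unsigned sasl_choose_layer(unsigned offered, unsigned client_allows)
{
    unsigned common = offered & client_allows;
    if (common & SASL_SEC_CONFIDENTIALITY) return SASL_SEC_CONFIDENTIALITY;
    if (common & SASL_SEC_INTEGRITY)       return SASL_SEC_INTEGRITY;
    if (common & SASL_SEC_NONE)            return SASL_SEC_NONE;
    return 0;
}

/* Build the client's reply token: the chosen layer in octet one, then the
 * client's own maximum receive size as a 3-octet big-endian value
 * (clamped to the 24 bits the field can hold). Returns -1 if no layer. */
int sasl_build_client_token(unsigned layer, uint32_t max_size, unsigned char out[4])
{
    if (layer == 0) return -1;
    if (max_size > 0xffffffu) max_size = 0xffffffu;
    out[0] = (unsigned char)layer;
    out[1] = (unsigned char)(max_size >> 16);
    out[2] = (unsigned char)(max_size >> 8);
    out[3] = (unsigned char)max_size;
    return 0;
}

int main(void)
{
    unsigned char reply[4];
    unsigned layer;

    printf("signed-char decode: %ld\n",
           sasl_max_size_signed_bug((const signed char *)SERVER_TOKEN));
    printf("unsigned decode: layers=0x%02x max=%u\n",
           sasl_layers(SERVER_TOKEN), sasl_max_size(SERVER_TOKEN));

    layer = sasl_choose_layer(sasl_layers(SERVER_TOKEN),
                              SASL_SEC_CONFIDENTIALITY | SASL_SEC_INTEGRITY);
    if (sasl_build_client_token(layer, 65536, reply) == 0)
        printf("client reply: %02x %02x %02x %02x\n",
               reply[0], reply[1], reply[2], reply[3]);
    return 0;
}
```

The client in the log replied with "level 1", i.e. SASL_SEC_NONE; with the selection above, a client that only permits integrity or confidentiality would instead choose confidentiality here, since the server offers all three.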