Authentication to AD from different domains

Umble, Butch Umble.Butch at principal.com
Wed Mar 24 18:08:38 EST 2004


Hello,

Has anyone had success authenticating AIX servers to a 2003 Active Directory KDC where the AIX servers are defined to a different domain than the Active Directory server?
 
Our progress thus far:

We successfully communicate with AD via kinit, kpasswd, etc.

A klist verifies a ticket was defined for the machine.

Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  user0 at PILOTPUSA.PILOTCORP.BUMBLE.COM

Valid starting     Expires            Service principal
03/24/04 13:18:11  03/24/04 23:18:11  krbtgt/PILOTPUSA.PILOTCORP.BUMBLE.COM at PILOTPUSA.PILOTCORP.BUMBLE.COM


However, when we try to authenticate to AD with the account we fail with the following debug messages:

Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:08:33 ua011 tsm: Entering krb_normalize...user0
Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:07:23 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] user0 is normalized to user0
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] cache file is /var/krb5/security/creds/krb5cc_user0 at PILOTPUSA.PILOTCORP.BUMBLE.COM_225
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Got TGT ...
Mar 24 13:07:23 ua011 tsm: [getFQHN] entered...
Mar 24 13:07:23 ua011 tsm: [getFQHN] hostname is ua011.bumble.com
Mar 24 13:07:23 ua011 tsm: [getFQHN] normal exit...
Mar 24 13:07:23 ua011 tsm: [is_tgt_valid] hostname is ua011.bumble.com
Mar 24 13:07:23 ua011 tsm: Service name = host/ua011.bumble.com at PILOTPUSA.PILOTCORP.BUMBLE.COM
Mar 24 13:07:23 ua011 tsm:  Client principal in request is same as in TGT
Mar 24 13:07:23 ua011 tsm: Error in getting service ticket for host/<hostname> ...
Mar 24 13:07:23 ua011 tsm: Server not found in Network Authentication Service database
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] TGT validation failed ...
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Exiting krb_authenticate...
Mar 24 13:07:23 ua011 syslog: pts/6: failed login attempt for user0 from 162.131.196.187


We have been working with the vendor trying to analyze the problem.  From their view, the problem is related to having the AIX servers residing in one domain and the AD server defined to another domain. 

We find it hard to believe that we are the only shop which is configured in this manner.  

If anyone has any insight on how to solve this problem/error and would be willing to share their resolution we would appreciate hearing from you.


Thank you,
 -Butch
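The debug output above contains everything needed to localize the failure: the TGT for user0 is fine, but the tsm login stack then tries to fetch a service ticket for host/ua011.bumble.com@PILOTPUSA.PILOTCORP.BUMBLE.COM to validate the TGT, and the KDC answers that no such server principal exists. The following Python triage script is an added example, not code from the post, from IBM or from the list; it parses the quoted klist and tsm lines, recovers the client principal, the host service principal and the KDC error, and flags that the host's DNS domain (bumble.com) does not fall under the realm's DNS domain (pilotpusa.pilotcorp.bumble.com). Two things in it are assumptions: the mapping from AIX NAS error text to MIT KDC error codes (NAS reuses MIT's wording with "Kerberos" renamed), and the rule that a host whose domain is not the realm's domain or a child of it needs an explicit [domain_realm] entry.

```python
"""Triage of an AIX tsm Kerberos-login failure (added example, not from the post).

Parses klist/tsm debug lines, recovers the client principal, the host/<fqhn>
service principal requested for TGT validation, and the KDC error, then checks
whether the host's DNS domain sits under the realm's DNS domain.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the lines quoted in the post.  The list archive
# rewrote '@' as ' at '; parse_principal() accepts either spelling.
SAMPLE_LOG = """\
Default principal:  user0 at PILOTPUSA.PILOTCORP.BUMBLE.COM
Mar 24 13:07:23 ua011 tsm: [getFQHN] hostname is ua011.bumble.com
Mar 24 13:07:23 ua011 tsm: Service name = host/ua011.bumble.com at PILOTPUSA.PILOTCORP.BUMBLE.COM
Mar 24 13:07:23 ua011 tsm: Error in getting service ticket for host/<hostname> ...
Mar 24 13:07:23 ua011 tsm: Server not found in Network Authentication Service database
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] TGT validation failed ...
"""

# AIX NAS prints MIT's error strings with "Kerberos" renamed.  Mapping the
# text back to the KDC error code is an assumption based on the MIT wording.
ERROR_TEXT = {
    "Server not found in Network Authentication Service database":
        "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    "Client not found in Network Authentication Service database":
        "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "Clock skew too great": "KRB5KRB_AP_ERR_SKEW",
}


@dataclass
class Principal:
    primary: str             # "user0" or "host"
    instance: Optional[str]  # "ua011.bumble.com" for a service principal
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'primary[/instance]@REALM', tolerating the archive's ' at '."""
    name, _, realm = text.strip().replace(" at ", "@").partition("@")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def host_under_realm(realm: str, fqhn: str) -> bool:
    """True if the host's DNS domain equals the realm's DNS domain or is a
    child of it, i.e. the default hostname-to-realm mapping would select this
    realm without an explicit [domain_realm] entry (assumed rule)."""
    host_dom = fqhn.lower().partition(".")[2]
    realm_dom = realm.lower()
    return host_dom == realm_dom or host_dom.endswith("." + realm_dom)


@dataclass
class Diagnosis:
    client: Optional[Principal] = None
    service: Optional[Principal] = None
    hostname: Optional[str] = None
    error_code: Optional[str] = None

    @property
    def cross_domain(self) -> Optional[bool]:
        if self.service is None or self.hostname is None:
            return None
        return not host_under_realm(self.service.realm, self.hostname)

    def findings(self) -> list[str]:
        out = []
        if self.cross_domain:
            out.append(f"host {self.hostname} is not in the DNS domain of realm "
                       f"{self.service.realm}; krb5.conf needs an explicit "
                       f"[domain_realm] mapping for it")
        if self.error_code == "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" and self.service:
            spn = f"{self.service.primary}/{self.service.instance}"
            out.append(f"KDC has no account with SPN {spn}: register it on the "
                       f"host's AD account and put the matching key in the AIX keytab")
        return out


_RULES = [
    (re.compile(r"Default principal:\s+(.+)$"), "client"),
    (re.compile(r"\[getFQHN\] hostname is (\S+)"), "hostname"),
    (re.compile(r"Service name = (.+)$"), "service"),
]


def diagnose(log: str) -> Diagnosis:
    """Run the line rules over the log and return what was recovered."""
    d = Diagnosis()
    for line in log.splitlines():
        for rx, field_name in _RULES:
            m = rx.search(line)
            if m is None:
                continue
            value = m.group(1).strip()
            setattr(d, field_name,
                    value if field_name == "hostname" else parse_principal(value))
        for text, code in ERROR_TEXT.items():
            if text in line:
                d.error_code = code
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("client :", result.client)
    print("service:", result.service)
    print("error  :", result.error_code)
    for finding in result.findings():
        print("finding:", finding)
```

On the sample the script reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for host/ua011.bumble.com and a cross-domain host. Whether that is resolved by registering the SPN on the AIX host's AD account (setspn or ktpass) and installing the resulting key in the host's keytab is the usual remedy for this error in an AD realm, but it is not something the thread confirms; the login stack's purpose in fetching a host/ ticket is to prove the TGT came from the real KDC, so simply disabling that validation trades away the KDC-spoofing check.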