Authentication to AD from different domains

Douglas E. Engert deengert at anl.gov
Wed Mar 24 19:25:18 EST 2004



"Umble, Butch" wrote:
> 
> Hello,
> 
> Has anyone had success authenticating AIX servers to a 2003 Active Directory KDC where the AIX servers are defined to a different domain than the active directory server.

> 
> Our progress thus far:
> 
> We successfully communicate with AD via kinit, kpasswd, etc..
> 
> A klist verifies a ticket was defined for the machine.
> 
> Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
> Default principal:  user0 at PILOTPUSA.PILOTCORP.BUMBLE.COM
> 
> Valid starting     Expires            Service principal
> 03/24/04 13:18:11  03/24/04 23:18:11  krbtgt/PILOTPUSA.PILOTCORP.BUMBLE.COM at PILOTPUSA.PILOTCORP.BUMBLE.COM
> 
> However, when we try to authenticate to AD with the account we fail with the following debug messages:
> 
> Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
> Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:08:33 ua011 tsm: Entering krb_normalize...user0
> Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
> Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:07:23 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] user0 is normalized to user0
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] cache file is /var/krb5/security/creds/krb5cc_user0 at PILOTPUSA.PILOTCORP.BUMBLE.COM_225
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Got TGT ...
> Mar 24 13:07:23 ua011 tsm: [getFQHN] entered...
> Mar 24 13:07:23 ua011 tsm: [getFQHN] hostname is ua011.bumble.com
> Mar 24 13:07:23 ua011 tsm: [getFQHN] normal exit...
> Mar 24 13:07:23 ua011 tsm: [is_tgt_valid] hostname is ua011.bumble.com
> Mar 24 13:07:23 ua011 tsm: Service name = host/ua011.bumble.com at PILOTPUSA.PILOTCORP.BUMBLE.COM

The client lib will try and determine the realm of the host. Based on the above
message, it thinks it is in PILOTPUSA.PILOTCORP.BUMBLE.COM, which is the same realm as
user0.

What are the names of the two realms?  Whose Kerberos? What is the application?
Does the krb5.conf have a [domain_realm] section? This is used on the
client lib to map hosts or DNS domains to a realm. You may have one,
as the messages above assumed the host was in PILOTPUSA.PILOTCORP.BUMBLE.COM,
whereas by default the client lib would have assumed BUMBLE.COM.





> Mar 24 13:07:23 ua011 tsm:  Client principal in request is same as in TGT
> Mar 24 13:07:23 ua011 tsm: Error in getting service ticket for host/<hostname> ...
> Mar 24 13:07:23 ua011 tsm: Server not found in Network Authentication Service database
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] TGT validation failed ...
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Exiting krb_authenticate...
> Mar 24 13:07:23 ua011 syslog: pts/6: failed login attempt for user0 from 162.131.196.187
> 
> We have been working with the vendor trying to analyze the problem.  From their view, the problem is related to having the AIX servers residing in one domain and the AD server defined to another domain.

You mean the user is registered in one realm/domain, and the host in another.
This requires Kerberos to do cross realm, which requires the two realms to have
a trust relationship.

> 
> We find it hard to believe that we are the only shop which is configured in this manner.
> 
> If anyone has any insight on how to solve this problem/error and would be willing to share their resolution we would appreciate hearing from you.
> 
> Thank you,
>  -Butch
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
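Added example, not code from the thread: a small model of the host-to-realm lookup the reply describes (exact host entry, then parent domains in [domain_realm], then the upper-cased DNS domain as the default), run over a constructed krb5.conf fragment that maps the bumble.com tree into the AD realm, and a check for whether the user and host realms differ so that cross-realm trust would be needed. The krb5.conf text and the function names are assumptions for illustration.

```python
# Constructed krb5.conf fragment (not from the thread). A [domain_realm] mapping like
# this would explain why the host was placed in the user's AD realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = PILOTPUSA.PILOTCORP.BUMBLE.COM

[domain_realm]
    .bumble.com = PILOTPUSA.PILOTCORP.BUMBLE.COM
    bumble.com = PILOTPUSA.PILOTCORP.BUMBLE.COM
"""


def parse_domain_realm(conf_text: str) -> dict:
    """Return the key/value pairs of the [domain_realm] section of a krb5.conf text."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(hostname: str, domain_realm: dict) -> str:
    """Realm a client library would pick for hostname, MIT-krb5 style lookup order."""
    host = hostname.rstrip(".").lower()
    labels = host.split(".")
    if host in domain_realm:                      # 1. exact host-name entry
        return domain_realm[host]
    for i in range(1, len(labels)):               # 2. parent domains, most specific first
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()           # 3. default: upper-cased DNS domain


def service_principal(hostname: str, domain_realm: dict) -> str:
    """host/<fqdn>@<realm> as the client would request it for TGT validation."""
    return f"host/{hostname.lower()}@{host_realm(hostname, domain_realm)}"


def needs_cross_realm(user_principal: str, hostname: str, domain_realm: dict) -> bool:
    """True when the user's realm and the host's realm differ (cross-realm trust needed)."""
    return user_principal.rsplit("@", 1)[1] != host_realm(hostname, domain_realm)
```

With the sample mapping the host lands in PILOTPUSA.PILOTCORP.BUMBLE.COM, as in the logged service name; with no mapping it defaults to BUMBLE.COM and the user/host realms differ.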