Kerberos authentication doesn't work against Windows 2003 AD...
Kent Wu
kwu at xsigo.com
Mon Aug 29 22:13:49 EDT 2005
Hi guys,
I wrote a program to authenticate
users against Windows 2000 AD using the MIT
Kerberos/GSSAPI SDK as well as the Sun LDAP SDK. Basically
what I did was authenticate users against AD
using Kerberos before doing LDAP search operations.
It was working perfectly until I wanted to migrate the
2000 AD to 2003 a week ago.
While doing Kerberos authentication against
AD 2003, the last step of ldap_sasl_bind_s() always
returns "invalid credentials" even though I've successfully
got the TGT as well as the service ticket for LDAP (AD 2003). If
I type "klist" right before the last ldap_sasl_bind_s() step,
I can see the following, and it's looking good.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Default principal: KWU at DOMAIN
Valid starting Expires Service principal
08/29/05 18:09:59 08/30/05 04:09:59 krbtgt/DOMAIN at DOMAIN
renew until 08/30/05 18:09:59
08/29/05 18:10:01 08/30/05 04:09:59 ldap/AD-HOSTNAME.DOMAIN at DOMAIN
renew until 08/30/05 18:09:59
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
However it still fails in the last ldap_sasl_bind_s() call.
My calling sequence is like this:
1. use Kerberos APIs to get/store TGT.
2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
(ldap_sasl_bind_s()) to engage kerberos authentication.
Basically I pass "GSSAPI" to the ldap_sasl_bind_s() call, and it
requires a loop (a couple of handshaking steps) to complete
the whole authentication process. It all works fine until
the last ldap_sasl_bind_s() call....
I've looked high and low on the internet and tried a variety of
configurations on both the client and server side, but ended up
with nothing. It's so weird that it works fine with AD 2000 but not
2003....
Can anyone help me out by sharing his/her own experience or
pointing me in the right direction?
Thanks a lot in advance !
-Kent
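The "last step" in the GSSAPI SASL loop described above is not another gss_init_sec_context() call: once the GSS context is complete, the mechanism (RFC 2222 section 7.2.1, later RFC 4752 section 3.1) has one more round trip in which the server sends a gss_wrap()ed 4-byte token offering security layers and a maximum message size, and the client replies with a wrapped 4-byte token selecting exactly one of those layers, followed by an optional authorization identity. A server that does not accept the client's choice rejects the bind at that point. The following is an added example, not code from the original post or from the MIT or Sun SDKs; it builds and validates the plaintext that goes inside those two wrap tokens so both sides' checks can be exercised offline. The gss_wrap()/gss_unwrap() calls themselves need a live context and are deliberately left out, and the sample bytes and identity "kwu" are constructed for illustration. Python is used rather than C so the exchange can be run without the GSSAPI and LDAP libraries installed.

```python
"""Plaintext payload of the final GSSAPI SASL round trip (RFC 2222 s.7.2.1,
RFC 4752 s.3.1).  The server's 4 bytes: bitmask of offered security layers,
then a 24-bit big-endian maximum receive size.  The client's reply: one
selected layer bit, its own 24-bit maximum receive size, then an optional
UTF-8 authzid.  Wrapping/unwrapping with a GSS context is not reproduced.
This is an added example, not code from the MIT Kerberos or Sun LDAP SDKs."""
from __future__ import annotations

# Security-layer bits defined by the GSSAPI SASL mechanism.
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04
_ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY
_MAX_24BIT = 0xFFFFFF


def decode_server_token(payload: bytes) -> tuple[int, int]:
    """Client side: parse the server's unwrapped token into (offered, max_size).
    If the server offers no security layer, the mask is exactly LAYER_NONE and
    the size must be 0."""
    if len(payload) != 4:
        raise ValueError(f"server token must be 4 bytes, got {len(payload)}")
    offered = payload[0]
    if offered == 0 or offered & ~_ALL_LAYERS:
        raise ValueError(f"invalid security-layer mask 0x{offered:02x}")
    max_size = int.from_bytes(payload[1:4], "big")
    if offered == LAYER_NONE and max_size != 0:
        raise ValueError("server offers no layer but advertises a non-zero size")
    return offered, max_size


def choose_layer(offered: int, preferred: tuple[int, ...]) -> int:
    """Client side: first layer in the client's preference order that the
    server offered.  Selecting a layer the server did not offer is exactly
    what makes the server fail the bind."""
    for layer in preferred:
        if offered & layer:
            return layer
    raise ValueError(f"no common security layer (server offered 0x{offered:02x})")


def encode_client_token(layer: int, max_size: int, authzid: str = "") -> bytes:
    """Client side: build the reply before gss_wrap().  Exactly one layer bit;
    max_size must be 0 when LAYER_NONE is chosen."""
    if layer not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("exactly one security layer must be selected")
    if layer == LAYER_NONE and max_size != 0:
        raise ValueError("max size must be 0 when no security layer is used")
    if not 0 <= max_size <= _MAX_24BIT:
        raise ValueError("max size must fit in 24 bits")
    return bytes([layer]) + max_size.to_bytes(3, "big") + authzid.encode("utf-8")


def decode_client_token(payload: bytes, offered: int) -> tuple[int, int, str]:
    """Server side: validate the client's unwrapped reply against what the
    server offered; returns (layer, max_size, authzid)."""
    if len(payload) < 4:
        raise ValueError("client token shorter than 4 bytes")
    layer = payload[0]
    if layer not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError(f"client selected an invalid layer byte 0x{layer:02x}")
    if not offered & layer:
        raise ValueError(f"client selected layer 0x{layer:02x} that was not offered")
    max_size = int.from_bytes(payload[1:4], "big")
    if layer == LAYER_NONE and max_size != 0:
        raise ValueError("no security layer but non-zero client max size")
    return layer, max_size, payload[4:].decode("utf-8")


def raises_value_error(func, *args) -> bool:
    """True when func(*args) is rejected with ValueError (used to show the
    failure modes without a live connection)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def negotiate(server_payload: bytes, preferred: tuple[int, ...],
              client_max: int, authzid: str = "") -> tuple[int, int, str]:
    """Run the plaintext half of the exchange end to end and return the
    server's view of the client's choice."""
    offered, _server_max = decode_server_token(server_payload)
    layer = choose_layer(offered, preferred)
    reply = encode_client_token(layer, client_max if layer != LAYER_NONE else 0, authzid)
    return decode_client_token(reply, offered)


if __name__ == "__main__":
    # Constructed sample: server offers all three layers, 64 KiB max size.
    server = bytes([0x07]) + (0x10000).to_bytes(3, "big")
    print(negotiate(server, (LAYER_CONFIDENTIALITY, LAYER_INTEGRITY), 0x10000, "kwu"))
```

A client that only ever answers with LAYER_NONE will be refused by a server whose offered mask does not include bit 0x01; the checks in decode_client_token() mirror the conditions a server applies before reporting the bind as failed, so tracing a real exchange through them shows which condition a rejected final token violated.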