Kerberos/SASL/LDAP/Windows - Message Stream Modified
degnan78
degnan78 at yahoo.com
Tue Oct 3 07:32:48 EDT 2006
Hi folks,
I'm trying to implement a SSO solution so that my Unix systems can
authenticate off my Windows Server 2003 R2 domain controllers. I liked this
approach because it's secure, doesn't necessarily need the extra overhead of
SSL/TLS, and I don't have to put a bind user's password in the ldap.conf
file. I have tried following instructions on several websites, including
these forums on Nabble as well as a Microsoft document:
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx
In any case, I feel like I'm pretty close to getting it working, but I keep
getting a nagging error message in /var/log/messages:
GSSAPI error: miscellaneous failure (message stream modified)
I created a user account in AD for the Linux system, then I used ktpass to
generate a key table, then copied that to /etc/krb5.keytab on the Linux box.
I can run "kinit -k" to get a TGT from AD without having to supply a
password, and I can see the AD accounts when I run 'getent passwd', but I
cannot ssh as an AD user.
When this failed, I tried Microsoft's suggestion to use css_adkadmin to
create the account and keytab from the Linux system, but this also resulted
in the same problem.
Here is my krb5.conf for your viewing pleasure:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
  default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
  EXAMPLE.COM = {
    kdc = exampledc1.example.com:88
    kdc = exampledc2.example.com:88
    admin_server = exampledc1.example.com:749
    default_domain = example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    validate = true
  }
And here is my ldap.conf (comments excluded):
host 192.168.1.11 192.168.1.12
base dc=example,dc=com
use_sasl on
rootuse_sasl yes
krb5_ccname /tmp/krb5cc_0
sasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
rootsasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_map_attribute gecos cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
sasl_secprops maxssf=0
ssl no
I have tried using the bundled versions of Kerberos 5, Cyrus-SASL, OpenLDAP,
and PADL's nss_ldap. I have also downloaded and installed the latest
versions of the above software, but the error message still showed up. Any
ideas???
Thanks,
Kevin
--
Sent from the Kerberos - General mailing list archive at Nabble.com.
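A first check worth running on the Linux box before digging into SASL is whether the keytab actually holds keys in the enctypes krb5.conf asks for and whether it has accumulated several key versions for the host principal; the following script, added here and not part of the original post, parses `klist -k -e` output and reports both. The listing, the principal name and the enctype display-name map are constructed assumptions; the enctype list is the one from the poster's krb5.conf.

```python
"""Compare a keytab listing against the krb5.conf enctype settings.

Added example, not from the original post. It parses the text printed by
`klist -k -e /etc/krb5.keytab` and reports, per principal, which of the
configured default_tgs_enctypes have no key in the keytab and how many
distinct kvnos are present (several kvnos usually mean the AD account's
password was reset more than once, e.g. by repeated ktpass runs).
"""
import re
from collections import defaultdict

# Enctype list exactly as it appears in the poster's krb5.conf
DEFAULT_TGS_ENCTYPES = "des-cbc-md5 des-cbc-crc"

# Constructed sample of `klist -k -e` output (principal name is assumed):
# the host key exists only as des-cbc-crc, with two leftover kvnos.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/test01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   4 host/test01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# klist prints MIT display names; map them to krb5.conf enctype identifiers.
ENCTYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return {principal: {(kvno, enctype_id), ...}} from klist -k -e output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and separator lines
        kvno, princ, name = int(m.group(1)), m.group(2), m.group(3)
        entries[princ].add((kvno, ENCTYPE_NAMES.get(name, name)))
    return dict(entries)

def check_keytab(klist_text, enctypes):
    """Per principal: configured enctypes with no key, and the sorted kvno list."""
    wanted = set(enctypes.split())
    report = {}
    for princ, keys in parse_klist(klist_text).items():
        present = {enc for _, enc in keys}
        report[princ] = {"missing": sorted(wanted - present),
                         "kvnos": sorted({kvno for kvno, _ in keys})}
    return report

if __name__ == "__main__":
    for princ, r in check_keytab(SAMPLE_KLIST, DEFAULT_TGS_ENCTYPES).items():
        print(princ, "missing:", r["missing"], "kvnos:", r["kvnos"])
```

A principal that is missing one of the configured enctypes, or whose highest kvno differs from what `kvno host/...` reports for a freshly obtained service ticket, is the first thing to reconcile against the AD account before looking further down the SASL/LDAP stack.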