Odd problem with Active Directory
Jeffrey Watts
jeffrey.w.watts at gmail.com
Wed Dec 16 16:56:30 EST 2009
Reaching out again hoping that someone might have an idea as to what my
problem is.
Thanks,
Jeffrey.
On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
<jeffrey.w.watts at gmail.com>wrote:
> Hello, I've been working with Kerberos for the last few months getting
> Linux and HP-UX servers to authenticate against AD. I've been using
> pam_krb5 and nss_ldap on Linux, and pam_krb5 and LDAP-UX on HP-UX.
>
> Anyhow, I'm having an odd issue with a few Linux servers. Our domain
> crosses many networks, so using DNS to find domain controllers hasn't worked
> very well, so I'm using three separate kdc entries in /etc/krb5.conf. I
> have dns_lookup_realm and dns_lookup_kdc set to false.
>
> I'm using Kerberos to secure the LDAP connection. Here are the relevant
> lines from my ldap.conf:
> use_sasl on
> krb5_ccname FILE:/etc/.ldapcache
> sasl_secprops maxssf=0
>
> When I initially migrated the systems I used 'net ads join' to create a
> machine account, and then I run 'kinit -k MACHINENAME$ -c /etc/.ldapcache'
> in a cronjob to keep a fresh ticket.
>
> I have all systems pointing to those three KDCs, in the same order:
> kdc1
> kdc2
> kdc3
>
> They were all running Windows2003 (not R2, but using the Windows2008R2
> schema). Two weeks ago, kdc1 was upgraded to Windows2008R2. Suddenly five
> of my Linux boxes (out of 109) stopped being able to check out tickets from
> that particular Windows2008R2 server. This includes RHEL4 and 5 systems.
> They are located in different networks, and identically configured systems
> do work (for example, devserver1 will work, but devserver2 will not). The
> keytab still works with the Windows2003 servers. The remaining 104 systems
> work fine with no issues.
>
> I've deleted the machine accounts and the local keytabs and recreated them,
> but those same machines still have the same problem (can authenticate
> against Win2003 servers but not Win2008R2). The last successful ticket
> checkout for all five of them occurred within an hour of each other, and it
> appears to be during the time when that KDC was upgraded.
>
> There is another Windows2008R2 server (kdc4) on our network that we don't
> normally use, and if I point those systems to it they have the same problem,
> so it seems to be some issue involving Windows2008R2 and these particular
> systems.
>
> Here is the error that 'kinit -k MACHINENAME$ -c /etc/.ldapcache' gives
> when pointing to to the Win2008R2 server:
> kinit(v5): Key table entry not found while getting initial credentials
>
> Here are my Kerberos versions:
> RHEL4: krb5-workstation-1.3.4-62.el4
> RHEL5: krb5-workstation-1.6.1-36.el5
>
> On the 64-bit systems, both the 32-bit and 64-bit libraries (krb5-libs) are
> installed. I know I must be missing something, as my understanding of
> Kerberos is purely functional and isn't comprehensive. Any advice would be
> appreciated.
>
> Thanks,
> Jeffrey.
>
> P.S. If anyone can recommend a good (and preferably succinct) book on
> Kerberos written for a sysadmin's use I'd appreciate it. As I said I have a
> functional understanding and I'd like to know more about concepts and
> strategies for implementation. I'm not interested in a book more oriented
> towards programmers.
>
>
--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
More information about the Kerberos
mailing list