SASL authentication
Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Mon Mar 23 05:31:49 EDT 2009
> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> You create a user with a sAMAccountName and a
> userPrincipalName (LDAP attribute names) and then use this
> userPrincipalName as parameter for kinit. LDAP-bind with
> SASL/GSSAPI will automagically obtain a service ticket. See
> my local test with OpenLDAP command-line tool below (all
> names manually obfuscated).
>
> If something fails check your DNS and /etc/krb5.conf
> especially regarding enc types.
Yes, now I am also suspecting something is wrong with DNS settings. But I don't know how to check them. Could you give me some examples?
The following is the content of my /etc/krb5.conf:
=======================================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = durian.fujixerox.com
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
  default_domain = sesswin2003.com
 }
 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
  admin_server = kerberos.durian.fujixerox.com:749
 }

[domain_realm]
 .sesswin2003.com = SESSWIN2003.COM
 sesswin2003.com = SESSWIN2003.COM
 durian.fujixerox.com = durian.fujixerox.com
 .durian.fujixerox.com = durian.fujixerox.com

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
=======================================
In this configuration file, "durian" is the hostname of the client machine. Is there anything wrong with it?
Thanks,
Xu Qiang
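
Added example (not part of the original message and not code from MIT Kerberos): a small offline consistency check for a krb5.conf like the one quoted above. The function names `parse_krb5`, `lint` and `kdc_hosts` are hypothetical, the sample is abridged from the post, and the upper-case check reflects the convention that Kerberos realm names are case-sensitive and written in upper case.

```python
import re
# Constructed sample: abridged from the krb5.conf quoted in the post above.
SAMPLE = """\
[libdefaults]
 default_realm = durian.fujixerox.com
[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
 }
 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
 }
[domain_realm]
 .sesswin2003.com = SESSWIN2003.COM
 .durian.fujixerox.com = durian.fujixerox.com
"""

def parse_krb5(text):
    # Handles [section] headers, 'key = value' lines and one level of { } blocks.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = conf.setdefault(m.group(1), {})
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(val)
    return conf

def lint(conf):
    findings, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] entry")
    findings += [f"realm {n!r} is not upper case" for n in realms if n != n.upper()]
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm[0] not in realms:
            findings.append(f"{domain} maps to undefined realm {realm[0]!r}")
    return findings

def kdc_hosts(conf):
    # KDC names to resolve by hand (forward and reverse) when checking DNS.
    kdcs = (k for r in conf.get("realms", {}).values() for k in r.get("kdc", []))
    return sorted({k.rsplit(":", 1)[0] for k in kdcs})
```

Each name returned by `kdc_hosts` can then be looked up forward and in reverse with a resolver tool such as `host` or `dig` from the client machine.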