SASL authentication

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Mon Mar 23 05:31:49 EDT 2009


> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
> 
> You create a user with a sAMAccountName and a 
> userPrincipalName (LDAP attribute names) and then use this 
> userPrincipalName as parameter for kinit. LDAP-bind with 
> SASL/GSSAPI will automagically obtain a service ticket. See 
> my local test with OpenLDAP command-line tool below (all 
> names manually obfuscated).
> 
> If something fails check your DNS and /etc/krb5.conf 
> especially regarding enc types.

Yes, now I am also suspecting something is wrong with DNS settings. But I don't know how to check them. Could you give me some examples?

The following is the content of my /etc/krb5.conf:
=======================================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = durian.fujixerox.com
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
  default_domain = sesswin2003.com
 }

 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
  admin_server = kerberos.durian.fujixerox.com:749
 }


[domain_realm]
 .sesswin2003.com = SESSWIN2003.COM
 sesswin2003.com = SESSWIN2003.COM

 durian.fujixerox.com = durian.fujixerox.com
 .durian.fujixerox.com = durian.fujixerox.com

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
=======================================
In this configuration file, "durian" is the hostname of the client machine. Is there anything wrong with it?

Thanks,
Xu Qiang
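
Before blaming DNS it helps to know exactly which names the library will try to resolve and whether the file is internally consistent, so here is an added example (not code from the thread) that parses a constructed copy of the relevant lines of the posted krb5.conf and reports the static findings plus the KDC hostnames that must resolve. The lower-case realm is flagged only as a convention warning (realm names are case-sensitive and conventionally upper-case), not as a confirmed fault in this setup.

```python
import re

# Constructed sample: the relevant lines of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = durian.fujixerox.com
 dns_lookup_kdc = false
[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
 }
 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
  admin_server = kerberos.durian.fujixerox.com:749
 }
"""

def parse_krb5_conf(text):
    """{section: {key: value | {subkey: value}}}; one level of '{ }' nesting as in [realms]."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == '}':
            sub = None
        elif '=' in line:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                sub = conf[section].setdefault(key, {})
            else:
                (sub if sub is not None else conf[section])[key] = value
    return conf

def check_conf(conf):
    """Static findings plus the hostnames that must resolve (with dns_lookup_kdc = false
    the kdc/admin_server lines are the only way the library locates a KDC)."""
    findings, hosts, realms = [], set(), conf.get('realms', {})
    default_realm = conf.get('libdefaults', {}).get('default_realm')
    if default_realm not in realms:
        findings.append('default_realm %s has no [realms] block' % default_realm)
    for realm, settings in realms.items():
        if realm != realm.upper():  # realm names are case-sensitive; upper-case by convention
            findings.append('realm %s is not upper-case' % realm)
        for key in ('kdc', 'admin_server'):
            host = settings.get(key, '').rsplit(':', 1)[0]  # drop :port (hostnames/IPv4 only)
            if host and not re.fullmatch(r'[\d.]+', host):  # literal IPs need no DNS
                hosts.add(host)
    return findings, sorted(hosts)
```

Each hostname returned by check_conf is one to verify with host or dig from the client before retrying kinit; the IP-literal KDC of SESSWIN2003.COM needs no forward lookup at all.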