Cross Realm Administration?

Wilper, Ross A rwilper at stanford.edu
Fri Jan 7 17:46:21 EST 2011


1) In the Active Directory, is the userPrincipalName or one of the altSecurityIdentities of the admin account jdraht/admin at REALM?

2) Might you be running Windows Server 2008 without Service Pack 2 on your AD? Before SP2 there was a bug that prevented any account with a "/" from authenticating.

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Jeff draht
Sent: Friday, January 07, 2011 1:13 PM
To: kerberos at mit.edu
Subject: Cross Realm Administration?

We are testing Single Sign-on;

I have an MS2008 KDC and AD server that are one and the same, and a
Solaris_10 LDAP client in a SAP environment which we seem to have
partially Kerberized. I can do a klist, klist -k and see my keytab...

Single sign-on works for the most part; we can log in and authenticate
against the AD server.
We used the adjoin.sh provided by SUN/Oracle to establish a Kerberos
client connection.

I have even merged a few userid entries into the keytab. I can list them
out with klist -k.

I can kinit userid w/o issue. All ldap client commands function just
fine...

I created the keytabs for one userid manually and the other I had the
PC team create using ktpass as per the instructions on MS TechNet. He
created a key and I merged it in on the Solaris machine. I can see the
entries just fine.

What I cannot do is make kadmin work so that I can do remote kerberos
administration or get the seam tool to authenticate?

When I run kadmin I get the following error;

We have a default REALM; I just did not want to post it all over the
internet...

Authenticating as principal jdraht/admin at REALM with password.
kadmin: Client not found in Kerberos database while initializing
kadmin interface

When I run the SEAM tool it populates 2 of 4 fields correctly, and when I add
jdraht/admin at REALM and the password I get "Client not found in
kerberos database?"

The PC Admins claim that all fields are correct, they show me
snapshots.  Also, they claim that the DC's replicated the info fine.

I am out of ideas?  I have been and am reading every blog and support doc
out there and am trying suggestions with negative results...

Sun helped with the LDAP, but claim that kerberos and AD is not their
area of expertise?

Also, and this may be related, the SAP DBAs are trying to use SNC and
there seems to be an issue there?  Maybe a library issue or related to
the above? Not sure yet? One problem at a time?

Has anyone gone through this exercise?

If you have any suggestions? or can point me in a direction for
support, please advise?

Thanks, Jeff
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
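As an added diagnostic (not part of Ross's reply or Jeff's post), the following PowerShell, run on the AD/KDC host, checks the two conditions Ross raises: whether the admin account actually carries jdraht/admin@REALM as its userPrincipalName or as a Kerberos mapping in altSecurityIdentities, and whether the box is Windows Server 2008 below SP2. It assumes the ActiveDirectory module is installed, assumes the sAMAccountName is jdraht (the post only shows the principal), and keeps REALM as the placeholder the original post uses.

```powershell
# Added example, not from the thread. Assumptions: runs on the DC with the
# ActiveDirectory module available; sAMAccountName 'jdraht' is assumed (the
# post shows only the principal); 'REALM' is the poster's placeholder.
param(
    [string]$SamAccountName = 'jdraht',
    [string]$Principal      = 'jdraht/admin@REALM'
)

Import-Module ActiveDirectory

# Check 1: is the principal the account's UPN, or one of its altSecurityIdentities?
$user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, altSecurityIdentities

# String -eq is case-insensitive in PowerShell, which matches how AD compares UPNs
$upnMatch = ($user.userPrincipalName -eq $Principal)

# Kerberos name mappings in altSecurityIdentities are stored as 'Kerberos:<principal>'
$altMatch = (@($user.altSecurityIdentities) -contains "Kerberos:$Principal")

if ($upnMatch -or $altMatch) {
    Write-Output "OK: $SamAccountName is reachable as $Principal (UPN match: $upnMatch, altSecurityIdentities match: $altMatch)"
} else {
    Write-Output "MISMATCH: $SamAccountName has UPN '$($user.userPrincipalName)'"
    Write-Output "  altSecurityIdentities: $(@($user.altSecurityIdentities) -join ', ')"
    Write-Output "  Neither names $Principal; this is the condition Ross's first question is about."
}

# Cross-check: does some other object already carry that UPN or mapping?
# UPNs must be unique in the forest, so a second hit is worth reporting.
$byUpn = Get-ADUser -LDAPFilter "(userPrincipalName=$Principal)"
$byAlt = Get-ADUser -LDAPFilter "(altSecurityIdentities=Kerberos:$Principal)"
foreach ($hit in @($byUpn) + @($byAlt)) {
    if ($hit -and $hit.SamAccountName -ne $SamAccountName) {
        Write-Output "NOTE: $($hit.SamAccountName) also carries $Principal"
    }
}

# Check 2: Windows Server 2008 before SP2 could not authenticate names containing '/'
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Output "OS: $($os.Caption) SP$($os.ServicePackMajorVersion)"
if ($os.Caption -match 'Server 2008' -and $os.Caption -notmatch 'R2' -and $os.ServicePackMajorVersion -lt 2) {
    Write-Output "WARNING: pre-SP2 Server 2008; principals containing '/' will not authenticate until SP2 is applied."
}
```

Run it as a domain admin on the DC; the first block answers Ross's question 1 directly from the directory rather than from the PC team's screenshots, and the last block answers question 2 without having to ask.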