gss-client and gss-server under MS AD 2003

Nikola Radovanovic nikola.radovanovic at dmsgroup.co.yu
Tue Oct 10 08:06:58 EDT 2006 

hi,
i managed to put in work gss-server on MS AD 2003, but when i run the 
gss-client, it tells me that server cannot be found in kerberos database.
here is what i have done:
0. my server 2003:
    test-server1.vdomain.local
   10.0.0.1
    DNS is running
    DHCP is not running
1. added user named cross in AD/users
2. cross's Account settings:
    - Password never expires
    - User cannot change password
    - This account is trusted for delegation
    - Use DES encription
3. reset password for cross
4.
   setspn -a ldap/test-server1.vdomain.local cross
   kvno shatro at VDOMAIN.LOCAL
   ktpass -out c:\WINDOWS\krb5kt -princ 
ldap/test-server1.vdomain.local at VDOMAIN.LOCAL -pass cross -crypto 
DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -kvno 4
   SET KRB5_KTNAME=FILE:c:\WINDOWS\krb5kt

   (i have actually used kvno returned by previous command)
5. my krb5.ini file:

[libdefaults]
   
    default_realm = VDOMAIN.LOCAL
    ticket_lifetime = 600
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]

    VDOMAIN.LOCAL = {
        kdc = test-server1.vdomain.local
        admin_server = test-server1.vdomain.local
        default_domain = vdomain.local
    }

[domain_realm]
   
    .vdomain.local = VDOMAIN.LOCAL

[appdefaults]
   
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    renewable = true

klist -k -K gives:
c:\Program Files\MIT\Kerberos\bin>klist -k -K
Keytab name: FILE:C:\WINDOWS\krb5kt
KVNO Principal
---- 
--------------------------------------------------------------------------
   3 ldap/test-server1.vdomain.local at VDOMAIN.LOCAL (0x7fdfb3d33ec731f4)

what confuses me is that i never see a delegation tab after setspn 
(according to MS i should)-also i do not know is this is relevant.
i run server as:
gss-server ldap
and client as:
gss-client test-server1.vdomain.local ldap "message"
i get the following error:
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: Server not found in Kerberos database

what i should do to resolve this situation-if this is possible at all:i 
saw only sspi<->gss combinations for windows.on unix everything is 
working like a dream.

10x in advance

-- 

*****************************************************
Nikola Radovanovic
DMS Group
Puskinova 26
21000 Novi Sad
Serbia & Montenegro

Phone:  +381 21 
nikola.radovanovic at dmsgroup.co.yu
http://www.dmsgroup.co.yu/
*****************************************************

More information about the krbdev mailing list