OK, thanks for this... this fixed kinit.
Getent testing works too
What doesn't work is authentication when logging in to the Linux box from Windows Server 2008.
As stated, kinit works with the uppercase realm; the krb5.conf file is set as shown here. getent returns the passwd 'line' from the Windows server. The Windows server does have the lower-cryptography group policy.
I've gotten this to work before, but for this domain it just hangs and then PuTTY says "authentication failed".
Is there a log somewhere on the Windows box to see what is failing? As I said, the kinit and getent tests work fine now.
Here are the 'tests' working:
[root@xxxdevemp01 etc]# kinit
philh@XXX.SAAS
Password for
philh@XXX.SAAS:
[root@xxxdevemp01 etc]# getent passwd philh
philh:*:10007:501:Phil H:/home/philh:/bin/bash
[root@xxxdevemp01 etc]#
It returns the group, user ID, etc. just fine. Everything is set on the Windows server... It must be something very fundamental. Thanks for looking.
Here is my ldap.conf:
base XXX,dc=saas
uri ldap://xxxadc01.xxx.saas/
binddn
ldapbind@xxx.saas
bindpw XXXpass
scope sub
ssl no
#tls_checkpeer no
nss_base_passwd dc=xxx,dc=saas?sub
nss_base_shadow dc=xxx,dc=saas?sub
nss_base_group dc=xxx,dc=saas?sub?&(objectCategory=group)(gidnumber=*)
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,orion
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#pam_password ad
And my krb5.conf:
[root@xxxdevemp01 etc]# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.SAAS
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
verify_ap_req_nofail = false
[realms]
XXX.SAAS = {
kdc = XXXDEVADC01.XXX.SAAS:88
admin_server = XXXDEVADC01.XXX.SAAS:749
default_domain = XXX.SAAS
}
[domain_realms]
.xxx.saas = XXX.SAAS
xxx.saas = XXX.SAAS
[login]
krb4_convert=false
krb4_get_tickets=false
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@xxxdevemp01 etc]#