Old 08-22-2012, 07:32 AM   #1
samanka80
Member
Registered: Aug 2012
Posts: 85

Problem with Kerberos // kinit: password incorrect / initial login


Hello everyone!

I am trying to configure my ldap on freebsd 9 so that I can authenticate users against active directory.

For that I am going to need krb5, I have installed it, it is running cute but when I try to kinit some-user I have a weird problem... let's start from the top, here is my configuration of krb5.conf:



Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = seth.local
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
seth.local = {
    kdc = WIN-SRV.seth.local:88
    admin_server = WIN-SRV.seth.local:749
    default_domain = seth.local
}

[domain_realm]
.seth.local = SETH.LOCAL
seth.local = SETH.LOCAL




seth.local is my domain and WIN-SRV is my active directory server...

Now I am trying to kinit some user who actually exists on my active directory, here is the result:

Code:
[root@ldap /usr/home/neda]# kinit alex
alex@seth.local's Password: //I entered the password here//
kinit: Password incorrect

And then, I try to login with username which doesn't exist at all! And I have:

Code:
[root@ldap /usr/home/neda]# kinit jklsajdlkssdasdsa
jklsajdlks@seth.local's Password: //kjaskljdaskvcbylj user doesn't exist, who cares??//
kinit: krb5_get_init_creds: Client (jklsajdlks@seth.local) unknown

You see? I think Kerberos is seeing my Active Directory perfectly, but I don't know why I see the "password incorrect" message! I am sure that I'm entering the password correctly! Should I configure any special password for Kerberos to access Active Directory, and if so, where?? What do you think my problem is??

please please please save me!
 
Old 08-22-2012, 06:58 PM   #2
TheMadIndian
Member
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 117
Quote:
Originally Posted by samanka80
[the first post, quoted in full]
Are the domain names the same on freebsd box and active directory?
Does resolv.conf have domain and nameserver (AD's name server)?
Is the time in sync between FreeBSD and the domain controller?
In krb5.conf under libdefaults the domain should be all caps not lower case
In krb5.conf the seth.local = { under realms should be SETH.LOCAL = {
In krb5.conf there should not be default_domain under realms in the SETH.LOCAL definition
 
1 members found this post helpful.
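The three file-level points in the reply above (default_realm in upper case, the realm name under [realms] in upper case, and no default_domain inside the realm block) can be checked mechanically before touching kinit. The script below is an added example, not code from the thread or from either poster: a POSIX sh wrapper around awk that prints one WARN line per finding and returns the number of findings as its exit status. The two sample configurations are constructed here; the first mirrors the lower-case realm in the original post, the second is the corrected form.

```shell
#!/bin/sh
# Added example (not from the thread): lint a krb5.conf for the points raised
# above. Prints one WARN line per finding; the exit status is the finding count.
krb5_lint() {
    awk '
        function warn(msg) { n++; printf("WARN line %d: %s\n", NR, msg) }
        function trim(s)   { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
        /^[ \t]*\[/ {                                    # [section] header
            section = $0
            sub(/^[ \t]*\[/, "", section)
            section = substr(section, 1, index(section, "]") - 1)
            inrealm = ""; next
        }
        section == "realms" && /=[ \t]*[{][ \t]*$/ {    # "NAME = {" opens a realm block
            inrealm = trim($0); sub(/[ \t]*=.*$/, "", inrealm)
            if (inrealm ~ /[a-z]/) warn("realm name \"" inrealm "\" is not upper case")
            next
        }
        /^[ \t]*[}]/ { inrealm = ""; next }             # end of a realm block
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            if (section == "libdefaults" && key == "default_realm" && val ~ /[a-z]/)
                warn("default_realm \"" val "\" is not upper case")
            if (section == "realms" && inrealm != "" && key == "default_domain")
                warn("default_domain inside realm " inrealm " (remove it)")
            if (section == "domain_realm" && val ~ /[a-z]/)
                warn("domain_realm maps " key " to lower-case realm \"" val "\"")
        }
        END { exit n }
    ' "$1"
}

# Constructed sample configs: the first mirrors the thread's lower-case realm,
# the second is the corrected form. Both are removed when the script exits.
KRB5_BROKEN=$(mktemp) && KRB5_FIXED=$(mktemp) || exit 1
trap 'rm -f "$KRB5_BROKEN" "$KRB5_FIXED"' EXIT
cat > "$KRB5_BROKEN" <<'EOF'
[libdefaults]
default_realm = seth.local

[realms]
seth.local = {
    kdc = WIN-SRV.seth.local:88
    admin_server = WIN-SRV.seth.local:749
    default_domain = seth.local
}

[domain_realm]
.seth.local = SETH.LOCAL
seth.local = SETH.LOCAL
EOF
cat > "$KRB5_FIXED" <<'EOF'
[libdefaults]
default_realm = SETH.LOCAL

[realms]
SETH.LOCAL = {
    kdc = WIN-SRV.seth.local:88
    admin_server = WIN-SRV.seth.local:749
}

[domain_realm]
.seth.local = SETH.LOCAL
seth.local = SETH.LOCAL
EOF

# Stand-alone run: the first file reports 3 findings, the second none.
for f in "$KRB5_BROKEN" "$KRB5_FIXED"; do
    if krb5_lint "$f"; then echo "$f: clean"; else echo "$f: $? finding(s)"; fi
done
```

The hostname and time-sync questions in the reply are environment checks rather than file checks (compare `hostname -f` against default_realm, and the clock against the domain controller with ntpdate -q or similar); they are deliberately left out of the linter, which only reads the configuration file it is given.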
Old 08-24-2012, 02:09 AM   #3
samanka80
Member
Registered: Aug 2012
Posts: 85

Original Poster

Quote:
Originally Posted by TheMadIndian
Are the domain names the same on freebsd box and active directory?
Does resolv.conf have domain and nameserver (AD's name server)?
Is the time in sync between FreeBSD and the domain controller?
In krb5.conf under libdefaults the domain should be all caps not lower case
In krb5.conf the seth.local = { under realms should be SETH.LOCAL = {
In krb5.conf there should not be default_domain under realms in the SETH.LOCAL definition
Thanks a lot for your help!! I also found out that I should generate a key with ktpass in my Windows server and make Kerberos use it! I used this command in Windows:

Code:
ktpass /princ HOST/myldapname@SETH.LOCAL /mapuser DOMAIN\ldapuser /crypto DES-CBC-MD5 +DesOnly /pass ldapuser-password /ptype KRB5_NT_SRV_HST /out c:\krb5.keytab

Of course the LDAP computer and the user should be defined before I use this command...

Then I copied this keytab file to /etc and it worked!

Now that I run klist in FreeBSD, I have this:

Code:
Principal: alex@SETH.LOCAL

  Issued           Expires          Principal
Aug 24 09:00:07  Aug 24 19:00:07  krbtgt/SETH.LOCAL@SETH.LOCAL

Is it correct?? Is it the result I should expect, or is something wrong??

I kinit 2 or 3 users, but when I kinit, I just have the last one in the list... why??

Thanks again

Last edited by samanka80; 08-24-2012 at 02:25 AM.
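The keytab that ktpass writes holds the host account's long-term key, so once it is copied to /etc it deserves the same protection as a password file: owned by root, readable by nobody else. The /crypto DES-CBC-MD5 +DesOnly choice in the command above also ties the key to DES, which current Kerberos builds and Windows releases disable by default, so a fresh setup would normally pick an AES type. The script below is an added example, not code from the thread: it checks ownership and mode of a keytab with the portable ls -l output rather than the BSD/GNU-specific stat flags, and lists the stored principals with whichever keytab tool is installed (MIT klist -k or Heimdal ktutil, the latter being what FreeBSD ships). The path /etc/krb5.keytab is the one the post copies to; the owner and mode are the usual defaults for a system keytab, and the file used in the stand-alone run is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a keytab before pointing
# Kerberos at it. Returns 0 when the file is a regular file owned by $2
# (default root) with mode 0600; otherwise prints the problem and returns 1.
keytab_check() {
    kt="$1"; want_owner="${2:-root}"
    [ -f "$kt" ] || { echo "$kt: not a regular file"; return 1; }
    # ls -l output has the same layout on BSD and GNU: field 1 = mode, field 3 = owner
    set -- $(ls -ld "$kt")
    mode="$1"; owner="$3"
    [ "$owner" = "$want_owner" ] || { echo "$kt: owned by $owner, expected $want_owner"; return 1; }
    case "$mode" in
        -rw-------*) ;;   # 0600; a trailing +, @ or . only marks ACLs/xattrs/labels
        *) echo "$kt: mode is $mode, expected -rw------- (0600)"; return 1 ;;
    esac
    return 0
}

# List the principals stored in a keytab with whichever tool is present.
# MIT's klist accepts -k <keytab>; Heimdal's klist does not, so it fails and
# we fall back to Heimdal's "ktutil -k <keytab> list". Returns 2 if neither exists.
keytab_list() {
    if command -v klist >/dev/null 2>&1 && klist -k "$1" 2>/dev/null; then
        return 0
    elif command -v ktutil >/dev/null 2>&1; then
        ktutil -k "$1" list
    else
        echo "no klist/ktutil found to list $1"; return 2
    fi
}

# Stand-alone run against the keytab path used in the thread (override with
# KEYTAB=/path). On a box without that file this just reports "not a regular file".
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
if keytab_check "$KEYTAB"; then keytab_list "$KEYTAB"; fi
```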
 
Old 08-24-2012, 06:26 AM   #4
TheMadIndian
Member
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 117
Quote:
Originally Posted by samanka80
[the previous post, quoted in full]
Are you running kinit from the same local user?
 
Old 08-24-2012, 06:36 AM   #5
samanka80
Member
Registered: Aug 2012
Posts: 85

Original Poster

Quote:
Originally Posted by TheMadIndian
are you running kinit from the same local user?

I am running it from my ldap server... and with different users.
 
Old 08-24-2012, 07:55 AM   #6
TheMadIndian
Member
Registered: Dec 2007
Distribution: Fedora Slackware CentOS slax RHEL
Posts: 117

Quote:
Originally Posted by samanka80
I am running it from my ldap server... and with different users.
I should've been more clear. I log into a computer as themadindian, I run klist and there is nothing
Code:
klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
I kinit as themadindian to the whatever domain
Code:
kinit themadindian@WHATEVER.COM
Password for themadindian@WHATEVER.COM:
I run klist and I now have a ticket as themadindian
Code:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: themadindian@WHATEVER.COM

Valid starting     Expires            Service principal
08/24/12 08:43:02  08/24/12 18:43:40  krbtgt/WHATEVER.COM@WHATEVER.COM
	renew until 08/31/12 08:43:02
I run kinit again this time for administrator still logged in as themadindian
Code:
kinit administrator@WHATEVER.COM
Password for administrator@WHATEVER.COM:
I run klist again

Code:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@WHATEVER.COM

Valid starting     Expires            Service principal
08/24/12 08:43:22  08/24/12 18:44:01  krbtgt/WHATEVER.COM@WHATEVER.COM
Your Kerberos tickets will be those of the last user you authenticated as, so you can't kinit multiple users from a single local user; that's what I was trying to say.
 
2 members found this post helpful.
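The behaviour shown above follows from kinit writing into one default cache per Unix user (the FILE:/tmp/krb5cc_1000 in the klist output), so the second kinit replaces the first principal's ticket. When one local account really does need tickets for several principals at once, the KRB5CCNAME environment variable points kinit and klist at a separate cache file per command. The script below is an added example, not code from the thread or from either poster: the cache naming scheme under /tmp is this example's own convention, not anything kinit requires, and kinit is only invoked when it is installed and principals are passed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): one credential cache per principal, so
# that a kinit for the second user does not overwrite the first user's ticket.

# Derive a private cache name from a principal. Characters outside a safe set
# (e.g. the "/" in host/ldap.seth.local@SETH.LOCAL) are replaced by "_".
# The path scheme is this example's convention; kinit only needs a writable file.
cc_for_principal() {
    safe=$(printf '%s\n' "$1" | sed 's/[^A-Za-z0-9.@_-]/_/g')
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$(id -u)" "$safe"
}

# Obtain a ticket for a principal into its own cache (kinit prompts for the
# password as usual), then show what that cache now holds.
kinit_into() {
    KRB5CCNAME=$(cc_for_principal "$1") kinit "$1" || return 1
    KRB5CCNAME=$(cc_for_principal "$1") klist
}

# Run any command with a given principal's tickets, e.g. a GSSAPI ldapsearch:
#   as_principal alex@SETH.LOCAL ldapsearch -Y GSSAPI -H ldap://WIN-SRV.seth.local
as_principal() {
    p="$1"; shift
    KRB5CCNAME=$(cc_for_principal "$p") "$@"
}

# Stand-alone demo, only when kinit is installed and principals were given:
#   sh percache.sh alex@SETH.LOCAL bob@SETH.LOCAL
if command -v kinit >/dev/null 2>&1 && [ $# -gt 0 ]; then
    for p in "$@"; do kinit_into "$p"; done
fi
```

Each cache file is created by kinit with mode 0600 for the invoking uid, so splitting caches does not widen who can read the tickets; it only stops one principal's ticket from clobbering another's within the same account. Heimdal (FreeBSD base) and MIT kinit both honour KRB5CCNAME.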
Old 08-24-2012, 08:01 AM   #7
samanka80
Member
Registered: Aug 2012
Posts: 85

Original Poster

Quote:
Originally Posted by TheMadIndian
[the previous post, quoted in full]

Thanks a lot, that's what I was looking for. I wondered whether it shows just the last user or all the users logged in.
 
  

