05-20-2010, 09:34 AM   #1
montyny (LQ Newbie, Registered: Jun 2009, Posts: 10)
Troubleshooting openSUSE client authenticating to Windows 2003 AD server w/ Kerberos


Hello,
I am trying to connect an OpenSuse11 server to a MS 2003 Active Directory server with Kerberos 5. The ultimate aim is to authenticate postgres database users against the AD.

I have found some information that has got me started. I can authenticate with my user credentials interactively - however I cannot use a keytab file from a service account.

My first issue though is that I am not getting any messages from Kerberos in /var/log/messages.

[libdefaults]
    default_realm = LAB2K.NET
    dns_lookup_kdc = false

[realms]
    LAB2K.NET = {
        kdc = labad2.lab2k.net
    }

[domain_realm]
    lab2k.NET = LAB2K.NET
    lab2k.net = LAB2K.NET
    .lab2k.net = LAB2K.NET
    lab2k = LAB2K.NET
    poe3b.lab2k.net = LAB2K.NET

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    kdc = SYSLOG:DEBUG:AUTH
    admin_server = FILE:/var/log/krb5/kadmind.log
    admin_server = SYSLOG:DEBUG:AUTH
    default = SYSLOG:DEBUG:DAEMON


Our sys admins created a keytab file:

C:\>ktpass -princ HTTP/poe3b.lab2k.net@lab2k.NET -mapuser poe3b -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass * -out c:\poe3b.keytab
Targeting domain controller: LABAD2.lab2k.net
WARNING: realm "lab2k.NET" has lowercase characters in it.
We only currently support realms in UPPERCASE.
assuming you mean "LAB2K.NET"...
Successfully mapped HTTP/poe3b.lab2k.net to poe3b.
Type the password for HTTP/poe3b.lab2k.net:
Type the password again to confirm:
Key created.
Output keytab to c:\poe3b.keytab:
Keytab version: 0x502
keysize 57 HTTP/poe3b.lab2k.net@LAB2K.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0b7c7cda2679a708)
Account poe3b has been set for DES-only encryption.


It appears that the principal HTTP has been mapped to the user poe3b.

# klist -k -t poe3b.keytab
Keytab name: FILE:poe3b.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/31/69 19:00:00 HTTP/poe3b.lab2k.net@LAB2K.NET

# kinit -k -t poe3b.keytab HTTP
kinit(v5): Client not found in Kerberos database while getting initial credentials

# hostname -f
poe3b.lab2k.net


It seems that the user in the keytab file is not being recognized by AD - is this what the error messages mean? Is this an AD issue, or a Linux issue?

However, if I go to a windows machine in that domain, I can find the user poe3b
(poe3b (HTTP/poe3b.lab2k.net@LAB2K.NET))

What am I missing? It seems that the pieces are there. Any thoughts much appreciated.

Thanks.

Last edited by montyny; 05-24-2010 at 08:36 AM. Reason: change title
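Editor's note with an added example (not part of the original post and not the poster's own script): a name given to kinit without a realm or instance, such as "HTTP", is completed to HTTP@LAB2K.NET, which is not the principal stored in the keytab. The script below reads the principal names out of `klist -k -t` output (a constructed copy of the listing from the post is embedded so it runs offline, with no Kerberos tools installed), checks whether a bare name matches any stored principal, and builds the kinit command line that uses the full principal. The function names and the sample text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: extract full principal names from
# `klist -k -t` output and build a kinit command that uses exactly that name.

# Constructed sample of `klist -k -t poe3b.keytab` output, mirroring the post.
SAMPLE_KLIST='Keytab name: FILE:poe3b.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/31/69 19:00:00 HTTP/poe3b.lab2k.net@LAB2K.NET'

# keytab_principals KLIST_OUTPUT: print one full principal per keytab entry,
# skipping the header and separator lines that klist emits.
keytab_principals() {
    printf '%s\n' "$1" | awk '
        /^Keytab name:/ { next }
        /^KVNO/          { next }
        /^-+ /           { next }
        NF >= 4 && $NF ~ /@/ { print $NF }
    '
}

# check_principal KLIST_OUTPUT NAME: return 0 when NAME is exactly one of the
# principals in the keytab, 1 otherwise (a bare "HTTP" will not match).
check_principal() {
    for p in $(keytab_principals "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# build_kinit_cmd KEYTAB PRINCIPAL: the kinit invocation for that keytab entry.
build_kinit_cmd() {
    printf 'kinit -k -t %s %s\n' "$1" "$2"
}

# Usage (assumes the keytab from the post): print the command to run.
for principal in $(keytab_principals "$SAMPLE_KLIST"); do
    build_kinit_cmd poe3b.keytab "$principal"
done
```

Run it against a real keytab by replacing the embedded sample with `"$(klist -k -t poe3b.keytab)"`; the realm in the printed principal should match `default_realm` in /etc/krb5.conf, and the host part should match `hostname -f`, which are the two things to compare when the KDC reports the client as unknown.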