LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-08-2014, 05:55 PM   #1
okaybrian
LQ Newbie
 
Registered: Sep 2014
Location: Dallas
Posts: 2

Rep: Reputation: Disabled
GSSAPI - Windows Active Directory Interoperability


We are writing softwares that run on both Windows and Linux, and plan to use Windows Active Directory for authentication. I am struggling with the issues described below, and would appreciate any help very much:

Domain name: CORP.COMPANY.COM

Test programming running on the one Linux machine: host1.corp.company.com

The test program comes from the gss-sample from krb5-1.11.3 downloaded files.

The server will be named "gssapitest".



Based on "Step-by-Step Guide to Kerberos 5(krb5 1.0) Interoperability at
http://technet.microsoft.com/en-us/l.../bb742433.aspx,

First create a user "host1" in the AD to represent the host
host1.corp.company.com (the linux machine).

Use ktpass to generate the keytab (run from Windows):
ktpass /princ host/host1.corp.company.com@CORP.COMPANY.COM /mapuser host1 /pass
hostpassword /out file1.keytab

Now in AD, create another domain user "gssapitest" to represent the test server program, and map user similarly:
ktpass /princ gssapitest/host1.corp.company.com@CORP.COMPANY.COM /mapuser
gssapitest /pass gssapitestpassword /out file2.keytab


copy file1.keytab and file2.keytab to the Linux machine host1, and merge them
to /etc/krb5.keytab.


In Linux, "ktutil" shows the content of /etc/krb5.keytab like the following:

slot KVNO Principal
------------------------------------------------------------------
1 4 host/host1.corp.company.com@CORP.COMPANY.COM
2 5 gssapitest/host1.corp.company.com@CORP.COMPANY.COM



On windows, register the service (using "setspn") for the Linux server program so that the
result looks like (2 entries, one with mapped host name, the other with actual host name, for testing purpose. If only one entry, no matter which one, the result was the same):

Registered ServicePrincipalNames for
CN=xxxx,CN=Users,DC=corp,DC=company,DC=com:
gssapitest/host1:2001
gssapitest/host1.corp.company.com:2001



Now I start the server this way:

gss-server -port 2001 gssapitest


and start the client from another terminal this way:

gss-client -port 2001 -user xxxx -pass xxxxpassword host1.corp.company.com
gssapitest "abcd"



The error shows on the server side:

GSS-API error accepting context: Unspecified GSS failure. Minor code may
provide more information
GSS-API error accepting context: Wrong principal in request


Anyone who has some idea please help me out. I have spent a lot of time and
am not able to find the cause. I'd like to know if the step I outlined about
are all necessary. and which one I did it incorrectly.

(Note: I have tried to log in to the Linux with both a local user account and
a domain account in CORP.COMPANY.COM, the result shows the same error.
also the nslookup shows correct IP to host mapping for the linux machine).

Thanks,
Brian
 
Old 09-10-2014, 02:29 PM   #2
okaybrian
LQ Newbie
 
Registered: Sep 2014
Location: Dallas
Posts: 2

Original Poster
Rep: Reputation: Disabled
OK I am replying to myself.
In my case, the problem seems to be this: I made changes to my mapped user, i.e., gssapitest (In "Active Directory Users and Computers", I unchecked "Use DES encryption types for this account" under "Account" tab for this user) after running "ktpass" and merged the output file to the krb5.keytab in the Linux machine.
To fix this problem, I checked the "Use DES encryptiuon types for this account" again from inside the Active Directory, then go to the Linux machine, run "kdestroy" before starting my server and client programs. Then it worked.
If you are having similar problems, you may want to look into this possible cause. Thanks.

Last edited by okaybrian; 09-10-2014 at 02:35 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] ssh problem. (Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).) Satyaveer Arya Linux - Networking 4 10-19-2013 03:43 PM
Permission denied (publickey, gssapi-keyex,gssapi-with-mic,password) Huaqing Wang Linux - Newbie 1 06-27-2012 07:51 PM
Cyrus IMAP / SASL - GSSAPI authentication doesn't work against Active Directory MheAd Linux - Server 3 02-03-2012 10:18 AM
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password) scman64 Linux - Newbie 1 12-13-2011 12:20 AM
Windows Active Directory Wha?Where? Linux - Newbie 7 12-15-2005 09:17 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 03:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration