This doc will make this all possible. It's actually easier than you might think:
http://www.securityfocus.com/infocus/1563

-----Original Message-----
From: Neil McFadyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 19, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems using AD as KDC

Did you find a solution? I would like to do the same thing for our UNIX NIS domain and Windows AD.

Neil

Christian Palomino wrote:
> I've seen some posts that reflect similar problems to what I'm having, but didn't find a solution.
>
> We've got a corporate Active Directory, with a root domain used to keep some service and security accounts as well as some servers with the infrastructure FSMO roles (Schema Master, Domain Naming Master, Infrastructure Master, ...). On a child domain, we've got the servers, computers and users. We are trying to be able to authenticate users and services also on our UNIX machines, so we can give some kind of Single Sign On for the few users (basically in the IT department) which use the UNIX machines, and especially be able to offer UNIX services to the users without having to ask them for a user and password once they are logged in to the AD.
>
> I've followed both Microsoft and MIT papers, and from a NetBSD box and a SuSE box I've got the same problem. I can kinit from a user and get a ticket from the AD for the user with the same name (or use kinit username) and it works perfectly. But it seems service and host mapping doesn't work. I've created an account for my host and for the ksu service as explained in Msft. papers, but I get the following error:
>
> ksu: Server not found in Kerberos database while getting credentials from kdc
> Authentication failed.
>
> But ksu is in krb5.keytab, imported from AD with ktpass:
>
> idaho.solmelia.corp:/home/chpl000# ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 host/[EMAIL PROTECTED]
>    2    1 ksu/[EMAIL PROTECTED]
> ktutil:
>
> OTOH, login.krb5 does work perfectly:
>
> idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
> login: chpl000
> Password for chpl000:
> Last login: Wed Nov 12 11:52:03 on ttyp0
> NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
>
> Welcome to NetBSD!
>
> You have mail.
> Disk quotas for user chpl000 (uid 1000): none
> idaho.solmelia.corp:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_p934
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 11/12/03 11:53:04  11/12/03 21:55:30  krbtgt/[EMAIL PROTECTED]
> CORP
>         renew until 11/13/03 11:53:04
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> Does anyone have a hint on how to solve this issue? I have no clue on what to do after searching everywhere...
>
> Thanks and best regards (and sorry for the long post)
>
> --
> Christian Palomino
> mailto:[EMAIL PROTECTED]
> http://www.palominocassain.com
> GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
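One thing worth checking when ksu reports "Server not found in Kerberos database" even though ktutil lists the service principal is whether the keytab entry matches, byte for byte, the principal the client will ask the KDC for: service/fqdn@REALM, with the realm in the exact case the KDC uses. The script below is an added example, not code from the thread or from the MIT or Microsoft tools; it assumes the MIT keytab file layout (version 0x0502) and uses a constructed in-memory keytab with the placeholder realm EXAMPLE.COM and host idaho.example.com. It writes a keytab, parses it back, and flags realm-case and short-hostname near-misses for the requested principal. The caveat a practitioner would want: a keytab entry only proves the client side; the error in the thread is returned by the KDC, so the same principal also has to be resolvable on the AD account.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, format version 2
NT_PRINCIPAL = 1             # name type written for ordinary principals


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int     # e.g. 23 = rc4-hmac, the type ktpass commonly emitted
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: big-endian uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2 : pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries: List[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialize entries the way MIT krb5 lays them out (assumed format, not the library itself)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))         # number of name components
        body += _counted(realm.encode())              # realm comes before the components
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)             # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body    # signed size; negative marks a deleted slot
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 MIT keytab into entries (skips deleted slots)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos : pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:                            # 32-bit kvno present and non-zero wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, vno, etype, key))
    return entries


def check_service_principal(keytab: bytes, service: str, fqdn: str, realm: str) -> dict:
    """Is the exact principal the client will request present? Report the usual near-misses."""
    want = f"{service}/{fqdn}@{realm}"
    have = [e.principal for e in parse_keytab(keytab)]
    short_want = f"{service}/{fqdn.split('.')[0]}".lower()
    return {
        "wanted": want,
        "present": want in have,
        "case_mismatch": [p for p in have if p.lower() == want.lower() and p != want],
        "short_name_only": [p for p in have if p.split("@")[0].lower() == short_want],
        "entries": have,
    }


# Constructed sample: one correct host entry and two typical ktpass slips for ksu.
SAMPLE_REALM = "EXAMPLE.COM"        # placeholder realm, not the poster's
SAMPLE_HOST = "idaho.example.com"   # placeholder host
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(f"host/{SAMPLE_HOST}@{SAMPLE_REALM}", 1, 23, b"\x11" * 16),
    KeytabEntry(f"ksu/{SAMPLE_HOST}@example.com", 1, 23, b"\x22" * 16),   # realm typed in lowercase
    KeytabEntry(f"ksu/idaho@{SAMPLE_REALM}", 1, 23, b"\x33" * 16),        # short name instead of FQDN
])

if __name__ == "__main__":
    for svc in ("host", "ksu"):
        print(check_service_principal(SAMPLE_KEYTAB, svc, SAMPLE_HOST, SAMPLE_REALM))
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; pass the host name exactly as the client resolves it, since that is the name that ends up in the service principal it requests.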