"Umble, Butch" wrote:
>
> Hello,
>
> Has anyone had success authenticating AIX servers to a 2003 Active Directory KDC
> where the AIX servers are defined to a different domain than the active directory
> server.
>
> Our progress thus far:
>
> We successfully communicate with AD via kinit, kpasswd, etc..
>
> A klist verifies a ticket was defined for the machine.
>
> Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 03/24/04 13:18:11  03/24/04 23:18:11  krbtgt/[EMAIL PROTECTED]
>
> However, when we try to authenticate to AD with the account we fail with the
> following debug messages:
>
> Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
> Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:08:33 ua011 tsm: Entering krb_normalize...user0
> Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
> Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:07:23 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] user0 is normalized to user0
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] cache file is
> /var/krb5/security/creds/[EMAIL PROTECTED]
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Got TGT ...
> Mar 24 13:07:23 ua011 tsm: [getFQHN] entered...
> Mar 24 13:07:23 ua011 tsm: [getFQHN] hostname is ua011.bumble.com
> Mar 24 13:07:23 ua011 tsm: [getFQHN] normal exit...
> Mar 24 13:07:23 ua011 tsm: [is_tgt_valid] hostname is ua011.bumble.com
> Mar 24 13:07:23 ua011 tsm: Service name = host/[EMAIL PROTECTED]

The client lib will try and determine the realm of the host. Based on the
above message it thinks it is in PILOTPUSA.PILOTCORP.BUMBLE.COM, which is the
same realm as user0.

What are the names of the two realms? Whose Kerberos? What is the application?

Does the krb5.conf have a [domain_realm] section? This is used on the client
lib to map hosts or DNS domains to a realm. You may have one, as the messages
above assumed the host was in PILOTPUSA.PILOTCORP.BUMBLE.COM, whereas by
default the client lib would have assumed BUMBLE.COM.

> Mar 24 13:07:23 ua011 tsm: Client principal in request is same as in TGT
> Mar 24 13:07:23 ua011 tsm: Error in getting service ticket for host/<hostname> ...
> Mar 24 13:07:23 ua011 tsm: Server not found in Network Authentication Service
> database
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] TGT validation failed ...
> Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Exiting krb_authenticate...
> Mar 24 13:07:23 ua011 syslog: pts/6: failed login attempt for user0 from
> 162.131.196.187
>
> We have been working with the vendor trying to analyze the problem. From their
> view, the problem is related to having the AIX servers residing in one domain and
> the AD server defined to another domain.

You mean the user is registered in one realm/domain, and the host in another.
This requires Kerberos to do cross realm, which requires the two realms to have
a trust relationship.

> We find it hard to believe that we are the only shop which is configured in this
> manner.
>
> If anyone has any insight on how to solve this problem/error and would be willing to
> share their resolution we would appreciate hearing from you.
>
> Thank you,
> -Butch
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
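A worked illustration of the [domain_realm] lookup discussed in the reply above, added here as an example and not part of the thread: a small Python model of how the client library decides which realm a host/<hostname> principal belongs to (exact hostname entry, then the longest matching parent-domain entry, then the upper-cased DNS domain as the fallback). The krb5.conf text is constructed; the realm names and the hostname are the ones from the messages. It deliberately simplifies the real library (no KDC referrals, no realm_try_domains).

```python
import re

# Constructed krb5.conf fragment (not from the thread). The catch-all
# ".bumble.com" entry is written so that it reproduces what the debug log
# shows: the host is mapped into the user's realm rather than BUMBLE.COM.
KRB5_CONF = """
[libdefaults]
    default_realm = PILOTPUSA.PILOTCORP.BUMBLE.COM

[domain_realm]
    .pilotpusa.pilotcorp.bumble.com = PILOTPUSA.PILOTCORP.BUMBLE.COM
    .bumble.com = PILOTPUSA.PILOTCORP.BUMBLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the {host-or-domain: REALM} entries of the [domain_realm] section."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def host_realm(hostname, mapping):
    """Realm the client library will assume for host/<hostname>."""
    # Simplified MIT-style rule: an exact hostname entry wins, then the longest
    # matching parent-domain entry (keys starting with '.'), and with no entry
    # at all the DNS domain part of the hostname upper-cased.
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()

if __name__ == "__main__":
    # No [domain_realm] entry: the thread's host is assumed to be in BUMBLE.COM.
    print(host_realm("ua011.bumble.com", {}))
    # The constructed catch-all entry sends the host ticket request to the
    # user's realm instead, matching the "Service name" line in the log.
    print(host_realm("ua011.bumble.com", parse_domain_realm(KRB5_CONF)))
```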
