2005/10/31, Daniel Hatfield <[EMAIL PROTECTED]>:
> I don't know about doing this with ldap directly, but if you have
> Kerberos working and you've successfully joined your computer to the
> domain, you're really close.  Let's test to make sure.
> Do the following as root from the command line:
>
> To test Kerberos:
>
> kinit administrator
>
> The above command will prompt for a password.  Enter the password of your
> 2K3 domain administrator.  If you have renamed your domain administrator
> account use the name instead with the kinit command.  If you receive no
> errors Kerberos is working.
>
> To test winbind:
>
> wbinfo -g
>
> The above command should give you a list of groups in your Active
> Directory.  Try it with the -u switch to see a list of users.
>
> Let us know what your results are and we can help you further.
>
> Cheers,
> Daniel


First of all, thank you for your replies, I really appreciate that.
As I said before, the kerberos part is pretty straightforward. I
never encountered any serious problems on this side.

Packetyzer Trace:
Kerberos AS-REP
     Pvno: 5
     MSG Type: AS-REP (11)
     Client Realm: LINUX.LOCAL
     Client Name (Principal): Administrator
          Name-type: Principal (1)
          Name: Administrator
     Ticket
          Tkt-vno: 5
          Realm: LINUX.LOCAL
          Server Name (Unknown): krbtgt/LINUX.LOCAL
               Name-type: Unknown (0)
               Name: krbtgt
               Name: LINUX.LOCAL
          enc-part rc4-hmac
               Encryption type: rc4-hmac (23)
               Kvno: 2
               enc-part: 08561DE7EE73917EAB22B1B3E1DC1FE4E24F14BD18E39CF3...
     enc-part rc4-hmac
          Encryption type: rc4-hmac (23)
          Kvno: 1
          enc-part: 2E1EDFF75F9DB3CA00736E7B3A4DE074E6A398E0810B415E...


playground:~ # klist -e -5:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

A packet sniffer proved to be quite helpful here. If I try to log in
as a domain user it first does the kerberos authentication (PAM: auth)
and then tries to get account information via ldap (PAM: account). The
problem is, ldapsearch tries to bind using the "simple" method (-x
parameter). Some windows registry hacking would allow Active Directory
to allow anonymous searches but that's not in my interest. Neither is
a dedicated user with a locally stored plaintext password in
ldap.secret.

If I issue an ldapsearch with a tgt (ticket) present I get quite
reasonable results:

playground:/etc # ldapsearch "(&(objectclass=User)(msSFU30Name=testuser))" | head -20
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=User)(msSFU30Name=testuser))
# requesting: ALL
#

# testuser, Users, linux.local
dn: CN=testuser,CN=Users,DC=linux,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: testuser
givenName: testuser
distinguishedName: CN=testuser,CN=Users,DC=linux,DC=local
instanceType: 4
whenCreated: 20051020072831.0Z
whenChanged: 20051031100055.0Z
...

and once again:

playground:/etc # klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/02/05 07:22:07  11/02/05 17:22:15  krbtgt/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
11/02/05 07:44:54  11/02/05 17:22:15  ldap/[EMAIL PROTECTED]
        renew until 11/03/05 07:22:07, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5

now I do have a service ticket for the ldap service as well (good!).

I didn't test the winbind stuff as I do not want to use samba but ldap
(natively supported by Active Directory). Does anyone know how I can
tell ldap to use GSSAPI instead of simple auth while logging in?
"use_sasl on" and "sasl_mech gssapi" didn't really turn out to be
helpful at all :-(

Thanks in advance
Roman
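An added configuration example for the question above, not taken from the thread or from Roman's system: the nss_ldap /etc/ldap.conf settings that make the PAM account-phase lookup bind with SASL/GSSAPI rather than a simple bind, with the stored-password variant shown for contrast. The host name, base, keytab principal and cache path are assumptions; the option names are the ones nss_ldap documents. The point that matters is that the lookup runs as root before the logging-in user's own ticket exists, so it needs a credential cache of its own, refreshed from the host keytab.

```conf
# /etc/ldap.conf for nss_ldap/pam_ldap -- added example, not the thread's config.
# Host, base, principal and cache path are constructed; option names are nss_ldap's.
uri   ldap://dc1.linux.local/
base  dc=linux,dc=local

# Weak variant (left commented out): simple bind with a long-lived password
# kept on disk in /etc/ldap.secret, readable by whoever can read that file.
#rootbinddn cn=ldapproxy,cn=Users,dc=linux,dc=local

# Corrected variant: SASL/GSSAPI bind. The account lookup runs as root during
# the PAM account phase, before the user's ticket exists, so point it at a
# cache that cron or k5start keeps filled from the host keytab, e.g.
#   kinit -k -c /etc/.ldapcache host/playground.linux.local
use_sasl     on
sasl_mech    GSSAPI
krb5_ccname  FILE:/etc/.ldapcache

# Refuse to proceed unless GSSAPI installs a security layer at least as strong
# as the SSF 56 seen in the ldapsearch output, so attributes are never sent in
# the clear. ssl stays off: AD does not stack a SASL layer on top of TLS.
sasl_secprops minssf=56
ssl no

# SFU 3.0 schema mapping matching the msSFU30Name lookup in the thread; the
# remaining posixAccount attributes map to the other msSFU30* attributes.
nss_map_objectclass posixAccount User
nss_map_attribute   uid          msSFU30Name
```

Whatever refreshes the cache must run before the first domain login and keep the file readable only by the processes that do the lookups.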
