[30898] in Kerberos
RE: SASL authentication
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Fri Mar 20 03:38:00 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Date: Fri, 20 Mar 2009 15:36:59 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C1727084B37F3@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <49C2ECAF.4080405@anl.gov>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Cc: =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Friday, March 20, 2009 9:09 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos@mit.edu
> Subject: Re: SASL authentication
>
> Start with:
> http://technet.microsoft.com/en-us/library/bb742433.aspx
> Then look for ksetup program and 2003.
> Also look at Samba for net join and windbind and also look
> for msktutil.
> Solaris has a script to do this
In reference to http://technet.microsoft.com/en-us/library/bb742433.aspx, it seems the only tool to use is ktpass. But the problem is, as I said before, I don't know which user to associate in creating the keytab file.
Anyway, I've given it a try. First, I created a user "ldapServer/Fair123" in ADS of sesswin2003. Then:
========================================================
C:> ktpass -princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser ldapServer -pass Fair123 -out ldap.keytab
========================================================
It finished smoothly. Then I ftp'ed it to the printer, which is LDAP client and Kerberos client. First I put it into "/etc/openldap", as suggested by http://aput.net/~jheiss/krbldap/howto.html.
But when I run "klist -k" in 98.190 to find the keytab file, it told me:
========================================================
qxu@durian(pts/3):/etc/openldap[7]$ ll *.keytab
-rw-r--r-- 1 root root 69 Mar 20 15:01 ldap.keytab
qxu@durian(pts/3):/etc/openldap[8]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan
========================================================
It seemed to try to find a file named "krb5.keytab".
OK, let's do it:
========================================================
qxu@durian(pts/3):/etc/openldap[9]$ sudo mv /etc/openldap/ldap.keytab /etc/krb5.keytab
Password:
qxu@durian(pts/3):/etc/openldap[10]$ cd /etc
qxu@durian(pts/3):/etc[11]$ ll krb*
-rw-r--r-- 1 root root 804 Mar 19 17:04 krb5.conf
-rw-r--r-- 1 root root 69 Mar 20 15:01 krb5.keytab
-rw-r--r-- 1 root root 143 Mar 19 16:34 krb.conf
qxu@durian(pts/3):/etc[12]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 ldap/sesswin2003.com@SESSWIN2003.COM
========================================================
It looks good.
Then I tried to do Kerberos authentcation followed by ldapsearch:
========================================================
qxu@durian(pts/3):/etc[14]$ kinit -f qxu@SESSWIN2003.COM
Password for qxu@SESSWIN2003.COM:
qxu@durian(pts/3):/etc[15]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu@SESSWIN2003.COM
Valid starting Expires Service principal
03/20/09 15:07:19 03/21/09 01:06:54 krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
renew until 03/21/09 15:07:19
Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
qxu@durian(pts/3):/etc[16]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 ldap/sesswin2003.com@SESSWIN2003.COM
qxu@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
========================================================
To my dismay, it still doesn't work.
Any1 can shed some light on this?
Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos