[30910] in Kerberos
RE: SASL authentication
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Mon Mar 23 05:33:12 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Michael Ströder <michael@stroeder.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 23 Mar 2009 17:31:49 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172905443BEA@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <9vmd96-1dp.ln1@nb2.stroeder.com>
> -----Original Message-----
> From: kerberos-bounces@mit.edu
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos@mit.edu
> Subject: Re: SASL authentication
>
> You create a user with a sAMAccountName and a
> userPrincipalName (LDAP attribute names) and then use this
> userPrincipalName as parameter for kinit. LDAP-bind with
> SASL/GSSAPI will automagically obtain a service ticket. See
> my local test with OpenLDAP command-line tool below (all
> names manually obfuscated).
>
> If something fails check your DNS and /etc/krb5.conf
> especially regarding enc types.
Yes, now I am also suspecting that something is wrong with the DNS settings, but I don't know how to check them. Could you give me some examples?
The following is the content of my /etc/krb5.conf:
=======================================
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = durian.fujixerox.com
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    SESSWIN2003.COM = {
        kdc = 13.198.98.35:88
        default_domain = sesswin2003.com
    }
    durian.fujixerox.com = {
        kdc = kerberos.durian.fujixerox.com:88
        admin_server = kerberos.durian.fujixerox.com:749
    }

[domain_realm]
    .sesswin2003.com = SESSWIN2003.COM
    sesswin2003.com = SESSWIN2003.COM
    durian.fujixerox.com = durian.fujixerox.com
    .durian.fujixerox.com = durian.fujixerox.com

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
=======================================
In this configuration file, "durian" is the hostname of the client machine. Is there anything wrong with it?
Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
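The two things Michael points at, DNS and /etc/krb5.conf, can be separated: everything in the file itself can be checked offline before a single DNS query is made. The following is an added example, not code from either poster or from MIT Kerberos. It parses the krb5.conf posted above (embedded here as sample input, with [logging] and [appdefaults] omitted) and reports realm-name casing, whether default_realm names a configured realm, which kdc hostnames actually have to resolve, and which realm a given LDAP server hostname maps to under [domain_realm], which decides the ldap/host@REALM principal a SASL/GSSAPI bind asks the KDC for. The server name dc1.sesswin2003.com used in the test is a constructed placeholder, not a host from the thread.

```python
"""Static consistency checks for a krb5.conf before blaming DNS (added example)."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the krb5.conf posted in the thread, indentation restored;
# [logging] and [appdefaults] are left out because the checks do not use them.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = durian.fujixerox.com
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
[realms]
    SESSWIN2003.COM = {
        kdc = 13.198.98.35:88
        default_domain = sesswin2003.com
    }
    durian.fujixerox.com = {
        kdc = kerberos.durian.fujixerox.com:88
        admin_server = kerberos.durian.fujixerox.com:749
    }
[domain_realm]
    .sesswin2003.com = SESSWIN2003.COM
    sesswin2003.com = SESSWIN2003.COM
    durian.fujixerox.com = durian.fujixerox.com
    .durian.fujixerox.com = durian.fujixerox.com
"""

def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """[section] headers, `key = value` lines and one level of `name = { ... }`
    groups; group members are lists because a realm may list several kdc lines."""
    conf: Dict[str, Dict[str, Any]] = {}
    section = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # krb5.conf comment markers
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, group = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"directive before any [section]: {raw!r}")
        if line == "}":
            group = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            group = key
            conf[section].setdefault(key, {})
        elif group is not None:
            conf[section][group].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf

def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 address, i.e. a kdc entry that needs no DNS at all."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def map_host_to_realm(domain_realm: Dict[str, str], fqdn: str) -> Optional[str]:
    """[domain_realm] lookup order: the exact hostname, then each parent domain
    with a leading dot (a.b.c -> .b.c -> .c); keys match case-insensitively."""
    table = {k.lower(): v for k, v in domain_realm.items()}
    labels = fqdn.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((table[c] for c in candidates if c in table), None)

def ldap_service_principal(conf: Dict[str, Dict[str, Any]], server_fqdn: str) -> Optional[str]:
    """Principal a SASL/GSSAPI LDAP bind to server_fqdn requests a ticket for."""
    realm = map_host_to_realm(conf.get("domain_realm", {}), server_fqdn)
    return None if realm is None else f"ldap/{server_fqdn}@{realm}"

def check_krb5_conf(text: str) -> Dict[str, List[str]]:
    """Return {'findings': [...], 'dns_hosts': [...]}: inconsistencies, plus the
    KDC hostnames that must resolve (dns_lookup_kdc = false means no SRV fallback)."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings: List[str] = []
    dns_hosts: List[str] = []
    default_realm = libdefaults.get("default_realm")
    if not default_realm or default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry")
    for realm, entries in realms.items():
        # Realm names are case-sensitive; the convention is upper-case, and an
        # Active Directory realm is always the upper-cased DNS domain name.
        if realm != realm.upper():
            findings.append(f"realm {realm!r} is not upper-case")
        for kdc in entries.get("kdc", []):
            host = kdc.rsplit(":", 1)[0] if ":" in kdc else kdc  # drop :port (IPv4/hostname only)
            if not is_ip_literal(host):
                dns_hosts.append(host)
    return {"findings": findings, "dns_hosts": dns_hosts}
```

With the posted file, the only finding is that the realm durian.fujixerox.com is not upper-case, and the one name that has to resolve is kerberos.durian.fujixerox.com; the SESSWIN2003.COM KDC is given as an IP literal, so DNS is not involved in reaching it. Resolving the returned names (for example with getent hosts) and checking that the AD server's name resolves forwards and backwards is the remaining, DNS-side half of the check.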