[24557] in Kerberos
Re: kerberos authentication doesn't work agsint windows 2003 AD...
daemon@ATHENA.MIT.EDU (Kent Wu)
Tue Aug 30 19:08:21 2005
From: Kent Wu <kwu@xsigo.com>
To: kerberos@mit.edu
In-Reply-To: <1125368029.11580.10.camel@jurassic.mvcorp.xsigo.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Tue, 30 Aug 2005 16:07:23 -0700
Message-Id: <1125443243.11580.26.camel@jurassic.mvcorp.xsigo.com>
Mime-Version: 1.0
Errors-To: kerberos-bounces@mit.edu
Hi guys,
Thanks for all the inputs I've got so far. And
I've figured out the reason behind it. The reason is that
in the last ldap_sasl_bind_s() step, AD 2000 accepts the
DN format like "kwu@blabla.COM" however AD 2003 only
accepts format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
Not sure why AD 2003 wants to change this criterion however
after I used the latter format it was working fine.
The error message "Invalid credentials" was
referring to the wrong DN instead of bad password/key.
I was thinking in the total opposite direction before and
all of sudden I came across this "wrong DN" idea!
Cheers.
-Kent
On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
> Hi guys,
>
> I used to write a program to authenticate
> users against windows 2000 AD by using MIT
> Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically
> what I did is to authenticate users against AD by
> using kerberos before doing LDAP search operations.
> It was working perfectly until I wanted to migrate the
> 2000 AD to 2003 a wk ago.
>
> While doing kerberos authentication against
> AD 2003, the last step of ldap_sasl_bind_s() always
> returns "invalid credentials" even though I've successfully
> got TGT as well as the service ticket for LDAP (AD 2003). If
> I type "klist" right before the last ldap_sasl_bind_s() step,
> I can see the followings and it's looking look.
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> Default principal: KWU@DOMAIN
>
> Valid starting Expires Service principal
> 08/29/05 18:09:59 08/30/05 04:09:59 krbtgt/DOMAIN@DOMAIN
> renew until 08/30/05 18:09:59
> 08/29/05 18:10:01 08/30/05 04:09:59 ldap/AD-HOSTNAME.DOMAIN@DOMAIN
> renew until 08/30/05 18:09:59
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> However it still fails in the last ldap_sasl_bind_s() call.
>
> My calling sequence is like this:
>
> 1. use Kerberos APIs to get/store TGT.
> 2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
> (ldap_sasl_bind_s()) to engage kerberos authentication.
> Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it
> requires a loop (a couple of handshaking steps) to complete
> the whole authentication process. It was working all good until
> the last ldap_sasl_bind_s() call....
>
> I've looked high and low on the internet and tried variety of
> configurations in both client and server side however ended up
> nothing. It's so weird that it works fine with AD 2000 but not
> 2003....
>
> Can anyone help me out by sharing his/her own experience or
> pointing me to the right direction?
>
> Thanks a lot in advance !
>
> -Kent
>
>
>
>
>
--
Kent Wu <kwu@xsigo.com>
XSIGO INC.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos