[24557] in Kerberos

home help back first fref pref prev next nref lref last post

Re: kerberos authentication doesn't work agsint windows 2003 AD...

daemon@ATHENA.MIT.EDU (Kent Wu)
Tue Aug 30 19:08:21 2005

From: Kent Wu <kwu@xsigo.com>
To: kerberos@mit.edu
In-Reply-To: <1125368029.11580.10.camel@jurassic.mvcorp.xsigo.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Tue, 30 Aug 2005 16:07:23 -0700
Message-Id: <1125443243.11580.26.camel@jurassic.mvcorp.xsigo.com>
Mime-Version: 1.0
Errors-To: kerberos-bounces@mit.edu

Hi guys,

	Thanks for all the inputs I've got so far. And 
I've figured out the reason behind it. The reason is that
in the last ldap_sasl_bind_s() step, AD 2000 accepts the 
DN format like "kwu@blabla.COM" however AD 2003 only 
accepts format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
Not sure why AD 2003 wants to change this criterion however 
after I used the latter format it was working fine. 

	The error message "Invalid credentials" was 
referring to the wrong DN instead of bad password/key. 
I was thinking in the total opposite direction before and 
all of sudden I came across this "wrong DN" idea!

Cheers.

-Kent

On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
> Hi guys,
> 
> I used to write a program to authenticate 
> users against windows 2000 AD by using MIT 
> Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically 
> what I did is to authenticate users against AD by 
> using kerberos before doing LDAP search operations. 
> It was working perfectly until I wanted to migrate the 
> 2000 AD to 2003 a wk ago. 
> 
> While doing kerberos authentication against 
> AD 2003, the last step of ldap_sasl_bind_s() always 
> returns "invalid credentials" even though I've successfully 
> got TGT as well as the service ticket for LDAP (AD 2003). If
> I type "klist" right before the last ldap_sasl_bind_s() step, 
> I can see the followings and it's looking look.
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> 
> Default principal: KWU@DOMAIN
> 
> Valid starting     Expires            Service principal
> 08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/DOMAIN@DOMAIN
>         renew until 08/30/05 18:09:59
> 08/29/05 18:10:01  08/30/05 04:09:59  ldap/AD-HOSTNAME.DOMAIN@DOMAIN
>         renew until 08/30/05 18:09:59
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
> 
> However it still fails in the last ldap_sasl_bind_s() call.
> 
> My calling sequence is like this: 
> 
> 1. use Kerberos APIs to get/store TGT.
> 2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
> (ldap_sasl_bind_s()) to engage kerberos authentication. 
> Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it 
> requires a loop (a couple of handshaking steps) to complete
> the whole authentication process. It was working all good until
> the last ldap_sasl_bind_s() call....
> 
> I've looked high and low on the internet and tried variety of 
> configurations in both client and server side however ended up
> nothing. It's so weird that it works fine with AD 2000 but not 
> 2003....
> 
> Can anyone help me out by sharing his/her own experience or 
> pointing me to the right direction?
> 
> Thanks a lot in advance !
> 
> -Kent
> 
> 
> 
> 
> 
-- 
Kent Wu <kwu@xsigo.com>
XSIGO INC.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post