trouble with msktutil and Windows 2008 AD
Message-ID: <4D7648E7.1090300@engr.uconn.edu>
Date: Tue, 8 Mar 2011 10:19:03 -0500
From: Rohit Kumar Mehta <rohitm@engr.uconn.edu>
MIME-Version: 1.0
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
From reading this list, it seems like msktutil is a much better
solution for managing Linux service principals in an AD than using
KTPASS.EXE. However, I seem to be having some difficulties.
I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to
create some service principals for my test-nfs server. So on my test
Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I
believe version 0.4), compiled, did a kinit
Administrator@TAD.ENGR.UCONN.EDU, and then tried to run msktutil. This
is what I get:
root@test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname
test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
-- init_password: Wiping the computer password structure
-- get_default_keytab: Obtaining the default keytab name:
FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-mc2Qvi
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: test-nfs
-- finalize_exec: SAM Account Name is: test-nfs$
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
-- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
-- ~KRB5Context: Destroying Kerberos Context
root@test-nfs:~/build/f/msktutil#
Looking at Wireshark I see a bunch of errors like
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. It looks like msktutil is trying to
get authorized for the service ldap/test-dc1.tad.engr.uconn.edu. Given
that Microsoft Active Directory provides LDAP, I'm not sure why that is
a problem.
Am I doing anything obviously wrong? If so I appreciate any help. Thanks!
Rohit
--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
Office: (860) 486 - 2331
Fax: (860) 486 - 1273
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
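The failure in the post is a TGS-REQ for an ldap/ service principal that the KDC answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Which name ends up in that ldap/<host> principal is decided on the client, by how the Kerberos library canonicalizes the value given to --server, and a bind only succeeds if some account in the domain carries exactly that SPN. The script below is an added example, not code from the post or from msktutil; it models that canonicalization (MIT krb5's rdns behaviour) and the KDC's SPN lookup against constructed DNS tables and a constructed servicePrincipalName list, so it runs offline. The realm and host names come from the post; the DNS records, the SPN list and the alternative PTR in the usage run are assumptions.

```python
"""Which service principal does a GSSAPI LDAP bind ask the KDC for?

Added example; it is not code from the original post or from msktutil.
Real DNS and LDAP lookups are replaced by constructed tables so the
script runs offline.  The realm and names are taken from the post; the
DNS records and the SPN list are assumptions.
"""
import ipaddress

REALM = "TAD.ENGR.UCONN.EDU"

# Constructed DNS data (assumption): the DC's A record and the PTR for
# the address that was handed to msktutil with --server.
FORWARD = {"test-dc1.tad.engr.uconn.edu": "137.99.15.89"}
REVERSE = {"137.99.15.89": "test-dc1.tad.engr.uconn.edu"}

# Constructed (assumption): servicePrincipalName values a domain
# controller's computer object would carry.  AD matches SPNs
# case-insensitively.
DC_SPNS = [
    "ldap/test-dc1.tad.engr.uconn.edu",
    "ldap/test-dc1.tad.engr.uconn.edu/TAD.ENGR.UCONN.EDU",
    "ldap/TEST-DC1",
    "HOST/test-dc1.tad.engr.uconn.edu",
]


def canonical_host(server, forward=FORWARD, reverse=REVERSE, rdns=True):
    """Hostname that krb5_sname_to_principal() would put into ldap/<host>.

    Models the MIT krb5 rules: a hostname is forward-resolved and, with
    rdns=true, the PTR of the resulting address wins; an IP literal only
    becomes a name through that reverse lookup, so with rdns=false it
    stays an IP literal.  A name that does not resolve is used as given,
    lowercased, which is also what krb5 does when resolution fails.
    """
    name = server.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)      # --server given as an address
        addr = name
    except ValueError:                  # --server given as a hostname
        addr = forward.get(name)
        if addr is None:
            return name
    if rdns and addr in reverse:
        return reverse[addr].lower()
    return name


def service_principal(server, service="ldap", realm=REALM, **kw):
    """Full principal the client requests a service ticket for."""
    return f"{service}/{canonical_host(server, **kw)}@{realm}"


def kdc_lookup(principal, spns=DC_SPNS):
    """Emulate the AD KDC's answer to a TGS-REQ for `principal`.

    Returns None when some account holds a matching SPN, otherwise the
    error name the client sees in the KRB-ERROR, which is what the
    post's Wireshark capture shows.
    """
    spn = principal.split("@", 1)[0].lower()
    registered = {s.lower() for s in spns}
    return None if spn in registered else "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"


def diagnose(server, **kw):
    """Return (requested principal, KDC error or None) for a --server value."""
    princ = service_principal(server, **kw)
    return princ, kdc_lookup(princ)


if __name__ == "__main__":
    # Assumed PTR that points somewhere other than the DC's own name.
    wrong_ptr = {"137.99.15.89": "proxy.example.net"}
    cases = [
        ("137.99.15.89", {}),
        ("137.99.15.89", {"rdns": False}),
        ("137.99.15.89", {"reverse": wrong_ptr}),
        ("test-dc1.tad.engr.uconn.edu", {}),
        ("TEST-DC1", {}),
    ]
    for srv, opts in cases:
        princ, err = diagnose(srv, **opts)
        print(f"--server {srv:<28} {str(opts):<40} -> {princ}: {err or 'OK'}")
```

On the real box the same check is two commands after the kinit: `kvno ldap/test-dc1.tad.engr.uconn.edu@TAD.ENGR.UCONN.EDU` asks the KDC for exactly one named service ticket, and `ldapsearch -Y GSSAPI -H ldap://test-dc1.tad.engr.uconn.edu -b "" -s base` performs the same SASL bind msktutil attempts, this time against the DC's DNS name rather than its address; on the DC, `setspn -L TEST-DC1$` lists the SPNs the KDC will actually match. If the named-host variants work while the IP variant does not, the name derived from the address (PTR record, or the literal address with rdns off) is the thing to fix.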