
Comments (5)

1 localhost commented

Hello all

After finally getting Kerberos authenticating against Win2003-AD, I've stumbled into the next issue. But first things first: how I got it to work. A helpful step-by-step howto I found here: http://www.pseriestech.org/forum/tutorials/microsoft-windows-2003-active-directory-integration-65.html?garpg=4#content_start. Yet... after receiving errors like the following, which can be a bit tedious to track down. For example, if kinit -kt /etc/krb5/krb5.keytab <principal-name> gives you an error like:

    Unable to obtain initial credentials. Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.

then ...
I'd like to share some points, so others might benefit ...

- Absolutely important is that all machines in the network resolve their names alike (DNS resolve). Watch out on AIX for the environment variable NSORDER. If your local /etc/hosts file resolves the short name first for the IP address, and your NSORDER is set to "local,bind", you'll not succeed if your DNS resolves it as "machine.domain.tld".
- Have the keytab file generated by the Windows AD administrator with the newest ktpass.exe. There is a bug in some versions which creates an unusable keytab file (see http://support.microsoft.com/kb/919557). Alternatively, you can pull your keytab information yourself from the AD.
  First you need to find out which is the correct kvno (KeyVersionNumber) of your principal.
  - /usr/krb5/bin/kvno <principal-name> will give you a number. Start ktutil ($KVNO would be the KeyVersionNumber from the previous step.)
  - ktutil
  - ktutil: addent -password -p <principal-name> -k $KVNO -e des-cbc-md5
    View the received credential:
  - ktutil: list
    and to save that credential into the keytab file:
  - ktutil: wkt /etc/krb5/krb5.keytab
  - ktutil: quit
    Needless to say, you need to know the assigned password for that principal.
  Then

      kinit -kt /etc/krb5/krb5.keytab <principal-name>

  should give you a credential. This you can see with

      klist

  and you're set.

If this is still not working, you might want to go through the steps Sandeep has given me. I hope it's ok with you, Sandeep, that I post them here. If not, you're free to edit my post and take them out.

> i) From your AIX box, run "/usr/krb5/bin/kinit <any windows user from that active directory whose pwd you know>" and check if you are getting the ticket without involving the keytab. If it works, it indicates that the KDC is being properly reached.
> ii) From your AIX box, run kinit directly against the user/service against whom the HOST/machine.domain.tld principal was mapped on the Active Directory (as in Active Directory one cannot have host/service principals and hence they are mapped to some existing Kerberos principal): "/usr/krb5/bin/kinit <original mapping user/service>". If this prompts for the password, it confirms that the KDC is reached. If you know the password (which I guess you should, as it's required to map it to the Unix service) please enter it. If this works then the problem is in mapping the principal which was done on the Windows machine; which is what I am suspecting at this moment (with the information I have).
> iii) Run "/usr/krb5/bin/kvno <original principal to which the service is mapped to>"; this will go to the KDC and get the key version number, which should match with the keytab. In your case it should return 3, if the keytab is correctly made. iii) May not be causing the problem, but make sure that the default domain being entered in krb5.conf is in proper case on Windows as well as on the AIX machine.
> iv) If the problem still surfaces, run through the following article, which will help give serviceability logs. http://www.ibm.com/developerworks/aix/library/au-nas_auditing/

In addition, concerning the DNS resolve, I have in my krb5.conf, in the libdefaults section, the following two lines:

    dns_lookup_kdc = true
    dns_lookup_realm = true

So far, that is how I got my AIX machine to get valid credentials from the Win AD server.
Now I come to my next issue. We want to set up AIX FastConnect, using the option of authenticating through Kerberos on the AD. But here now, within the communication of that process between FastConnect and the krb5.client, I get the following error:

    Feb 27 09:45:35 machine user:debug syslog: GSS-API message 4. gss_accept_sec_context FAILED.: Miscellaneous failure
    Feb 27 09:45:35 machine user:debug syslog: GSS-API message 4. gss_accept_sec_context FAILED.: Wrong principal in request
    Feb 27 09:45:35 machine user:debug syslog: ERROR: Wrong principal in request
    Feb 27 09:45:35 machine user:debug syslog: cifs_gss_validate_user() failed

I did set some debug options in /etc/rc.cifs, with which I start FastConnect. With these options set, krb5.client will write debugging messages:

    export _KRB5_SVC_MSG_LEVEL=VERBOSE
    export _KRB5_SVC_DBG_MSG_LOGGING=1
    export _KRB5_SVC_MSG_LOGGING=STDERR_LOGGING
    export _KRB5_SVC_DBG=*.9
    export _KRB5_SVC_DBG_FILENAME=/var/krb5/log/krb5stdout.log
    export _KRB5_SVC_STDERR_FILENAME=/var/krb5/log/krb5stderr.log
Current status is, that I have opened a PMR with IBM. They are investigating the subject...
Thanks for all your help, hints and support.
Happy kerbering ;-)
Lukas
--
Suva, IT Department, System Services
Lukas Wymann, System Specialist
P.O. Box 4358, Rösslimattstrasse 39, 6002 Luzern
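As an added example (not from Lukas's post and not IBM NAS code): a small Python reader for the keytab itself, so the exact principal string and kvno stored in /etc/krb5/krb5.keytab can be compared with what /usr/krb5/bin/kvno reports and with the name the "Client not found" and "Wrong principal in request" errors are complaining about. It assumes the keytab uses the MIT-compatible version-2 layout (0x0502); the sample keytab bytes are constructed in the code, not taken from any real system.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)      # 16-bit length, then that many octets
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for every live entry (MIT v2 layout)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _ntype, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        # a 32-bit kvno trails the key when the writer stored one; else use the 8-bit field
        kvno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

def build_entry(principal, kvno, etype, key):
    """Encode one entry in the same layout; used here only to construct the sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)   # name type, timestamp, vno8, enctype
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def keytab_kvno(data, principal):
    """kvno(s) stored for an exact principal string; [] means the name (or its case) differs."""
    return [e["kvno"] for e in parse_keytab(data) if e["principal"] == principal]

# constructed sample: one des-cbc-md5 entry with kvno 3 (the value step iii expects)
SAMPLE = b"\x05\x02" + build_entry("host/machine.domain.tld@DOMAIN.TLD", 3, 3, b"\x01" * 8)
```

Run it against the real file with `parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read())` and compare the kvno with the number /usr/krb5/bin/kvno prints; a principal that differs only in case or in short vs. fully qualified host name shows up as an empty list from keytab_kvno.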

2 localhost commented


Oops... I'm sorry about these HTML codes. Hmmm... Although it says HTML syntax enabled, and the preview shows it as such (nicely formatted the way I intended), on clicking post... well, the result you see above.
Maybe someone can correct the posting procedure, or the hint "HTML Syntax NOT enabled", or even correct my post?!? ;-)
Happy 'puting,
Lukas

3 localhost commented

Hi Lukas,

Are you using:

    dns_lookup_kdc = true
    dns_lookup_realm = true

with NAS?
Even though I discovered some undocumented options, I would like to know if NAS is able to use these options.
Also it would be nice to update and document all the valid options we can use.
Only a general question for all:
What is the kadmin/admin principal used for? I have seen that it is used when you forward your credentials, but I don't understand very well how it is working.
Thanks for your post.

4 localhost commented

No, IBM Network Authentication Service does not support

    dns_lookup_kdc = true
    dns_lookup_realm = true

though it supports LDAP-based lookups.

