> You should not need these.

Ok.


> Some things to try:
>
> Wireshare or other trace program to see DNS and Kerberos requests.
> This should show name of the "Server not found in Kerberos database"


I captured the request dialog with wireshark and got this (the things I think
are important):

MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
Name-type: Unknown (0)
Name: krbtgt
Name: COM
I guess that indicates an error in my krbtgt setup. But where should I search
for it and what does the right setup look like?

> On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
> Is the default realm (in uppercase) the same as the AD domain name?
> if not, you may need a krb5.conf, or the -R option on ldapsearch.


Yes, I do have a krb5.conf on the unix side. Here it is:

[libdefaults]
default_realm=EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# v4_instance_resolve = false
# v4_name_convert = {
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.4:88
admin_server = 192.168.10.4:749
}
[domain_realm]
.example.com = EXAMPLE.COM

As you can see, it is a setup for some tests...
-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de