I don't know, if I got you right (I'm not quite good in networks and
especially AD; thats a new thing for me, so I'm a noob)

So I just ask again:
Douglas E. Engert wrote
> > I captured the request dialog with wireshark and got this

> (the things I think
> > are important):
> >
> > MSG Type: KRB-ERROR
> > Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > Realm: EXAMPLE.COM
> > Server Name (Unknown): krbtgt/COM
> > Name-type: Unknown (0)
> > Name: krbtgt
> > Name: COM

>
> This looks like cross realm, where the client is working its
> way up the realm
> tree to get the the realm of the server, say AD.DOMAIN.COM.
> Client is using TGT
> from EXAMPLE.COM to get TGT for realm COM (which does not
> exist) If it did, it
> would then try and get a TGT from COM for DOMAIN.COM, then
> get one from
> AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM.
>
> I thought you where trying to use Active Directory, and the
> domain name
> was something like ad.domain.com. So why does you unix system have
> a realm named EXAMPLE.COM? Have you setup cross realm trust
> between them?
>
> If you are not using cross-real, then you should be using the
> AD domain name as
> the realm name. It should have a realm named AD.DOMAIN.COM.
> Either the user and server must be in the same realm, or you
> need cross realm
> trust.


The domain/realm in AD is called example.com . My Unix-Client is
gate.exaple.com
On running 'kinit proxyuser'
(the proxyuser is mapped to gate.example.com as Microsoft docu suggested)
I get a ticket that looks like this

[me@gate ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: proxyuser@EXAMPLE.COM

Valid starting Expires Service principal
11/16/07 13:11:24 11/16/07 23:08:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/17/07 13:11:24


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

So I assumed the TGT-Server is krbtgt/EXAMPLE.COM@EXAMPLE.COM and works fine.
I don't get, why ldapsearch is looking for krbtgt/COM and not
krbtgt/EXAMPLE.COM@EXAMPLE.COM.

Should I rename the AD domain to ad.example.com or something like that? Is
that what you ment?

> I am assuming that you do not wish to reveal the actual names
> of the host,
> realms and AD domain you are using. This makes it very
> difficult to see what
> the real problem is.


So what kind of setup do you think is good for such tests? The setup I got
here is described in Microsoft's Windows Security and Directory Services for
UNIX (Vol. 2) guide. It's the only documentation I got on this problem. Do
you have some links or other information I could have a look at? The problem
I need to solve is: I should setup a VPN-gate that is able to authenticate
and authorize a user by looking him up in AD. Authentication should be based
on Kerberos, authorization on LDAP-groups. It worked fine with PAM+Kerberos
and simple bind for LDAP. Now there came the requirement to have a secure
LDAP connection (over Kerberos). And that is what I'm dealing with now. The
test setup works as long as I do not try to authenticate my LDAP client over
Kerberos. And I don't get why this is something different, than authenticate
a user on the gate using PAM and Kerberos...

> > Yes, I do have a krb5.conf on the unix side. Here it is:
> >
> > [libdefaults]
> > default_realm=EXAMPLE.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > # default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > # default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > # v4_instance_resolve = false
> > # v4_name_convert = {
> > [realms]
> > EXAMPLE.COM = {
> > kdc = 192.168.10.4:88
> > admin_server = 192.168.10.4:749
> > }
> > [domain_realm]
> > .example.com = EXAMPLE.COM

>
> By default Kerberos will take a host name, and strip off the
> short name, and use the domain name as a realm name for the host.
> So add the other domains and or hosts here too.
>

What other domains do you mean? I have a UNIX client, which is
gate.example.com and an AD Server that is exapmle.com Maybe this is the
problem, because AD should be something like ad.example.com? Is that what you
ment above?


-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de