I don't know, if I got you right (I'm not quite good in networks and
especially AD; thats a new thing for me, so I'm a noob)

So I just ask again:
Douglas E. Engert wrote
> > I captured the request dialog with wireshark and got this

> (the things I think
> > are important):
> >
> > Realm: EXAMPLE.COM
> > Server Name (Unknown): krbtgt/COM
> > Name-type: Unknown (0)
> > Name: krbtgt
> > Name: COM

> This looks like cross realm, where the client is working its
> way up the realm
> tree to get the the realm of the server, say AD.DOMAIN.COM.
> Client is using TGT
> from EXAMPLE.COM to get TGT for realm COM (which does not
> exist) If it did, it
> would then try and get a TGT from COM for DOMAIN.COM, then
> get one from
> AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM.
> I thought you where trying to use Active Directory, and the
> domain name
> was something like ad.domain.com. So why does you unix system have
> a realm named EXAMPLE.COM? Have you setup cross realm trust
> between them?
> If you are not using cross-real, then you should be using the
> AD domain name as
> the realm name. It should have a realm named AD.DOMAIN.COM.
> Either the user and server must be in the same realm, or you
> need cross realm
> trust.

The domain/realm in AD is called example.com . My Unix-Client is
On running 'kinit proxyuser'
(the proxyuser is mapped to gate.example.com as Microsoft docu suggested)
I get a ticket that looks like this

[me@gate ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: proxyuser@EXAMPLE.COM

Valid starting Expires Service principal
11/16/07 13:11:24 11/16/07 23:08:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/17/07 13:11:24

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

So I assumed the TGT-Server is krbtgt/EXAMPLE.COM@EXAMPLE.COM and works fine.
I don't get, why ldapsearch is looking for krbtgt/COM and not

Should I rename the AD domain to ad.example.com or something like that? Is
that what you ment?

> I am assuming that you do not wish to reveal the actual names
> of the host,
> realms and AD domain you are using. This makes it very
> difficult to see what
> the real problem is.

So what kind of setup do you think is good for such tests? The setup I got
here is described in Microsoft's Windows Security and Directory Services for
UNIX (Vol. 2) guide. It's the only documentation I got on this problem. Do
you have some links or other information I could have a look at? The problem
I need to solve is: I should setup a VPN-gate that is able to authenticate
and authorize a user by looking him up in AD. Authentication should be based
on Kerberos, authorization on LDAP-groups. It worked fine with PAM+Kerberos
and simple bind for LDAP. Now there came the requirement to have a secure
LDAP connection (over Kerberos). And that is what I'm dealing with now. The
test setup works as long as I do not try to authenticate my LDAP client over
Kerberos. And I don't get why this is something different, than authenticate
a user on the gate using PAM and Kerberos...

> > Yes, I do have a krb5.conf on the unix side. Here it is:
> >
> > [libdefaults]
> > default_realm=EXAMPLE.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > # default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > # default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > kdc_timesync = 1
> > ccache_type = 4
> > forwardable = true
> > proxiable = true
> > # v4_instance_resolve = false
> > # v4_name_convert = {
> > [realms]
> > kdc =
> > admin_server =
> > }
> > [domain_realm]
> > .example.com = EXAMPLE.COM

> By default Kerberos will take a host name, and strip off the
> short name, and use the domain name as a realm name for the host.
> So add the other domains and or hosts here too.

What other domains do you mean? I have a UNIX client, which is
gate.example.com and an AD Server that is exapmle.com Maybe this is the
problem, because AD should be something like ad.example.com? Is that what you
ment above?


Evgeniy Zharovsky

Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de