Kerberos/SASL/LDAP/Windows - Message Stream Modified - Kerberos


Thread: Kerberos/SASL/LDAP/Windows - Message Stream Modified

  1. Kerberos/SASL/LDAP/Windows - Message Stream Modified


    Hi folks,

    I'm trying to implement an SSO solution so that my Unix systems can
    authenticate off my Windows Server 2003 R2 domain controllers. I liked this
    approach because it's secure, doesn't necessarily need the extra overhead of
    SSL/TLS, and I don't have to put a bind user's password in the ldap.conf
    file. I have tried following instructions on several websites, including
    these forums on Nabble as well as a Microsoft document:

    http://www.microsoft.com/technet/its...w/08wsdsu.mspx

    In any case, I feel like I'm pretty close to getting it working, but I keep
    getting a nagging error message in /var/log/messages:

    GSSAPI error: miscellaneous failure (message stream modified)

    I created a user account in AD for the Linux system, then I used ktpass to
    generate a key table, then copied that to /etc/krb5.keytab on the Linux box.
    I can run "kinit -k" to get a TGT from AD without having to supply a
    password, and I can see the AD accounts when I run 'getent passwd', but I
    cannot ssh as an AD user.

    When this failed, I tried Microsoft's suggestion to use css_adkadmin to
    create the account and keytab from the Linux system, but this also resulted
    in the same problem.

    Here is my krb5.conf for your viewing pleasure:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
    EXAMPLE.COM = {
    kdc = exampledc1.example.com:88
    kdc = exampledc2.example.com:88
    admin_server = exampledc1.example.com:749
    default_domain = example.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    validate = true
    }

    And here is my ldap.conf (comments excluded):

    host 192.168.1.11 192.168.1.12
    base dc=example,dc=com
    use_sasl on
    rootuse_sasl yes
    krb5_ccname /tmp/krb5cc_0
    sasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
    rootsasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
    scope sub
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group dc=example,dc=com?sub
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    nss_map_attribute gecos cn
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad
    sasl_secprops maxssf=0
    ssl no

    I have tried using the bundled versions of Kerberos 5, Cyrus-SASL, OpenLDAP,
    and PADL's nss_ldap. I have also downloaded and installed the latest
    versions of the above software, but the error message still showed up. Any
    ideas???

    Thanks,
    Kevin

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos/SASL/LDAP/Windows - Message Stream Modified


    Followup: I'm still seeing the "message stream modified" error on Linux. I
    turned on debugging in the ldap.conf file to get some more details. I ran
    "getent passwd", which attempts a SASL/GSSAPI bind to Active Directory.
    Looking through the verbose messages on the screen, everything looks OK
    except for one thing:

    Unable to chase referral
    "ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"
    (Local error)

    I've tried starting over and creating new Kerberos key tables, and I've
    tried recompiling the PADL nss_ldap software (though I don't think it's an
    LDAP issue - simple binds work great).

    FYI - I got this working correctly with Solaris 9, so I'm pretty sure the
    problem is not my domain controllers (but I could be wrong).

    Thanks,
    Kevin



  3. Re: Kerberos/SASL/LDAP/Windows - Message Stream Modified

    I have seen the "message stream modified" message in cases where two AD DCs
    didn't synchronise correctly and one had corrupted DES keys.

    Markus

    "degnan78" wrote in message
    news:6797937.post@talk.nabble.com...
    >
    > Followup: I'm still seeing the "message stream modified" error on Linux.
    > I
    > turned on debugging in the ldap.conf file to get some more details. I ran
    > "getent passwd", which attempts a SASL/GSSAPI bind to Active Directory.
    > Looking through the verbose messages on the screen, everything looks OK
    > except for one thing:
    >
    > Unable to chase referral
    > "ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"
    > (Local error)
    >
    > I've tried starting over and creating new Kerberos key tables, and I've
    > tried recompiling the PADL nss_ldap software (though I don't think it's an
    > LDAP issue - simple binds work great).
    >
    > FYI - I got this working correctly with Solaris 9, so I'm pretty sure the
    > problem is not my domain controllers (but I could be wrong).
    >
    > Thanks,
    > Kevin
    >

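    Two things in this thread can be checked from the krb5.conf alone before
    touching keytabs: Kevin's configuration pins both enctype lists to
    single-DES, and Markus's observation that the error appeared when two DCs
    were out of sync means every KDC listed statically in [realms] must hold the
    same key for the host principal. The script below is an added example,
    written for this thread and not taken from it or from MIT Kerberos, PADL or
    Microsoft; it parses the profile format (sections, key = value lines, and
    one level of name = { ... } blocks), flags weak enctypes, and lists the KDCs
    whose key/kvno must be compared. The sample config and the WEAK_ENCTYPES set
    are constructed for the example; the set is an assumption about which names
    to treat as weak, not a list the page provides.

```python
"""Audit a krb5.conf for weak enctypes and statically listed KDCs.

Added example for the thread above; not code from the thread or from any
Kerberos project.  The parser covers the profile features used in the posted
file: [section] headers, key = value lines, repeated keys, and one level of
name = { ... } subsections.
"""
import re

# Constructed sample, modelled on the krb5.conf posted in the first message.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = exampledc1.example.com:88
kdc = exampledc2.example.com:88
admin_server = exampledc1.example.com:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

# Assumption for this example: enctype names treated as weak (single DES and
# RC4 families).  Adjust to local policy.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-exp",
}

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def _as_list(value):
    """Normalise a scalar-or-list profile value to a list."""
    return value if isinstance(value, list) else [value]


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {subsection}}}.

    Repeated keys inside one block (e.g. several "kdc =" lines) accumulate
    into a list.  Raises ValueError on unbalanced braces or keys outside a
    section.
    """
    conf = {}
    stack = []  # open dicts: [section, subsection, ...]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        current = stack[-1]
        if value == "{":  # start of a name = { ... } block
            stack.append(current.setdefault(key, {}))
            continue
        if key in current:
            current[key] = _as_list(current[key]) + [value]
        else:
            current[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf


def audit(conf):
    """Return realm, its static KDC list and a list of finding strings."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        names = " ".join(_as_list(libdefaults[key])).split()
        weak = [n for n in names if n.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(weak)}")
    realm = libdefaults.get("default_realm")
    kdcs = []
    if realm and realm in conf.get("realms", {}):
        kdcs = _as_list(conf["realms"][realm].get("kdc", []))
    # With DNS lookup off, only these hosts are ever contacted; each must
    # serve the same key and kvno for the host principal or one of them
    # will produce tickets the other cannot verify.
    if libdefaults.get("dns_lookup_kdc", "").lower() == "false" and len(kdcs) > 1:
        findings.append(
            f"{len(kdcs)} static KDCs for {realm}; verify the host principal's "
            f"key and kvno agree on each: {', '.join(kdcs)}"
        )
    return {"realm": realm, "kdcs": kdcs, "findings": findings}


if __name__ == "__main__":
    for finding in audit(parse_krb5_conf(SAMPLE_KRB5_CONF))["findings"]:
        print("-", finding)
```

    Point it at the real file with
    `audit(parse_krb5_conf(open("/etc/krb5.conf").read()))`. The script only
    names the KDCs to compare; the comparison itself is done on the host with
    the Kerberos tools the thread already uses (kinit -k, then a service-ticket
    request against each listed KDC in turn).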

