Kerberos/SASL/LDAP/Windows - Message Stream Modified - Kerberos
Kerberos/SASL/LDAP/Windows - Message Stream Modified
Hi folks,
I'm trying to implement an SSO solution so that my Unix systems can
authenticate off my Windows Server 2003 R2 domain controllers. I liked this
approach because it's secure, doesn't necessarily need the extra overhead of
SSL/TLS, and I don't have to put a bind user's password in the ldap.conf
file. I have tried following instructions on several websites, including
these forums on Nabble as well as a Microsoft document:
http://www.microsoft.com/technet/its...w/08wsdsu.mspx
In any case, I feel like I'm pretty close to getting it working, but I keep
getting a nagging error message in /var/log/messages:
GSSAPI error: miscellaneous failure (message stream modified)
I created a user account in AD for the Linux system, then I used ktpass to
generate a key table, then copied that to /etc/krb5.keytab on the Linux box.
I can run "kinit -k" to get a TGT from AD without having to supply a
password, and I can see the AD accounts when I run 'getent passwd', but I
cannot ssh as an AD user.
When this failed, I tried Microsoft's suggestion to use css_adkadmin to
create the account and keytab from the Linux system, but this also resulted
in the same problem.
Here is my krb5.conf for your viewing pleasure:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
 EXAMPLE.COM = {
  kdc = exampledc1.example.com:88
  kdc = exampledc2.example.com:88
  admin_server = exampledc1.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  validate = true
 }
And here is my ldap.conf (comments excluded):
host 192.168.1.11 192.168.1.12
base dc=example,dc=com
use_sasl on
rootuse_sasl yes
krb5_ccname /tmp/krb5cc_0
sasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
rootsasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group dc=example,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_map_attribute gecos cn
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
sasl_secprops maxssf=0
ssl no
I have tried using the bundled versions of Kerberos 5, Cyrus-SASL, OpenLDAP,
and PADL's nss_ldap. I have also downloaded and installed the latest
versions of the above software, but the error message still showed up. Any
ideas???
Thanks,
Kevin
--
View this message in context: http://www.nabble.com/Kerberos-SASL-....html#a6618355
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
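As an added example, not from the thread or from any of the tools it names, a small Python parser for the MIT keytab format that the ktpass output above is copied into as /etc/krb5.keytab. It lists principal, kvno and enctype the way `klist -kte` does and flags principals whose keys are all single DES, the only enctypes the krb5.conf above allows. The sample keytab is constructed inline; its principal name, kvno and key bytes are assumptions.

```python
import struct

# Enctype numbers from RFC 3961/3962 and RFC 4757; 1-3 are the single-DES types the krb5.conf forces.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3}  # single DES

def build_entry(realm, components, kvno, enctype, key, timestamp=0):
    """Serialise one MIT keytab (format 0x0502) entry; used here only to build sample data."""
    counted = lambda s: struct.pack(">H", len(s)) + s       # uint16 length + bytes
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    for c in components:
        body += counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT_PRINCIPAL, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob: bytes):
    """Parse a format-0x0502 keytab into dicts, roughly what `klist -kte` prints."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:                       # negative size marks a deleted entry (hole)
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        parts = []                         # realm first, then the name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", blob, pos); pos += 2
            parts.append(blob[pos:pos + ln].decode()); pos += ln
        _nt, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "weak": enctype in WEAK_ENCTYPES})
        pos = end
    return entries

def weak_only_principals(blob: bytes):
    """Principals whose keys in the keytab are all single-DES (no stronger key to fall back on)."""
    by_princ = {}
    for e in parse_keytab(blob):
        by_princ.setdefault(e["principal"], []).append(e["weak"])
    return sorted(p for p, flags in by_princ.items() if all(flags))

# Constructed sample: a host keytab for the Linux box with two DES keys at kvno 3 and dummy key bytes.
HOST = ("EXAMPLE.COM", ["host", "test01.example.com"])
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(*HOST, 3, 3, b"\x01" * 8) + build_entry(*HOST, 3, 1, b"\x02" * 8)
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` to compare the kvno and enctypes on the Unix side with what the domain controller currently holds for the account.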
-
Re: Kerberos/SASL/LDAP/Windows - Message Stream Modified
Followup: I'm still seeing the "message stream modified" error on Linux. I
turned on debugging in the ldap.conf file to get some more details. I ran
"getent passwd", which attempts a SASL/GSSAPI bind to Active Directory.
Looking through the verbose messages on the screen, everything looks OK
except for one thing:
Unable to chase referral
"ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"
(Local error)
I've tried starting over and creating new Kerberos key tables, and I've
tried recompiling the PADL nss_ldap software (though I don't think it's an
LDAP issue - simple binds work great).
FYI - I got this working correctly with Solaris 9, so I'm pretty sure the
problem is not my domain controllers (but I could be wrong).
Thanks,
Kevin
-
Re: Kerberos/SASL/LDAP/Windows - Message Stream Modified
I have seen the "message stream modified" message in cases where two AD DCs
didn't synchronise correctly and one had corrupted DES keys.
Markus
"degnan78" wrote in message
news:6797937.post@talk.nabble.com...
>
> Followup: I'm still seeing the "message stream modified" error on Linux. I
> turned on debugging in the ldap.conf file to get some more details. I ran
> "getent passwd", which attempts a SASL/GSSAPI bind to Active Directory.
> Looking through the verbose messages on the screen, everything looks OK
> except for one thing:
>
> Unable to chase referral
> "ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com"
> (Local error)
>
> I've tried starting over and creating new Kerberos key tables, and I've
> tried recompiling the PADL nss_ldap software (though I don't think it's an
> LDAP issue - simple binds work great).
>
> FYI - I got this working correctly with Solaris 9, so I'm pretty sure the
> problem is not my domain controllers (but I could be wrong).
>
> Thanks,
> Kevin