[kerberos-discuss] host certificate renewal requires ldap client to be restarted

David Bond Wed, 29 Jul 2009 05:59:12 PDT

Thanks for your help on this, and sorry for not replying sooner, being in 
norway, different timezones and then i had a few meetings today.


First with netstat, when there is a problem with the authentication, netstat 
doesnt work, it hangs after listing the column names.

if i touch the resolv.conf file, netstat starts to respond. So looks like i 
cant provide a list when the problem occurs, only right after it starts to, 
which is attached.

With the ldap configuration, what would be your recommendation be for its 
configuration.

I dont not want a configuration where there is a specific ldap account used to 
authenticate the logons, I would like it to use the users credentials to 
authenticate against AD. This connection should also be secure, so doesnt 
expose any of the usernames or passwords. The bigadmin document was the only 
one that i found which appeared to do this for me, I have found it difficault 
to locate example configurations that appear to be secure.

>I also question the wisdom of using:
>NS_LDAP_CREDENTIAL_LEVEL= self
 and
>This also says:
>"THE SOLUTION DESCRIBED IN THIS PAPER SHOULD BE TREATED AS PROOF OF
>CONCEPT AND SHOULD NOT BE USED IN PRODUCTION"

Well thats on most implementation guides isnt it :), and it will be changed for 
my environment when finished, but if you think that its not actually a good way 
to go about the authentication, i would really like some help in getting 
another way set up.

Doing a klist after the tickets are renewed shows that the service principal 
tickets are also renewed.

These problems have been replicated on multiple installations and domains. I 
have setup a test domain at home, installed windows 2003 R2, did a dcpromo, 
installed the unix utils to add the snapin for active diretory and added a user 
with unix properties, and made sure the reverse lookups were in the DNS. Then 
installed opensolaris and configured it as in that documentation. So it is easy 
to replicate.

thanks
-- 
This message posted from opensolaris.org
-------------- next part --------------

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
FORCE.microsoft-ds   172.16.40.15.3990    64350      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4194    64403      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4213    64350      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4233    64403      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4237    64350      0 49640      0 CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.4244    64399      0 49640      0 CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.4254    64346      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4256    64403      0 49640      0 CLOSE_WAIT
FORCE-bnx0.52711     cd1.development01.tag.no.ldap 64112      0 49640      0 
CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.4783    64346      0 49640      0 CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.4797    64399      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4815    64350      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4829    64403      0 49640      0 CLOSE_WAIT
FORCE.ssh            172.16.40.15.1449    63884      0 49640      0 ESTABLISHED
FORCE.microsoft-ds   172.16.40.15.4840    64350      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4853    64403      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4882    64350      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.4896    64403      0 49640      0 CLOSE_WAIT
FORCE.ssh            172.16.40.15.3188    63532     51 49640      0 ESTABLISHED
FORCE.microsoft-ds   172.16.40.15.4901    64350      0 49640      0 CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.4950    64399      0 49640      0 CLOSE_WAIT
FORCE-bnx0.52317     cd2.development01.tag.no.microsoft-ds 65149      0 49640   
   0 ESTABLISHED
FORCE.netbios-ssn    172.16.40.15.3814    64346      0 49640      0 CLOSE_WAIT
FORCE.netbios-ssn    172.16.40.15.3837    64399      0 49640      0 CLOSE_WAIT
FORCE.microsoft-ds   172.16.40.15.3964    64350      0 49640      0 CLOSE_WAIT
FORCE.59759          cd1.development01.tag.no.ldap 65528      0 49640      0 
TIME_WAIT
FORCE.36886          cd2.development01.tag.no.ldap 65528      0 49640      0 
TIME_WAIT
FORCE.34389          cd1.development01.tag.no.ldap 65528      0 49640      0 
TIME_WAIT
FORCE.59619          cd2.development01.tag.no.ldap 65528      0 49640      0 
TIME_WAIT
FORCE.microsoft-ds   172.16.40.15.3975    64403      0 49640      0 CLOSE_WAIT

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
ffffff02d783d388 stream-ord 0000000 0000000 /tmp/.X11-unix/X0
ffffff02d783d6f0 stream-ord 0000000 ffffff02e4c89a80                
/tmp/.X11-unix/X0
ffffff02d783da58 stream-ord 0000000 0000000 /tmp/.X11-unix/X0
ffffff02d783ddc0 stream-ord 0000000 ffffff02e4c89a80                
/tmp/.X11-unix/X0
ffffff02d783e128 stream-ord 0000000 0000000 /tmp/.X11-unix/X0
ffffff02d783e490 stream-ord 0000000 ffffff02e4c89a80                
/tmp/.X11-unix/X0
ffffff02d783e7f8 stream-ord 0000000 0000000 /var/run/dbus/system_bus_socket
ffffff02d783eb60 stream-ord ffffff02e4c89a80 0000000 /tmp/.X11-unix/X0
ffffff02e2a8b018 stream-ord ffffff02e494f280 0000000 /var/run/gdm_socket
ffffff02e2a8b380 stream-ord 0000000 ffffff02e2a55200                
/var/run/dbus/system_bus_socket
ffffff02e2a8b6e8 stream-ord ffffff02e100d980 0000000 /var/run/.inetd.uds
ffffff02e2a8ba50 stream-ord 0000000 0000000 /var/run/dbus/system_bus_socket
ffffff02e2a8bdb8 stream-ord 0000000 ffffff02e2a55200                
/var/run/dbus/system_bus_socket
ffffff02e2a8c120 stream-ord 0000000 0000000 /var/run/dbus/system_bus_socket
ffffff02e2a8c488 stream-ord 0000000 0000000 /var/run/dbus/system_bus_socket
ffffff02e2a8c7f0 stream-ord ffffff02d78c0440 0000000 /var/run/mDNSResponder
ffffff02e2a8cb58 dgram      ffffff02e2998340 0000000 /var/run/in.rdisc_mib
ffffff02e2a99010 stream-ord 0000000 0000000 /var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a99378 stream-ord 0000000 ffffff02e2caec00                
/var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a996e0 stream-ord 0000000 ffffff02e2a55200                
/var/run/dbus/system_bus_socket
ffffff02e2a99a48 stream-ord 0000000 ffffff02e2a55200                
/var/run/dbus/system_bus_socket
ffffff02e2a99db0 stream-ord 0000000 0000000 /var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a9a118 stream-ord 0000000 0000000 /var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a9a480 stream-ord 0000000 ffffff02e2caec00                
/var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a9a7e8 stream-ord 0000000 ffffff02e2caec00                
/var/run/hald/dbus-3NAHLx7rRf
ffffff02e2a9ab50 dgram      ffffff02e402fa80 0000000 /var/run/in.ndpd_mib
ffffff02e26e5008 stream-ord 0000000 0000000 /var/run/hald/dbus-3NAHLx7rRf
ffffff02e26e5370 stream-ord 0000000 ffffff02e2caec00                
/var/run/hald/dbus-3NAHLx7rRf
ffffff02e26e56d8 stream-ord 0000000 0000000 /var/run/hald/dbus-eKgSzn8WbQ
ffffff02e26e5a40 stream-ord 0000000 ffffff02e2cc6a80                
/var/run/hald/dbus-eKgSzn8WbQ
ffffff02e26e5da8 stream-ord ffffff02e2cc6a80 0000000 
/var/run/hald/dbus-eKgSzn8WbQ
ffffff02e26e6110 stream-ord 0000000 0000000
ffffff02e26e6478 stream-ord 0000000 0000000
ffffff02e26e67e0 stream-ord ffffff02e2caec00 0000000 
/var/run/hald/dbus-3NAHLx7rRf
ffffff02e26e6b48 stream-ord ffffff02e2a55200 0000000 
/var/run/dbus/system_bus_socket

[kerberos-discuss] host certificate renewal requires ldap client to be restarted

Reply via email to