We've got a corporate Active Directory, with a root domain used to keep some service and security accounts as well as some servers with the infrastructure FSMO roles (Schema Master, Domain Naming Master, Infrastructure Master, ...). On a child domain, we've got the servers, computers and users. We are trying to be able to authenticate users and services also on our UNIX machines, so we can give some kind of Single Sign On for the few users (basically in the IT department) which use the UNIX machines, and especially be able to offer UNIX services to the users without having to ask them for a user and password once they are logged in to the AD.
I've followed both Microsoft and MIT papers, and from a NetBSD box and a SuSE box I've got the same problem. I can kinit from a user and get a ticket from the AD for the user with the same name (or use kinit username) and it works perfectly. But it seems service and host mapping doesn't work. I've created an account for my host and for the ksu service as explained in the Msft. papers, but I get the following error:
ksu: Server not found in Kerberos database while geting credentials from kdc
Authentication failed.
But ksu is in krb5.keytab, imported from AD with ktpass:
idaho.solmelia.corp:/home/chpl000# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 host/[EMAIL PROTECTED]
2 1 ksu/[EMAIL PROTECTED]
ktutil:
OTOH, login.krb5 does work perfectly:
idaho.solmelia.corp:~$ /usr/pkg/sbin/login.krb5
login: chpl000
Password for chpl000:
Last login: Wed Nov 12 11:52:03 on ttyp0
NetBSD 1.6.2_RC1 (LATITUDE.IP4) #0: Tue Nov 4 12:11:07 CET 2003
Welcome to NetBSD!
You have mail.
Disk quotas for user chpl000 (uid 1000): none
idaho.solmelia.corp:~$ klist
Ticket cache: FILE:/tmp/krb5cc_p934
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
11/12/03 11:53:04 11/12/03 21:55:30 krbtgt/[EMAIL PROTECTED] CORP
renew until 11/13/03 11:53:04
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Does anyone have a hint on how to solve this issue? I have no clue what to do after searching everywhere...
Thanks and best regards (and sorry for the long post)
-- Christian Palomino mailto:[EMAIL PROTECTED] http://www.palominocassain.com GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F
________________________________________________
Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
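A sanity check for the keytab listing in the post, added here as example code that is neither from the post nor from MIT Kerberos: it parses a constructed copy of the ktutil output (realm EXAMPLE.CORP and the host name are placeholders, since the archive anonymised the original) and flags the local mismatches that make a KDC answer "Server not found in Kerberos database" for a keytab principal. The live confirmation that the AD KDC knows each principal is kvno against the KDC, which the script lists rather than runs.

```python
import re

# Constructed copy of the 'ktutil list' output from the post. The realm is the
# placeholder EXAMPLE.CORP because the original was anonymised by the archive.
KTUTIL_OUTPUT = """\
slot KVNO Principal
---- ---- ----------------------------------------------------------------------
   1    1 host/idaho.solmelia.corp@EXAMPLE.CORP
   2    1 ksu/idaho.solmelia.corp@EXAMPLE.CORP
"""

# One keytab entry per line: slot, kvno, service/host@REALM.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_ktutil_list(text):
    """Return the principals in a 'ktutil list' dump as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"slot": int(m.group(1)), "kvno": int(m.group(2)),
                            "service": m.group(3), "host": m.group(4),
                            "realm": m.group(5)})
    return entries


def check_keytab(entries, fqdn, default_realm):
    """List local mismatches that lead to 'Server not found in Kerberos database'."""
    problems = []
    for e in entries:
        name = f"{e['service']}/{e['host']}@{e['realm']}"
        if e["realm"] != default_realm:
            problems.append(f"{name}: realm differs from default_realm {default_realm}")
        if e["realm"] != e["realm"].upper():
            problems.append(f"{name}: realm is not upper-case")
        if e["host"].lower() != fqdn.lower():
            problems.append(f"{name}: host part is not the canonical FQDN {fqdn}")
    # MIT ksu validates the user's TGT against the local host/<fqdn> entry, so
    # that principal must exist in the keytab and as an SPN on the AD account.
    if not any(e["service"] == "host" and e["host"].lower() == fqdn.lower()
               for e in entries):
        problems.append(f"no host/{fqdn} entry: ksu needs it to verify the TGT")
    return problems


def live_checks(entries):
    """Commands that confirm the KDC knows each principal (run holding a TGT)."""
    return [f"kvno {e['service']}/{e['host']}@{e['realm']}" for e in entries]
```

Compare the FQDN argument with what the box itself resolves for its own name (forward and reverse), because ksu builds the host principal from that, not from the name typed into ktpass.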
