Hello,

Has anyone had success authenticating AIX servers to a 2003 Active Directory KDC where the AIX servers are defined to a different domain than the Active Directory server? Our progress thus far:
We successfully communicate with AD via kinit, kpasswd, etc. A klist verifies a ticket was defined for the machine.

Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
03/24/04 13:18:11  03/24/04 23:18:11  krbtgt/[EMAIL PROTECTED]

However, when we try to authenticate to AD with the account, we fail with the following debug messages:

Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:08:33 ua011 tsm: Entering krb_normalize...user0
Mar 24 13:08:33 ua011 tsm: [checkName] name = user0
Mar 24 13:08:33 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:07:23 ua011 tsm: Exiting krb_normalize. shortname=user0 longname=user0
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] user0 is normalized to user0
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] cache file is /var/krb5/security/creds/[EMAIL PROTECTED]
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Got TGT ...
Mar 24 13:07:23 ua011 tsm: [getFQHN] entered...
Mar 24 13:07:23 ua011 tsm: [getFQHN] hostname is ua011.bumble.com
Mar 24 13:07:23 ua011 tsm: [getFQHN] normal exit...
Mar 24 13:07:23 ua011 tsm: [is_tgt_valid] hostname is ua011.bumble.com
Mar 24 13:07:23 ua011 tsm: Service name = host/[EMAIL PROTECTED]
Mar 24 13:07:23 ua011 tsm: Client principal in request is same as in TGT
Mar 24 13:07:23 ua011 tsm: Error in getting service ticket for host/<hostname> ...
Mar 24 13:07:23 ua011 tsm: Server not found in Network Authentication Service database
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] TGT validation failed ...
Mar 24 13:07:23 ua011 tsm: [krb_authenticate] Exiting krb_authenticate...
Mar 24 13:07:23 ua011 syslog: pts/6: failed login attempt for user0 from 162.131.196.187

We have been working with the vendor trying to analyze the problem.
From their view, the problem is related to having the AIX servers residing in one domain and the AD server defined to another domain. We find it hard to believe that we are the only shop which is configured in this manner.

If anyone has any insight on how to solve this problem/error and would be willing to share their resolution, we would appreciate hearing from you.

Thank you,
-Butch

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
