Hi folks,

I'm trying to implement an SSO solution so that my Unix systems can authenticate off my Windows Server 2003 R2 domain controllers. I liked this approach because it's secure, doesn't necessarily need the extra overhead of SSL/TLS, and I don't have to put a bind user's password in the ldap.conf file. I have tried following instructions on several websites, including these forums on Nabble as well as a Microsoft document:

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx

In any case, I feel like I'm pretty close to getting it working, but I keep getting a nagging error message in /var/log/messages:

    GSSAPI error: miscellaneous failure (message stream modified)

I created a user account in AD for the Linux system, then I used ktpass to generate a key table, then copied that to /etc/krb5.keytab on the Linux box. I can run "kinit -k" to get a TGT from AD without having to supply a password, and I can see the AD accounts when I run 'getent passwd', but I cannot ssh as an AD user. When this failed, I tried Microsoft's suggestion to use css_adkadmin to create the account and keytab from the Linux system, but this also resulted in the same problem.

Here is my krb5.conf for your viewing pleasure:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
     default_tkt_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
     EXAMPLE.COM = {
      kdc = exampledc1.example.com:88
      kdc = exampledc2.example.com:88
      admin_server = exampledc1.example.com:749
      default_domain = example.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
      validate = true
     }

And here is my ldap.conf (comments excluded):

    host 192.168.1.11 192.168.1.12
    base dc=example,dc=com
    use_sasl on
    rootuse_sasl yes
    krb5_ccname /tmp/krb5cc_0
    sasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
    rootsasl_auth_id cn=host_test01,ou=unix_computers,dc=example,dc=com
    scope sub
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group dc=example,dc=com?sub
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    nss_map_attribute gecos cn
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad
    sasl_secprops maxssf=0
    ssl no

I have tried using the bundled versions of Kerberos 5, Cyrus-SASL, OpenLDAP, and PADL's nss_ldap. I have also downloaded and installed the latest versions of the above software, but the error message still showed up.

Any ideas???

Thanks,
Kevin

--
View this message in context: http://www.nabble.com/Kerberos-SASL-LDAP-Windows---Message-Stream-Modified-tf2375631.html#a6618355
Sent from the Kerberos - General mailing list archive at Nabble.com.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
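Independently of the error being chased in the post above, two of the settings shown in it are ones a practitioner would want flagged: the enctype lists in krb5.conf permit only single-DES, and ldap.conf sets sasl_secprops maxssf=0 while ssl is off, so the GSSAPI bind authenticates the client but the LDAP session that follows carries no integrity or confidentiality layer. The Python script below is an added example, not code from the post or from any of the projects mentioned: it parses krb5.conf and ldap.conf fragments (the samples are copied from the post's configs) and reports those settings, and it shows a hardened variant that passes the same audit. The hardened enctype list and the minssf value are the example's own assumptions; a Windows Server 2003 domain controller cannot issue AES tickets, so on that platform only the rc4-hmac entry of the hardened list would be negotiated.

```python
"""Audit a krb5.conf / nss_ldap ldap.conf pair for weak Kerberos and SASL settings.
Added example; the WEAK_* samples are copied from the mailing-list post, the
HARDENED_* samples are this example's own assumptions."""
import re

# Single-DES enctypes (56-bit keys) are the ones flagged as weak here.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

WEAK_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
[realms]
 EXAMPLE.COM = {
  kdc = exampledc1.example.com:88
  kdc = exampledc2.example.com:88
 }
"""
WEAK_LDAP = """\
host 192.168.1.11 192.168.1.12
use_sasl on
krb5_ccname /tmp/krb5cc_0
sasl_secprops maxssf=0
ssl no
"""
# Assumed hardened settings: AES where the KDC supports it, RC4 as fallback,
# and a SASL security layer required on the LDAP session (SSF >= 56).
HARDENED_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""
HARDENED_LDAP = """\
use_sasl on
sasl_secprops minssf=56
ssl no
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}.  Keys inside a
    'NAME = { ... }' block are stored as 'NAME.key' (e.g. 'EXAMPLE.COM.kdc')."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        kv = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not kv or section is None:
            continue
        key, value = kv.groups()
        if value == "{":
            block = key
            continue
        full_key = f"{block}.{key}" if block else key
        conf[section].setdefault(full_key, []).append(value)
    return conf


def parse_ldap_conf(text):
    """Parse nss_ldap-style ldap.conf ('keyword value...' per line)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit(krb5, ldap):
    """Return a list of human-readable findings for the parsed configs."""
    findings = []
    libdefaults = krb5.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(key, []):
            etypes = value.split()
            weak = [e for e in etypes if e in SINGLE_DES]
            if weak:
                note = " (nothing stronger is offered)" if len(weak) == len(etypes) else ""
                findings.append(f"{key} permits single-DES {', '.join(weak)}{note}")
    secprops = " ".join(ldap.get("sasl_secprops", []))
    no_layer = re.search(r"\bmaxssf\s*=\s*0\b", secprops) is not None
    if no_layer:
        findings.append("sasl_secprops maxssf=0 turns off the GSSAPI integrity/privacy layer on LDAP")
    if no_layer and ldap.get("ssl", ["no"])[-1].lower() in ("no", "off"):
        findings.append("ssl no with maxssf=0: directory traffic is neither TLS- nor SASL-protected")
    return findings


def audit_text(krb5_text, ldap_text):
    """Convenience wrapper: parse both files and audit them."""
    return audit(parse_krb5_conf(krb5_text), parse_ldap_conf(ldap_text))


if __name__ == "__main__":
    for label, k, l in (("as posted", WEAK_KRB5, WEAK_LDAP), ("hardened", HARDENED_KRB5, HARDENED_LDAP)):
        print(f"--- {label} ---")
        for finding in audit_text(k, l) or ["no findings"]:
            print(" ", finding)
```

The parser keeps every occurrence of a repeated key (the two kdc lines become a two-element list), so the same structure can be reused to check that every configured KDC is reachable or to compare the enctypes in a keytab (klist -k -e) against the lists in libdefaults, which is where a key-type mismatch between an AD account and the keytab would show up.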
