> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: [email protected]
> Subject: Re: SASL authentication
>
> As I understood the original poster he wants to use LDAP SASL Bind with mechanism GSSAPI in his LDAP client when accessing MS AD. For this to work a normal kinit should be sufficient for a first test of his LDAP client code.
>
> If his own LDAP *client* runs as a long-running service (e.g. a networked printer) then he would need a keytab extracted with the help of ktpass.exe. AFAICS in these postings the first test did not succeed yet.
Yes, my LDAP client runs in a networked printer, which is not in the same realm as the Kerberos server and LDAP server. Therefore, maybe a keytab file is necessary for me?

> You create a user with a sAMAccountName and a userPrincipalName (LDAP attribute names) and then use this userPrincipalName as parameter for kinit. LDAP-bind with SASL/GSSAPI will automagically obtain a service ticket. See my local test with OpenLDAP command-line tool below (all names manually obfuscated).
>
> If something fails check your DNS and /etc/krb5.conf especially regarding enc types.

Basically, my test is almost the same as what you've done in the following. But in doing ldapsearch, I've met an error:

========================================================
q...@durian(pts/3):/etc[14]$ kinit -f [email protected]
Password for [email protected]:
q...@durian(pts/3):/etc[15]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: [email protected]

Valid starting     Expires            Service principal
03/20/09 15:07:19  03/21/09 01:06:54  krbtgt/[email protected]
        renew until 03/21/09 15:07:19

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
q...@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
========================================================

Does the message "Server not found in Kerberos database" mean I need a keytab file?

Thank you, Michael!

Xu Qiang

> Maybe I got the original poster wrong though...
>
> Ciao, Michael.
> -----------Get Ticket Granting Ticket (TGT)-----------
> $ kinit [email protected]
> Password for [email protected]:
>
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/[email protected]
>         renew until 03/22/09 00:39:14
>
> Kerberos 4 ticket cache: /tmp/tkt4242
> klist: You have no tickets cached
>
> -----------LDAP-Bind SASL/GSSAPI-----------
> $ ldapsearch -H ldap://dc1.testdomain.dom -b "" -s base -Y GSSAPI "(objectClass=*)" namingContexts
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> dn:
> namingContexts: DC=testdomain,DC=dom
> namingContexts: CN=Configuration,DC=testdomain,DC=dom
> namingContexts: CN=Schema,CN=Configuration,DC=testdomain,DC=dom
> namingContexts: DC=DomainDnsZones,DC=testdomain,DC=dom
> namingContexts: DC=ForestDnsZones,DC=testdomain,DC=dom
>
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/[email protected]
>         renew until 03/22/09 00:39:14
> 03/21/09 00:40:57  03/21/09 10:39:16  ldap/[email protected]
>         renew until 03/22/09 00:39:14
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
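Added here as an example that is not part of the thread and is neither Michael's nor Xu Qiang's code: a small Python pre-flight check that reports which Kerberos service principal a SASL/GSSAPI bind will request for a given `-H` URI, and optionally tries to fetch that service ticket with MIT krb5's `kvno`. It rests on an assumption the thread does not spell out (standard MIT krb5 / Cyrus SASL behaviour): the GSSAPI mechanism builds its target from the URI host as the host-based name `ldap@<host>`, which the KDC must know as `ldap/<host>@REALM`. The function names `gssapi_target` and `kvno_check`, the realm `EXAMPLE.COM` and the warning wording are my constructs; the two URIs are the ones that appear in the thread.

```python
"""Pre-flight check for an LDAP SASL/GSSAPI bind target (added example).

Assumption (standard MIT krb5 / Cyrus SASL behaviour, not stated in the
thread): the client asks the KDC for ldap/<host>@REALM, where <host> is
taken from the -H URI. An IP literal therefore requests ldap/<ip>, which
Active Directory does not register by default, unless the krb5 library
first canonicalises the address via reverse DNS.
"""
import ipaddress
import shutil
import subprocess
from typing import Optional
from urllib.parse import urlsplit


def gssapi_target(ldap_uri: str, realm: str) -> dict:
    """Return the service principal a GSSAPI bind to ldap_uri will request,
    plus warnings about host forms that commonly fail the KDC lookup."""
    parts = urlsplit(ldap_uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {ldap_uri!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in LDAP URI: {ldap_uri!r}")

    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False

    spn = f"ldap/{host}@{realm.upper()}"
    warnings = []
    if is_ip:
        warnings.append(
            "host is an IP literal; unless reverse DNS canonicalises it the "
            f"client requests {spn}, which the KDC will not have "
            "('Server not found in Kerberos database')"
        )
    elif "." not in host:
        warnings.append(
            "host is a short name; use the FQDN under which the DC's "
            "ldap/ service principal is registered"
        )
    return {"host": host, "ip_literal": is_ip, "spn": spn, "warnings": warnings}


def kvno_check(spn: str) -> Optional[str]:
    """Live check: ask the KDC for a ticket for spn via MIT krb5's kvno.

    Needs a TGT (kinit) and network access to the KDC, so it is only a
    best-effort step. Returns kvno's output, or None if kvno is not installed.
    """
    if shutil.which("kvno") is None:
        return None
    proc = subprocess.run(["kvno", spn], capture_output=True, text=True)
    return (proc.stdout + proc.stderr).strip()


if __name__ == "__main__":
    # Constructed inputs: the two ldapsearch targets from the thread, with
    # a placeholder realm since the real realm is obfuscated on the list.
    for uri in ("ldap://13.198.98.35", "ldap://dc1.testdomain.dom"):
        info = gssapi_target(uri, "EXAMPLE.COM")
        print(uri, "->", info["spn"])
        for w in info["warnings"]:
            print("  warning:", w)
        result = kvno_check(info["spn"])
        print("  kvno:", result if result is not None else "(kvno not installed)")
```

Run it before `ldapsearch -Y GSSAPI`: if the warning fires for your `-H` value, or `kvno` reports that the principal is unknown, the KDC lookup is the problem and a client keytab would not change that outcome; the host part of the URI (and the DNS that resolves it) is what decides which principal gets requested.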
