> -----Original Message-----
> From: Nicolas Williams [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 01, 2008 5:48 PM
> To: Leopold, Corey
> Cc: Natalie Li; [email protected]
> Subject: Re: [storage-discuss] B85 CIFS - Active Directory - Kerberos
>
> On Tue, Apr 01, 2008 at 05:38:02PM -0500, Nicolas Williams wrote:
> > On Tue, Apr 01, 2008 at 06:29:15PM -0400, Leopold, Corey wrote:
> > > This is essentially what I did. nss_ldap for authorization and
> > > kerberos for authentication. The problem I ran into is the way
> > > smbadm sets up krb5.keytab seems to be incompatible for host
> > > principal checking. If I turn off host principal checking in the
> > > krb5.conf it works just fine. I essentially used this page as my
> > > guide, except instead of using samba to "join" the domain I used
> > > cifs:
> >
> > I'm really not sure what you mean. Can you provide more details?
>
> Well, I can try to guess, actually, but you still have to confirm :)
>
> Are you saying that no host/<fqdn>@<REALM> entries are created in
> /etc/krb5/krb5.keytab?
They are created, they just do not work for interactive login...
Error I get:
---------------------------------
Mar 31 16:19:22 XXXX sshd[822]: [ID 308913 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: Key table entry "host/xxx.xxx.com" not
found in FILE:/etc/krb5/krb5.keytab
---------------------------------
Same error from dtlogin if I attempt to login from the console.
Results of ktutil list....
----------------------------------
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- -----------------------------------------------------------------
   1    2 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   2    2 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   3    2 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
   4    2 host/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5    2 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
   6    2 nfs/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
   7    2 nfs/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
   8    2 nfs/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   9    2 HTTP/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
  10    2 HTTP/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
  11    2 HTTP/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  12    2 HTTP/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
  13    2 root/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
  14    2 root/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
  15    2 root/[EMAIL PROTECTED] (ArcFour with HMAC/md5)
  16    2 root/[EMAIL PROTECTED] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
---------------------------------------------
Actually, now that I've put these two next to each other, I noticed that
the error states it can't find "host/xxx.xxx.com" while the keytab
contains "host/[EMAIL PROTECTED]".
Hmm... Now to figure out why pam/login uses a different name for keytab
host principal entries....
Thanks!!!
Corey
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss