I'm trying to set up Kerberos auth over SASL using OpenLDAP. As I understand it, I need a host keytab in /etc/krb5.keytab from the KDC I'm using and then in the given user's LDAP password attribute.

Switching users from root > nobody > user101 (with password) appears to work with a Linux KDC. Testing SASL via testsaslauthd is also successful for user101 using the Linux KDC.

As soon as I switch keytab and server over to the production KDC however (2012 Server AD.MYCORP.COM below), I get "Server not found in Kerberos database" in the auth log.

Some searching turns up possible rDNS issues as the culprit. I've added rdns = false in my nf and a few other settings trying to pin this down with no luck. I can get a forward DNS reply for AD.MYCORP.COM but the reverse does come back with a different hostname.

The Windows admin sent me this error log with the closest timestamp matching the error in the Linux auth log. It seems to suggest an encryption algorithm issue, and not DNS. He is in the process of resetting the password on the service account but I haven't heard back from him yet:

    While processing a TGS request for the target server host/, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The accounts available etypes were 23 -133 -128 18 17. Changing or resetting the password of SVC-KEYTAB-MYNET2 will generate a proper key.

Is DNS most likely the problem? Any further way to debug on the Linux end? Config and logs using the Windows KDC and keytab are below.

    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md

Kinit with keytab and host principal works:

    # kinit -k

The cache looks ok:

    # klist
    Default principal:
    starting  Expires  Service principal

Test user auth:

    # read -s PASS
    # testsaslauthd -u user101 -p $PASS -s ldap
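One way to take the "debug on the Linux end" question further, as an added example that is not part of the post above: read /etc/krb5.keytab offline and check each entry's enctype and kvno against what the KDC log says the service account actually holds. The Windows log quoted in the post lists the account's etypes as 23 -133 -128 18 17; any keytab entry with a different enctype can never be matched by that KDC. The keytab bytes below are constructed in the script itself (the hostname ldap01.mynet.example, the kvnos and the key material are all made up for the example), so it runs without a real keytab; on a real system `klist -kte /etc/krb5.keytab` shows the same principal/kvno/enctype fields.

```python
"""Added example (not from the post above): parse an MIT-format keytab
offline and flag entries whose enctype the AD service account cannot serve.
The keytab, hostname, kvnos and keys below are constructed; the account
etype list is the one quoted from the Windows KDC log in the post."""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers -> names (RFC 3961/3962/6803 and MIT's arcfour id)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}

# "The accounts available etypes were 23 -133 -128 18 17" (Windows log in the post)
AD_ACCOUNT_ETYPES = {23, -133, -128, 18, 17}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes

    def describe(self) -> str:
        name = ENCTYPE_NAMES.get(self.enctype, "unknown")
        return f"{self.principal} kvno={self.kvno} etype={self.enctype} ({name})"


def _counted(b: bytes) -> bytes:
    """uint16 length prefix + bytes, as used for realm and name components."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples as a v0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type=1 (NT-PRINCIPAL), timestamp=0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Parse a v0x0502 keytab; negative-size slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        p = off

        def take() -> bytes:
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2
            s = data[p:p + n]
            p += n
            return s

        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        kvno = vno8
        if end - p >= 4:             # MIT: prefer the 32-bit vno when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
        off = end
    return entries


def unusable_entries(entries, account_etypes=AD_ACCOUNT_ETYPES):
    """Entries the KDC can never match: their enctype is not on the account."""
    return [e for e in entries if e.enctype not in account_etypes]


# Constructed keytab: AES keys the account can serve, plus a stale DES entry.
SAMPLE_KEYTAB = build_keytab([
    ("host/ldap01.mynet.example@AD.MYCORP.COM", 3, 18, bytes(range(32))),
    ("host/ldap01.mynet.example@AD.MYCORP.COM", 3, 17, bytes(range(16))),
    ("host/ldap01.mynet.example@AD.MYCORP.COM", 2, 1, bytes(range(8))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "" if e.enctype in AD_ACCOUNT_ETYPES else "  <- no matching key on account"
        print(e.describe() + flag)
```

Enctype is only half of the match: the kvno in the keytab must equal the account's current kvno, and a password reset on the AD side (what the Windows log recommends) bumps it, so the keytab has to be regenerated after the reset rather than reused. `kvno host/<fqdn>` against the AD KDC shows the version the KDC is currently issuing for, which can be compared with the kvno column here.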