GSSAPI against Microsoft AD

Morten Sylvest Olsen mso at medical-insight.com
Fri Jul 11 04:41:30 EDT 2008


Yves Dorfsman wrote:
> Ken Hornstein wrote:
> 
> It mostly works:
> When I do kinit, then klist, I can see the tgt from the AD server, then 
> when I run sasl2-sample-client, it starts negotiating, then fails with 
> "authentication failure". If I run klist at this point again, I can see a 
> new ticket for the service I asked for (host, or svn).
> 
> This documentation http://svn.collab.net/repos/svn/trunk/notes/sasl.txt 
> talks about a 56-byte limitation, and I wonder if this is the problem I 
> am hitting here.

I don't think so.

> I have contacted the author of this mail: 
> http://linux.derkeiler.com/Mailing-Lists/RedHat/2005-09/0103.html
> which has all the same symptoms as I get, and he told me he still has 
> not resolved it. A lot of people are telling me that it should work in 
> theory, but I haven't got confirmation that anybody has ever got it working.
> When I run sasl2-sample-server, do I need to run saslauthd ? When I run 
> it in verbose mode, it starts but it seems that sample-server is not 
> talking to it.
> 
> Is there a way to get more details from sample-server/client ?

saslauthd should not be needed when using Kerberos/GSSAPI authentication.

(MIT) Kerberos is notoriously fickle wrt. DNS. And MS Windows 
unfortunately is very bad at setting up the correct DNS entries. Are you 
in the same DNS domain as the AD?

0) Check that your server ticket works

kinit -k host/<hostname>@REALM

Where host may be something else depending on how you created it (klist 
-k should show you the correct principal to use).

1) Check that your AD server can be resolved both forward and backward. By 
default MS does not create reverse DNS entries, for reasons unknown. 
This usually trips up Kerberos.

2) Prefer to use a krb5.conf with

  dns_lookup_realm = true
  dns_lookup_kdc = true

That should work, but you could try adding explicit entries for your 
realm like:

[domain_realm]
.fiskhest.com = FISKHEST.COM
fiskhest.com = FISKHEST.COM

Good luck!

/Morten
-- 
Morten Sylvest Olsen, System Developer
Medical Insight A/S, Krumtappen 4,3.th,2500 Valby, Denmark
Phone:+4546550444, Mobile:+4551573092,Mail: mso at medical-insight.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Some people, when confronted with a problem, think "I know, I'll use XML"
Now they have two problems.
                                    -- Usenet true-ism
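The three checks in Morten's reply (verify the keytab principal with kinit -k, make sure the AD host resolves forward and backward, and use a krb5.conf with DNS lookups plus an explicit [domain_realm] mapping) collected into one preflight script. This is an added example, not code from the original post or from Cyrus SASL; the realm FISKHEST.COM, the host names dc1/svn.fiskhest.com, the sample klist -k listing and the fake DNS tables are constructed for illustration, and the reverse-DNS check is parameterised so it can be run against those fakes offline or, with the defaults, against the system resolver.

```python
"""Preflight checks for GSSAPI against Active Directory (added example).

  0) pick the service principal out of a `klist -k` listing and build the
     `kinit -k` command that verifies the keytab against the KDC;
  1) check that the AD/KDC host resolves forward and that every address
     resolves back to the same name (the PTR records AD does not create
     by default);
  2) render a krb5.conf with dns_lookup_realm/dns_lookup_kdc and an
     explicit [domain_realm] mapping.

Realm, host names and sample data below are constructed, not real.
"""
import re
import socket
from typing import Callable, List, Optional, Tuple

# --- 0) Pick the principal from `klist -k` output -------------------------
# Constructed sample of what MIT `klist -k` prints for a keytab holding
# host/ and HTTP/ keys (duplicate lines are different enctypes).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/svn.fiskhest.com@FISKHEST.COM
   3 host/svn.fiskhest.com@FISKHEST.COM
   3 HTTP/svn.fiskhest.com@FISKHEST.COM
"""

PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)\s*$")

def keytab_principals(klist_output: str) -> List[str]:
    """Distinct service principals listed by `klist -k`, in listing order."""
    seen: List[str] = []
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group(2) not in seen:
            seen.append(m.group(2))
    return seen

def kinit_command(klist_output: str, service: str = "host") -> Optional[List[str]]:
    """`kinit -k <principal>` for the first principal of the given service
    type (host, HTTP, ...), or None if the keytab has no such key."""
    for p in keytab_principals(klist_output):
        if p.split("/", 1)[0] == service:
            return ["kinit", "-k", p]
    return None

# --- 1) Forward and reverse DNS must agree -------------------------------
Forward = Callable[[str], List[str]]            # name -> addresses
Reverse = Callable[[str], Optional[str]]        # address -> canonical name

def system_forward(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def system_reverse(addr: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_dns(fqdn: str, forward: Forward = system_forward,
              reverse: Reverse = system_reverse) -> Tuple[bool, List[str]]:
    """Return (ok, problems): fqdn must resolve, and each address must map
    back to fqdn.  MIT Kerberos (rdns = true, its default) uses the reverse
    name when canonicalising the host in the service principal it requests,
    so a missing or different PTR yields a ticket for the wrong name."""
    problems: List[str] = []
    addrs = forward(fqdn)
    if not addrs:
        return False, [f"{fqdn}: no A/AAAA record"]
    want = fqdn.lower().rstrip(".")
    for a in addrs:
        rname = reverse(a)
        if rname is None:
            problems.append(f"{a}: no PTR record (reverse lookup fails)")
        elif rname.lower().rstrip(".") != want:
            problems.append(f"{a}: PTR is {rname}, expected {fqdn}")
    return not problems, problems

# Constructed DNS tables so the check can be exercised offline.
FAKE_A = {"dc1.fiskhest.com": ["192.0.2.10"]}
FAKE_PTR = {"192.0.2.10": "DC1.fiskhest.com"}   # case differs; still a match
def fake_forward(name: str) -> List[str]: return FAKE_A.get(name, [])
def fake_reverse(addr: str) -> Optional[str]: return FAKE_PTR.get(addr)
def no_reverse(addr: str) -> Optional[str]: return None   # AD default: no PTR

# --- 2) krb5.conf with DNS lookups and explicit realm mapping ------------
def render_krb5_conf(realm: str, dns_domain: str, kdc: Optional[str] = None) -> str:
    """Minimal krb5.conf: DNS-based realm/KDC discovery plus an explicit
    [domain_realm] mapping.  With kdc set, a [realms] entry is added so the
    client no longer depends on the _kerberos SRV records."""
    lines = ["[libdefaults]", f"  default_realm = {realm}",
             "  dns_lookup_realm = true", "  dns_lookup_kdc = true", ""]
    if kdc:
        lines += ["[realms]", f"  {realm} = {{", f"    kdc = {kdc}",
                  f"    admin_server = {kdc}", "  }", ""]
    lines += ["[domain_realm]", f"  .{dns_domain} = {realm}",
              f"  {dns_domain} = {realm}", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print("0)", " ".join(kinit_command(SAMPLE_KLIST_K) or ["(no host/ key in keytab)"]))
    for rev in (fake_reverse, no_reverse):
        ok, probs = check_dns("dc1.fiskhest.com", fake_forward, rev)
        print("1)", "ok" if ok else "FAIL", probs)
    print("2)\n" + render_krb5_conf("FISKHEST.COM", "fiskhest.com", "dc1.fiskhest.com"))
```

Run it as-is to see the offline demonstration (the second DNS pass reproduces the missing-PTR case from the reply); for a real check, call check_dns with your domain controller's FQDN and the default resolvers, then run the printed kinit -k command and klist.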

