GSSAPI against Microsoft AD
Morten Sylvest Olsen
mso at medical-insight.com
Fri Jul 11 04:41:30 EDT 2008
Yves Dorfsman wrote:
> Ken Hornstein wrote:
>
> It mostly work:
> When I do kinit, then klist, I can see the tgt from the AD server, then
> when I run sasl2-sample-client, it starts negotiating, then fails with
> "athentication failure". If I run klist at this point again, I can see a
> new ticket for the service I asked for (host, or svn).
>
> This documentation http://svn.collab.net/repos/svn/trunk/notes/sasl.txt
> talks about a 56 bytes limitation, and I wonder if this is the problem I
> am hitting here.
I don't think so.
> I have contacted the author of this mail:
> http://linux.derkeiler.com/Mailing-Lists/RedHat/2005-09/0103.html
> which has all the same symptoms as I get, and he told me he still has
> not resolve it. A lot of people are telling me that it should work in
> theory, but I haven't got confirmation that anybody got it working ever.
> When I run sasl2-sample-server, do I need to run saslauthd ? When I run
> it in verbose mode, it starts but it seems that sample-server is not
> talking to it.
>
> Is there a way to get more details from sample-server/client ?
saslauthd should not be needed when using Kerberos/GSSAPI authentication.
(MIT) Kerberos is notoriously fickle wrt. DNS. And MS Windows
unfortunately is very bad at setting up the correct DNS entries. Are you
in the same DNS domain as the AD?
0) Check that your server ticket works
kinit -k host/<hostname>@REALM
Where host may be something else depending on how you created it (klist
-k should show you the correct principal to use)
1) Check that your AD server can be resolved both forward backwards. Per
default MS does not create reverse DNS entries, for reasons unknown.
This usually trips Kerberos
2) Prefer to use a krb5.conf with
dns_lookup_realm = true
dns_lookup_kdc = true
That should work, but you could try adding explicit entries for your
realm like:
[domain_realm]
.fiskhest.com = FISKHEST.COM
fiskhest.com = FISKHEST.COM
Good luck!
/Morten
--
Morten Sylvest Olsen, System Developer
Medical Insight A/S, Krumtappen 4,3.th,2500 Valby, Denmark
Phone:+4546550444, Mobile:+4551573092,Mail: mso at medical-insight.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Some people, when confronted with a problem, think "I know, I'll use XML"
Now they have two problems.
-- Usenet true-ism
More information about the Cyrus-sasl
mailing list