GSSAPI against Microsoft AD
Yves Dorfsman
yves at zioup.com
Fri Jul 11 11:28:49 EDT 2008
Morten Sylvest Olsen wrote:
>>
>> This documentation
>> http://svn.collab.net/repos/svn/trunk/notes/sasl.txt talks about a 56-byte
>> limitation, and I wonder if this is the problem I am hitting here.
>
> I don't think so.
Thanks, this was my biggest concern, and Dieter's message confirms that this
should not be an issue.
> saslauthd should not be needed when using Kerberos/GSSAPI authentication.
Makes sense, I wanted to confirm though.
> 0) Check that your server ticket works
>
> kinit -k host/<hostname>@REALM
Yes, I get what I expect (when compared with my working cvs and
mod_auth_kerb setup) there.
> 1) Check that your AD server can be resolved both forward and backwards. Per
> default MS does not create reverse DNS entries, for reasons unknown.
> This usually trips Kerberos.
Thanks, ran into that years ago, but forgot to verify this time.
>
> 2) Prefer to use a krb5.conf with
>
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> That should work, but you could try adding explicit entries for your
> realm like:
>
> [domain_realm]
> .fiskhest.com = FISKHEST.COM
> fiskhest.com = FISKHEST.COM
>
> Good luck!
Thanks.
--
Yves.
http://www.SollerS.ca
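As an added example (not code from the thread or from Cyrus SASL), a small Python checker for the krb5.conf settings suggested in step 2 above: it parses the top-level sections, verifies that dns_lookup_realm and dns_lookup_kdc are true, and reports which explicit [domain_realm] entries are missing. The sample krb5.conf and the fiskhest.com domain are constructed for illustration.

```python
"""Check a krb5.conf against the Kerberos/GSSAPI checklist from the thread."""

# Constructed sample config (not from the original post); deliberately
# has dns_lookup_realm off and only one of the two [domain_realm] entries.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FISKHEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    FISKHEST.COM = {
        kdc = dc1.fiskhest.com
    }

[domain_realm]
    .fiskhest.com = FISKHEST.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level keys; nested { } blocks
    (e.g. per-realm kdc lines) are skipped, since the checks only need the
    [libdefaults] and [domain_realm] sections."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current and '=' in line:
            key, value = (p.strip() for p in line.split('=', 1))
            sections[current][key] = value
    return sections


def check_config(text, host_domain):
    """Return a list of problems (empty means the checklist is satisfied)."""
    cfg = parse_krb5_conf(text)
    lib = cfg.get('libdefaults', {})
    realm = lib.get('default_realm', '')
    problems = []
    for key in ('dns_lookup_realm', 'dns_lookup_kdc'):
        if lib.get(key, '').lower() != 'true':
            problems.append(f'{key} is not true')
    domain_realm = cfg.get('domain_realm', {})
    for name in ('.' + host_domain, host_domain):   # both forms, as in the post
        if domain_realm.get(name) != realm:
            problems.append(f'[domain_realm] lacks "{name} = {realm}"')
    return problems
```

Run check_config on the real /etc/krb5.conf contents with your AD domain to get the same report for a live client.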