
List:       nssldap
Subject:    RE: [nssldap] nss_ldap & heimdal kerberos
From:       "Florian_Preuß" <florian-preuss () gmx ! net>
Date:       2005-02-04 12:19:54
Message-ID: 26328.1107519594 () www22 ! gmx ! net

If I understand correctly, css_adkadmin is similar to the provisioning tool shipped with
XAD. But I have a problem using it.

If I try to add a computer account to AD using the following command, I get
an error, but a normal kinit works fine.

	css_adkadmin -p Administrator -s kdc.test.net:88 -q "ank -k host/client.test.net"

ERROR:
LDAP bind failed: Local error (-2)
	additional info: SASL(-1) : generic failure: GSSAPI Error: Miscellaneous
failure
	(Cannot resolve network address for KDC in requested realm)
Failed to establish LDAP connection to server

While adding principal: : Can't connect to LDAP server (-1)
	additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure
	(Cannot resolve network address for KDC in requested realm)

My krb5.conf configuration:
[libdefaults]
	ticket_lifetime = 1d
	default_realm = 80PROZENT.NET
	default_keytab_name = FILE:/etc/krb5.keytab
	clockskew = 300
	kdc_timesync = true

[realms]
80PROZENT.NET = {
	kdc = kdc.test.net
	admin_server = kdc.test.net
	default_domain = TEST.NET
	kpasswd_server = kdc.test.net
}

[domain_realm]
	.test.net = TEST.NET
	test.net = TEST.NET
	.TEST.NET = TEST.NET

[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
	}

[logging]
	default = SYSLOG:NOTICE:DAEMON
	kdc = FILE:/var/log/kdc.log
	kadmind = FILE:/var/log/kadmind.log

> 
> Hi Florian,
> 
> >This way sounds really interesting. But if I, for example, have 5000 client
> >PCs, I have to create a keytab for each one and transfer it, and also
> >have to run a cron job to keep it up to date. That raises another question:
> >How can I link a Linux client with a computer account in AD?
> 
> Well, you can use KCM (which I just committed to Heimdal) to keep the
> credentials cache fresh. :-)
> 
> You're correct in asserting that you need to create a keytab for each
> client.
> 
> If you don't do this (and validate logon authentication by acquiring a
> ticket to the local machine and decrypting it), you're vulnerable to a
> user colluding with a rogue KDC to gain access to the local machine.
> 
> A great tool for joining UNIX machines to Active Directory domains is
> ADKadmin, which you can find at:
> 
> 	http://www.certifiedsecuritysolutions.com/downloads.html
> 
> We'll be shipping something similar when we release XAD Client Edition.
> 
> -- Luke
> 

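The error text in the post ("Cannot resolve network address for KDC in requested realm") is worth reading against the posted krb5.conf: [domain_realm] maps test.net hosts to the realm TEST.NET, so the principal host/client.test.net is looked up in TEST.NET, while the only realm with a kdc line under [realms] is 80PROZENT.NET. The following checker is an added example, not code from the thread or from ADKadmin or Heimdal. It parses a krb5.conf, applies the [domain_realm] mapping the way the libraries do (exact host first, then the longest parent-domain entry), and lists every referenced realm that has no kdc. The "consistent" variant embedded in it is an assumption for illustration (that the realm is in fact TEST.NET and kdc.test.net is its KDC), not something the thread establishes.

```python
"""Consistency check for the realm wiring in a krb5.conf (added example).

A principal such as host/client.test.net is mapped by [domain_realm] to a
realm, and the library then looks for that realm's KDC under [realms] (or
in DNS SRV records, if enabled). A realm that is referenced but has no
kdc entry is what produces "Cannot resolve network address for KDC in
requested realm" when no SRV record rescues the lookup.
"""
import re

# Constructed sample: the three relevant sections of the krb5.conf quoted
# in the post above (other sections omitted, typos corrected).
POSTED_KRB5_CONF = """
[libdefaults]
    default_realm = 80PROZENT.NET

[realms]
80PROZENT.NET = {
    kdc = kdc.test.net
    admin_server = kdc.test.net
    default_domain = TEST.NET
}

[domain_realm]
    .test.net = TEST.NET
    test.net = TEST.NET
    .TEST.NET = TEST.NET
"""

# Constructed alternative (an assumption, not from the thread): the realm
# that [domain_realm] and default_realm name is the one whose KDC is listed.
CONSISTENT_KRB5_CONF = """
[libdefaults]
    default_realm = TEST.NET

[realms]
TEST.NET = {
    kdc = kdc.test.net
    admin_server = kdc.test.net
}

[domain_realm]
    .test.net = TEST.NET
    test.net = TEST.NET
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {tag: [values]}}.

    A 'TAG = { ... }' subsection becomes a dict inside the value list, so
    conf["realms"]["TEST.NET"] is [{"kdc": ["kdc.test.net"], ...}].
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("relation outside any section: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse: %r" % line)
        tag, value = tag.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1].setdefault(tag, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(tag, []).append(value)
    return root


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: exact hostname first, then the longest
    parent-domain entry (leading dot). None means no static mapping."""
    table = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower()
    if host in table:
        return table[host]
    matches = [k for k in table if k.startswith(".") and host.endswith(k)]
    return table[max(matches, key=len)] if matches else None


def realms_with_kdc(conf):
    """Realms for which [realms] lists at least one kdc."""
    return {realm for realm, entries in conf.get("realms", {}).items()
            for e in entries if isinstance(e, dict) and e.get("kdc")}


def missing_kdcs(conf):
    """Map every referenced realm that has no kdc to where it is referenced."""
    refs = {}
    for r in conf.get("libdefaults", {}).get("default_realm", []):
        refs.setdefault(r, []).append("libdefaults default_realm")
    for host, realms in conf.get("domain_realm", {}).items():
        refs.setdefault(realms[0], []).append("domain_realm " + host)
    have = realms_with_kdc(conf)
    return {r: why for r, why in refs.items() if r not in have}


if __name__ == "__main__":
    for name, text in (("posted", POSTED_KRB5_CONF),
                       ("consistent", CONSISTENT_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(name, "| client.test.net ->", realm_for_host(conf, "client.test.net"),
              "| realms lacking a kdc:", missing_kdcs(conf) or "none")
```

Run against the posted configuration the script reports TEST.NET as referenced (by every [domain_realm] line) but without a kdc, and reports nothing for the consistent variant. It only checks the static [realms] table; a deployment that relies on dns_lookup_kdc and _kerberos._udp SRV records can legitimately have no kdc line, so treat a hit as something to confirm with `host -t SRV _kerberos._udp.test.net` rather than as proof of a misconfiguration.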