List: nssldap
Subject: RE: [nssldap] nss_ldap & heimdal kerberos
From: "Florian_Preuß" <florian-preuss () gmx ! net>
Date: 2005-02-04 12:19:54
Message-ID: 26328.1107519594 () www22 ! gmx ! net
If I understand right, css_adkadmin is similar to the provisioning shipped with
xad. But I have a problem using it.
If I try to add a computer account to AD using the following command, I get
an error, while a normal kinit works fine:

css_adkadmin -p Administrator -s kdc.test.net:88 -q "ank -k host/client.test.net"

ERROR:
LDAP bind failed: Local error (-2)
additional info: SASL(-1) : generic failure: GSSAPI Error: Miscellaneous
failure
(Cannot resolve network address for KDC in requested realm)
Failed to establish LDAP connection to server
While adding principal: : Can't connect to LDAP server (-1)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure
(Cannot resolve network address for KDC in requested realm)
My krb5.conf configuration:

[libdefaults]
        ticket_lifetime = 1d
        default_realm = 80PROZENT.NET
        default_keytab_name = FILE:/etc/krb5.keytab
        clockskew = 300
        kdc_timesync = true

[realms]
        80PROZENT.NET = {
                kdc = kdc.test.net
                admin_server = kdc.test.net
                default_domain = TEST.NET
                kpasswd_server = kdc.test.net
        }

[domain_realm]
        .test.net = TEST.NET
        test.net = TEST.NET
        .TEST.NET = TEST.NET

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
        }

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

>
> Hi Florian,
>
> > This way sounds really interesting. But if I, for example, have 5000 client
> > PCs, I have to create a keytab for each one, transfer it there, and also
> > run a cron job to keep it up to date. That raises another question:
> > how can I link a Linux client with a computer account in AD?
>
> Well, you can use KCM (which I just committed to Heimdal) to keep the
> credentials cache fresh. :-)
>
> You're correct in asserting that you need to create a keytab for each
> client.
>
> If you don't do this (and validate logon authentication by acquiring a
> ticket to the local machine and decrypting it), you're vulnerable to a
> user colluding with a rogue KDC to gain access to the local machine.
>
> A great tool for joining UNIX machines to Active Directory domains is
> ADKadmin, which you can find at:
>
> http://www.certifiedsecuritysolutions.com/downloads.html
>
> We'll be shipping something similar when we release XAD Client Edition.
>
> -- Luke
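An added check, not part of this thread and not code from css_adkadmin, XAD or Heimdal: the krb5.conf quoted above maps every test.net host to the realm TEST.NET, but the only [realms] stanza with a kdc line is 80PROZENT.NET. Without a kdc entry (and without DNS SRV records to fall back on) libkrb5 cannot locate a KDC for TEST.NET, which is the realm a SASL/GSSAPI bind to ldap/kdc.test.net would need a service ticket from. The script below parses a krb5.conf, maps hostnames to realms the way libkrb5 walks [domain_realm] (exact host, then parent domains with a leading dot, then default_realm; DNS-based lookup is not modelled), and lists every referenced realm that has no KDC configured. The posted config is embedded as constructed input with its two typos corrected; the "consistent" variant assumes the AD realm really is TEST.NET, which the post does not confirm.

```python
"""Check a krb5.conf for realms that are referenced but have no KDC configured.

Added example for the thread above; not the original poster's code and not
part of css_adkadmin, XAD or Heimdal.
"""
import re

# Constructed input: the krb5.conf quoted in the post, with the two obvious
# typos (clockew, /etc7krb5.keytab) corrected. The mismatch between
# default_realm and the [domain_realm] targets is reproduced on purpose.
POSTED_KRB5_CONF = """
[libdefaults]
        ticket_lifetime = 1d
        default_realm = 80PROZENT.NET
        default_keytab_name = FILE:/etc/krb5.keytab
        clockskew = 300
        kdc_timesync = true
[realms]
        80PROZENT.NET = {
                kdc = kdc.test.net
                admin_server = kdc.test.net
                default_domain = TEST.NET
                kpasswd_server = kdc.test.net
        }
[domain_realm]
        .test.net = TEST.NET
        test.net = TEST.NET
        .TEST.NET = TEST.NET
"""

# Assumption: the AD realm is really TEST.NET, so the realm stanza and
# default_realm are renamed to match the [domain_realm] mapping.
CONSISTENT_KRB5_CONF = POSTED_KRB5_CONF.replace("80PROZENT.NET", "TEST.NET")


def parse_krb5_conf(text):
    """Parse the INI-with-braces krb5.conf format.

    Returns {section: {key: [values]}} with brace blocks nested as dicts.
    Repeated keys (e.g. several 'kdc =' lines in one realm) accumulate.
    """
    sections = {}
    stack = []  # dicts currently being filled; last element is innermost
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # key/value before any section header: ignore
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def realm_for_host(conf, hostname):
    """Map a hostname to a realm via [domain_realm]: exact host, then each
    parent domain with a leading dot, then default_realm (no DNS lookup)."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"][0]


def has_kdc(conf, realm):
    """True if [realms] names at least one kdc for this realm."""
    return bool(conf.get("realms", {}).get(realm, {}).get("kdc"))


def realms_without_kdc(conf):
    """Every realm the config refers to (default_realm and all [domain_realm]
    targets) that has no kdc line; ticket requests for such a realm fail with
    'Cannot resolve network address for KDC in requested realm' unless DNS
    SRV records supply one."""
    referenced = set(conf["libdefaults"]["default_realm"])
    for targets in conf.get("domain_realm", {}).values():
        referenced.update(targets)
    return sorted(r for r in referenced if not has_kdc(conf, r))


def explain_service_lookup(conf, service_host):
    """Realm the client asks for when it needs a ticket for a service on
    service_host (e.g. ldap/kdc.test.net for the SASL GSSAPI bind), and
    whether a KDC is configured for it."""
    realm = realm_for_host(conf, service_host)
    return realm, has_kdc(conf, realm)


if __name__ == "__main__":
    conf = parse_krb5_conf(POSTED_KRB5_CONF)
    print("realms without a kdc:", realms_without_kdc(conf))
    print("ldap/kdc.test.net needs realm:", explain_service_lookup(conf, "kdc.test.net"))
    print("consistent config:", realms_without_kdc(parse_krb5_conf(CONSISTENT_KRB5_CONF)))
```

kinit succeeds with the posted file because it only needs the default realm, for which a KDC is configured; the LDAP bind fails because the target host maps to a different realm that has none. Run the script against a real /etc/krb5.conf by reading the file into parse_krb5_conf instead of the embedded sample.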