
Re: Problems access MS Active Directory from OpenLDAP 2.1.2



At 08:16 AM 7/10/2002 -0700, al.lilianstrom@fnal.gov wrote:
> so you are doing the kinit against the w2k domain from a Unix system?

Yes. The kinit is successfully (I believe) receiving the ticket from the W2K system. If I start from scratch, I see a success message on the W2K server and for the following:


# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit UnixAdmin
Password for UnixAdmin@TEST1.GEORGEFOX.COM:
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting Expires Service principal
07/10/02 09:37:30 07/10/02 19:37:30 krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
Flags: IA
#


> Try the ldapsearch like this
>
> # ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn

# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM


Valid starting Expires Service principal
07/10/02 09:37:30 07/10/02 19:37:30 krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
Flags: IA
#


> With a ticket from the w2k side you should not need to do the
> interactive login.

This makes sense. I was becoming paranoid that I might have a problem since my login UID is root and not UnixAdmin. I was attempting to be explicit and eliminate any potential conflict there...


I noticed that your command is displaying "SASL SSF: 56" before "installing layers". Is this of importance? Do I need to do anything unique to the W2K server to make this work?

Thanks!

Tony

> # klist -f
> Ticket cache: /tmp/krb5cc_p31967
> Default principal: lilstrom@FERMI
>
> Valid starting     Expires            Service principal
> 07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
>         Flags: FIA
>
> # ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> dn: CN=lilstrom,DC=fermi
>
> # klist -f
> Ticket cache: /tmp/krb5cc_p31967
> Default principal: lilstrom@FERMI
>
> Valid starting     Expires            Service principal
> 07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
>         Flags: FIA
> 07/10/02 10:13:47  07/10/02 20:13:43  ldap/fermi@FERMI
>         Flags: FA
>
>         al
>
> --
>
> Al Lilianstrom
> CD/OSS/CSI
> Al.Lilianstrom@fnal.gov

******************************************************************************
* Anthony Brock                                    abrock@georgefox.edu      *
* Director of Network Services                     George Fox University     *
******************************************************************************
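As an added example, not part of either message in this thread: a small POSIX shell diagnostic that reads `klist -f` output and reports whether the credential cache holds an `ldap/<host>` service ticket for the server named in `-h`. In the exchange above, Al's cache gains an `ldap/fermi@FERMI` entry after the search succeeds, while Tony's cache still holds only the `krbtgt` after the `Local error`; whether that service ticket appears is the simplest sign of how far the GSSAPI exchange got (the `SASL SSF: 56` line Tony asks about is the security strength factor of the negotiated GSSAPI layer, and 56 corresponds to a single-DES-strength integrity/confidentiality layer). The sample klist text and the `user@EXAMPLE.COM` / `dc.example.com` names are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect 'klist -f' text and
# report whether a service ticket for the LDAP server is in the cache.
# After a successful SASL/GSSAPI bind the cache should contain an
# ldap/<host>@<REALM> ticket next to the krbtgt; if only the krbtgt is there
# after a bind failure, no service ticket was ever requested from the KDC.

# Constructed sample: cache after a successful bind (same shape as klist -f
# output; principal and host names are placeholders).
KLIST_AFTER_BIND='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
07/10/02 10:13:47  07/10/02 20:13:43  ldap/dc.example.com@EXAMPLE.COM
        Flags: FA'

# Constructed sample: cache holding only the TGT (bind failed early).
KLIST_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA'

# service_principals: print one service principal per line from klist text on
# stdin. Ticket lines are those whose 1st and 3rd fields are MM/DD/YY dates;
# the principal is the 5th field (date time date time principal).
service_principals() {
    awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ &&
         $3 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ { print $5 }'
}

# ldap_ticket_for TEXT HOST: exit 0 and print the principal if TEXT contains a
# ticket for ldap/HOST@<any realm>; exit 1 otherwise.
ldap_ticket_for() {
    printf '%s\n' "$1" | service_principals | grep "^ldap/$2@"
}

# ticket_flags TEXT PRINCIPAL: print the Flags value recorded under the ticket
# line for PRINCIPAL (e.g. "FA" for forwardable + preauthenticated).
ticket_flags() {
    printf '%s\n' "$1" | awk -v p="$2" '
        found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        $5 == p { found = 1 }'
}

# Stand-alone run: evaluate both constructed caches for host dc.example.com.
main_demo() {
    for sample in "$KLIST_AFTER_BIND" "$KLIST_TGT_ONLY"; do
        if p=$(ldap_ticket_for "$sample" dc.example.com); then
            echo "service ticket present: $p (flags: $(ticket_flags "$sample" "$p"))"
        else
            echo "no ldap/ service ticket: GSSAPI exchange did not complete"
        fi
    done
}
main_demo
```

In practice you would pipe the live cache in (`klist -f | service_principals`) right after the failing `ldapsearch`; a cache that still shows only the `krbtgt` points at the client-side GSS setup (the `Local error` path), whereas a cache that does hold the `ldap/` ticket but the bind still fails points at the later SASL negotiation with the server.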