
RE: OpenLDAP+kerboros -> win2k AD



Are you receiving a Kerberos ticket from the 2000 KDC?  If not, have you
set up a user mapping in the Active Directory and added the key to the Linux
keytab file?

In order for you to receive a ticket from the AD, there has to be a service
mapping in the AD.  Here's how to do it:

- Create a user in the AD Users and Computers tool for the mapping
- On a 2000 DC open a command prompt and run the following command:

C:\>ktpass -princ host/[YOUR_LINUX_HOSTNAME]@[NT-DNS-REALM-NAME] -mapuser NTACCOUNTHERE -pass PASSWORDFORNTACCT -crypto des-cbc-crc -out unixmachine.keytab

- Transfer the keytab to the Linux box and add it to your keytab (usually
/etc/krb5.keytab).  Add it with ktutil.  Should work as below:

[root@yourbox ~]# ktutil
ktutil:  rkt KEYTAB_CREATED_ABOVE
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/YOURBOX.YOURDOMAIN.ORG@YOURDOMAIN.ORG
ktutil:  wkt /etc/krb5.keytab
ktutil:  q

- Edit your krb5.conf file to point to the 2000 KDC and make sure you have
the following under the [libdefaults] section:

 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

That should be all you need to obtain Kerberos tickets from the 2000 KDC.  I
also make sure that I have the same username in Linux as in the Active
Directory.  Test your setup by using kinit on the Linux box.  If kinit
doesn't give you any errors, check your ticket cache with klist.

The above steps will obtain a ticket for you (info gathered from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/kerbstep.asp?frame=true).  However, I've
never tried to use it with ldapsearch.  It should work though (should is the
operative word :) ).

Hope this helps.

Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg@shermanfinancialgroup.com
Phone: 513.677.7809
Fax:   513.677.7838
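As an added example (not from this thread), a small Python parser for the MIT v2 keytab file that ktpass writes and ktutil reads, so the transferred keytab can be checked before it is merged into /etc/krb5.keytab: it lists slot, KVNO and principal the way `ktutil: list` does, adds the enctype, and confirms the host/ principal is the one the AD service mapping must match. The keytab bytes, key material, hostname and realm are constructed placeholders taken from the steps above.

```python
import struct

# Enctype numbers from RFC 3961 for the types named in the krb5.conf above.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}

def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("ascii"), pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (magic 0x0502) into one dict per slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos, slot = [], 2, 0
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        # name_type, timestamp, 8-bit vno, enctype, key length, then the key
        _nt, _ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit vno, used when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        slot += 1
        entries.append({"slot": slot, "kvno": kvno,
                        "principal": "/".join(comps) + "@" + realm,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype))})
        pos = end
    return entries

def build_keytab_entry(principal, kvno, enctype, key):
    """Constructed sample entry in the same layout ktpass emits (hypothetical key)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "host/YOURBOX.YOURDOMAIN.ORG@YOURDOMAIN.ORG", 1, 1, b"\x01" * 8)

def check_host_principal(data, hostname, realm):
    """Return the slots holding host/<hostname>@<realm>, the name the KDC mapping must match."""
    want = f"host/{hostname}@{realm}"
    return [e for e in parse_keytab(data) if e["principal"] == want]
```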


-----Original Message-----
From: Pontus Fred [mailto:pfred@cc.hut.fi]
Sent: Tuesday, August 21, 2001 8:57 AM
To: openldap-software@OpenLDAP.com
Subject: OpenLDAP+kerboros -> win2k AD


I'm having troubles with setting up a Linux RedHat 7.1 machine as an
ldap-client using ldapsearch with kerberos authentication for accessing
win2k Active Directory.

I've tried to search the archives for a solution for my problem but I
haven't found one. I only know that it should be possible (at least
according to http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/14603).

I'm using MIT Kerberos V which ought to be set up right while kinit gets a
ticket from the Windows KDC.

Trying to use ldapsearch -k gives this error message:
ldap_bind: Not Supported

The man pages only say that OpenLDAP needs to be compiled with kerberos
support for the -k option to work, but not how it should be done. I've
compiled with --with-kerberos but it doesn't help. I can't really see that
it should be the win2k AD that doesn't support kerberos.

I have a feeling this shouldn't be this hard. Have I just not been able to
find the right docs?

Regards,

Pontus Fred