Re: newbie question - LDAP and Active Directory
One last question then, before taking this discussion off this list (and to where?).
What kind of realm and KDC info did you set up in your krb5.conf file for
compatibility with a Windows KDC and its ADS realm? Are the ports the same as
in the sample krb5.conf file (port 89 for KDC, port 749 for admin server)?
Sorry for all of the questions, but I'm trying to learn as much as possible.
--- "Mark H. Wood" <mwood@IUPUI.Edu> wrote:
> On Fri, 10 May 2002, Andreas Hasenack wrote:
> [quoting me on authentication via Kerberos]
> > I tried this once, but it didn't work right "out of the box" and I let it
> > go. ldapsearch was asking the w2k kdc for a ldap/hostname ticket, which
> > the w2k machine didn't have. I assumed it was due to that authorization
> > field that MS implemented and I didn't investigate it further.
> > Are you saying that this actually works?
> mhw:~$ kinit mwood@ADS.IU.EDU
> Password for mwood@ADS.IU.EDU:
> mhw:~$ ldapsearch -h ads.iu.edu -b "ou=Accounts,dc=ads,dc=iu,dc=edu" "(cn=mwood)" sn
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> version: 2
> # filter: (cn=mwood)
> # requesting: sn
> # mwood, Accounts, ads, iu, edu
> dn: CN=mwood,OU=Accounts,DC=ads,DC=iu,DC=edu
> sn: Wood
> # search result
> search: 5
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
> 'klist' shows that it picked up a ticket for ldap/dcname@REALM with no
> trouble. The NT PAC TDATA is significant only to Microsoft hosts, and
> should just ride along with the rest of the ticket.
> extensions are what TDATAs are for.
> I have this in /etc/krb5.conf :
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> and I no longer remember why. It may be needed for interworking with MS
> Mark H. Wood, Lead System Programmer
> MS Windows *is* user-friendly, but only for certain
> values of "user".
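As an added example, not from the original post and not Mark's actual configuration: a minimal MIT krb5.conf for an Active Directory realm. The realm name EXAMPLE.COM, the domain controller dc1.example.com and the DNS domain example.com are hypothetical placeholders. An AD KDC listens on port 88 (TCP and UDP) and password changes go to kpasswd on port 464; a domain controller runs no MIT kadmind, so the admin_server entry from the sample krb5.conf has nothing to talk to and is omitted here.

```ini
# Added example, not from the original post. EXAMPLE.COM, example.com and
# dc1.example.com are hypothetical placeholders for an AD forest and one DC.
[libdefaults]
    default_realm = EXAMPLE.COM
    # AD publishes _kerberos._tcp.example.com SRV records; let libkrb5 use
    # them so the [realms] entry below is only a fallback.
    dns_lookup_kdc = true
    # Do not reverse-resolve the LDAP host name before building the service
    # principal. AD registers ldap/<dc fqdn>; a PTR record pointing at a
    # different name yields a ticket request for a principal the KDC lacks.
    rdns = false

[realms]
    EXAMPLE.COM = {
        # KDC on 88, password changes on 464. No admin_server: a DC has no
        # MIT kadmind, so that line from the sample krb5.conf is not needed.
        kdc = dc1.example.com:88
        kpasswd_server = dc1.example.com:464
    }

[domain_realm]
    # Map host names to the realm so the ldap/dc1.example.com principal that
    # ldapsearch requests is issued as ldap/dc1.example.com@EXAMPLE.COM.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this in place, `kinit user@EXAMPLE.COM` followed by `ldapsearch -Y GSSAPI -H ldap://dc1.example.com -b "dc=example,dc=com" "(sAMAccountName=user)"` should negotiate SASL/GSSAPI as in Mark's transcript, and `klist` should then list a service ticket for ldap/dc1.example.com@EXAMPLE.COM next to the TGT. The des-cbc-crc enctype lines Mark mentions are deliberately not carried over: DES Kerberos enctypes have been disabled by default on domain controllers since Windows Server 2008 R2, so forcing them would make kinit fail against a current AD rather than help.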