[14588] in Kerberos
openldap and w2k kdc
daemon@ATHENA.MIT.EDU (Joachim Jauch)
Mon Jun 25 12:15:11 2001
From: Joachim Jauch <joachim.jauch@abaxx.com>
Date: Mon, 25 Jun 2001 17:59:56 +0200
Message-ID: <3B375FFB.F7FE24D0@abaxx.com>
To: kerberos@MIT.EDU
Hello,
I tried to do an LDAP query against a W2k Domain Controller
with 'ldapsearch' from openldap2 on linux.
This is working when using cleartext password authentication.
I would like to authenticate using Kerberos 5 against the
W2k Domain Controller.
            w2k: kdc + ad + LDAP
                 |        ^
                 |        |
             TGT |    TGS |
                 |        |
                 |        |
    unix client: ldapsearch (openldap2)
         SASL -> GSSAPI -> MIT Kerberos 5
With 'kinit' I received a TGT from the W2k KDC. But when starting
'ldapsearch' with:
ldapsearch -U user1@REALM.NET -h w2khost '*' cn
there was an error.
In the W2k system event log was the following error message:
"The account W2KHOST$ did not have a suitable key for generating
a Kerberos ticket. If the encryption type is supported,
changing or setting the password will generate a proper key."
After calling ldapsearch there was a ticket for the ldap service:
ldap/w2khost.realm.net@REALM.NET
When querying an OpenLDAP server, authentication with MIT Kerberos 5
is working.
Has anyone tried something similar or has any hints?
Regards,
Joachim Jauch
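The W2K event quoted above says the W2KHOST$ account has no key for the encryption type the KDC needed for the ldap/ service ticket, so the first thing to check on the client side is which enctypes the TGT and the ldap/ ticket were actually issued with (`klist -e` in MIT Kerberos shows them). The following is an added diagnostic example, not code from the original post or from OpenLDAP/MIT; the `klist -e` output it parses is constructed, and the principal names and enctypes in it are placeholders.

```python
"""Parse `klist -e` output and report the enctype of each service ticket.

Added example, not part of the original mailing-list post. The sample
below is constructed to mimic the line layout of MIT Kerberos `klist -e`;
run the real command and feed its output to parse_klist_e() instead.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `klist -e` output. Names and enctypes are placeholders.
SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@REALM.NET

Valid starting       Expires              Service principal
06/25/2001 12:00:00  06/25/2001 22:00:00  krbtgt/REALM.NET@REALM.NET
\tEtype (skey, tkt): des-cbc-md5, des-cbc-md5
06/25/2001 12:01:00  06/25/2001 22:00:00  ldap/w2khost.realm.net@REALM.NET
\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc
06/25/2001 12:02:00  06/25/2001 22:00:00  ldap/ldaphost.realm.net@REALM.NET
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# Single-DES enctypes: obsolete (RFC 6649) and disabled by default in current MIT krb5.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}


class Ticket(NamedTuple):
    service: str
    session_etype: str   # "skey": key protecting the GSSAPI exchange with the server
    ticket_etype: str    # "tkt": key the service account (here W2KHOST$) must hold


_ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def parse_klist_e(text: str) -> List[Ticket]:
    """Return one Ticket per credential listed in `klist -e` output."""
    tickets: List[Ticket] = []
    service = None
    for line in text.splitlines():
        m = _ETYPE_RE.search(line)
        if m and service is not None:
            # Indented "Etype" line belongs to the credential line just above it.
            tickets.append(Ticket(service, m.group(1), m.group(2)))
            service = None
        elif line and not line[0].isspace():
            parts = line.split()
            # Credential lines: two timestamps followed by the service principal.
            if len(parts) >= 5 and "@" in parts[-1]:
                service = parts[-1]
    return tickets


def service_tickets(tickets: List[Ticket], prefix: str = "ldap/") -> Dict[str, Ticket]:
    """Index the tickets issued for one service type (default: ldap/) by principal."""
    return {t.service: t for t in tickets if t.service.startswith(prefix)}


def weak_enctype_findings(tickets: List[Ticket]) -> List[str]:
    """Flag tickets whose session or ticket key uses a single-DES enctype."""
    return [
        f"{t.service}: skey={t.session_etype} tkt={t.ticket_etype}"
        for t in tickets
        if t.session_etype in WEAK_ENCTYPES or t.ticket_etype in WEAK_ENCTYPES
    ]


if __name__ == "__main__":
    found = parse_klist_e(SAMPLE_KLIST_E)
    for name, t in service_tickets(found).items():
        print(f"{name}: session={t.session_etype} ticket={t.ticket_etype}")
    for finding in weak_enctype_findings(found):
        print("weak enctype:", finding)
```

The `tkt` enctype of the ldap/ ticket is the one that must match a key held by the server's computer account; if the KDC could not find such a key it logs the event quoted in the post, and the remedy it suggests (reset the account password so a key of the supported type is generated) applies on the W2K side. Comparing the `tkt` enctypes of the working OpenLDAP ticket and the failing W2K ticket shows quickly whether the two servers were issued keys of different types.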