[14590] in Kerberos

Re: openldap and w2k kdc

daemon@ATHENA.MIT.EDU (Booker C. Bense)
Mon Jun 25 13:59:52 2001

Date: Mon, 25 Jun 2001 10:57:01 -0700 (PDT)
From: "Booker C. Bense" <bbense@networking.stanford.edu>
To: Joachim Jauch <joachim.jauch@abaxx.com>
cc: <kerberos@MIT.EDU>
In-Reply-To: <3B375FFB.F7FE24D0@abaxx.com>
Message-ID: <Pine.GSO.4.33.0106251051360.8072-100000@shred.stanford.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 25 Jun 2001, Joachim Jauch wrote:

> Hello,
>
> I tried to do an LDAP query against a W2k Domain Controller
> with 'ldapsearch' from openldap2 on linux.
> This is working when using cleartext password authentication.
>
> I would like to authenticate using Kerberos 5 against the
> W2k Domain Controller.
>
>         w2k: kdc + ad + LDAP
>            |              ^
>            |              |
>        TGT | TGS          |
>            |              |
>            |              |
>         unix client: ldapsearch (openldap2)
>                         SASL -> GSSAPI -> MIT Kerberos 5
>
> With 'kinit' I received a TGT from the W2k KDC. But when starting
> 'ldapsearch' with:
>         ldapsearch -U user1@REALM.NET  -h w2khost '*' cn
> there was an error.
>
> In the W2k system event log was the following error message:
>         "The account W2KHOST$ did not have a suitable key for generating
>         a Kerberos ticket. If the encryption type is supported,
>         changing or setting the password will generate a proper key."
>
> After calling ldapsearch there was a ticket for the ldap service:
>         ldap/w2khost.realm.net@REALM.NET
>
> When querying an openldap server authentication with MIT Kerberos 5
> is working.
>
> Has anyone tried something similar or has any hints?
>

- I recall reading on the openldap developer list that there
was some bug fix required to query W2K's AD using the gssapi
method. You can search the archives of the dev list at

http://www.openldap.org/lists/


I've had pretty good luck using Netscape's 3.1 Ldap
SDK with the fixes from MS and some slight hacking on my own
to get around some local DNS issues.

- Booker C. Bense
