[14603] in Kerberos
Re: openldap and w2k kdc
daemon@ATHENA.MIT.EDU (Joachim Jauch)
Wed Jun 27 11:01:13 2001
From: Joachim Jauch <joachim.jauch@abaxx.com>
Date: Wed, 27 Jun 2001 16:54:08 +0200
Message-ID: <3B39F390.AFE6EC25@abaxx.com>
To: kerberos@MIT.EDU
"Booker C. Bense" wrote:
>
> On Mon, 25 Jun 2001, Joachim Jauch wrote:
>
> > Hello,
> >
> > I tried to do an LDAP query against a W2k Domain Controller
> > with 'ldapsearch' from openldap2 on linux.
> > This is working when using cleartext password authentication.
> >
> > I would like to authenticate using Kerberos 5 against the
> > W2k Domain Controller.
> >
> > w2k: kdc + ad + LDAP
> >          |           ^
> >          |           |
> >     TGT  |      TGS  |
> >          |           |
> >          |           |
> > unix client: ldapsearch (openldap2)
> > SASL -> GSSAPI -> MIT Kerberos 5
> >
> > With 'kinit' I received a TGT from the W2k KDC. But when starting
> > 'ldapsearch' with:
> > ldapsearch -U user1@REALM.NET -h w2khost '*' cn
> > there was an error.
> >
> > In the W2k system event log was the following error message:
> > "The account W2KHOST$ did not have a suitable key for generating
> > a Kerberos ticket. If the encryption type is supported,
> > changing or setting the password will generate a proper key."
> >
> > After calling ldapsearch there was a ticket for the ldap service:
> > ldap/w2khost.realm.net@REALM.NET
> >
> > When querying an openldap server authentication with MIT Kerberos 5
> > is working.
> >
> > Has anyone tried something similar or has any hints?
> >
>
> - I recall reading on the openldap developer list that there
> was some bug fix required to query W2K's AD using the gssapi
> method. You can search the archives of the dev list at
>
> http://www.openldap.org/lists/
>
> I've had pretty good luck using Netscape's 3.1 Ldap
> SDK with the fixes from MS and some slight hacking on my own
> to get around some local DNS issues.
>
> - Booker C. Bense
You were right. Thank you. I had used openldap-2.0.7 and now
have upgraded to openldap-2.0.11 and it works now for queries with small
results. It was fixed in 2.0.8 (ldap SASL GSSAPI interop bug (ITS#884)).
The following probably is not appropriate for this newsgroup but only
happens when using GSSAPI:
When doing a query with ldapsearch which results in a big answer (e.g. '*') I get an error:
sb_sasl_pkt_length: received illegal packet length of 111264 bytes
sb_sasl_read: failed to decode packet: generic failure
This behaviour was also reported in the openldap list and according to the postings it is an error in the AD implementation. (Installing W2k SP2 was no solution.)
Have you had this problem with Netscape's 3.1 LDAP SDK?
Regards,
Joachim Jauch
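The `sb_sasl_pkt_length: received illegal packet length` error above comes from the client-side check on the SASL security layer framing: once GSSAPI has negotiated integrity/privacy protection, every LDAP message on the wire is wrapped as a 4-byte big-endian length followed by that many bytes of wrapped token, and the receiver refuses any frame longer than the buffer size negotiated during the bind. The following is an added illustration written for this archive page, not code from OpenLDAP, Cyrus SASL or the thread's authors. The 4-byte length prefix follows the SASL security-layer definition; the 65536-byte default limit is an assumption chosen to match common client defaults, and the sample streams are constructed here.

```python
import struct

# Assumed negotiated maximum security-layer buffer (many clients default to
# 64 KiB; the real value comes from the SASL bind negotiation).
DEFAULT_MAXBUF = 65536


class IllegalPacketLength(ValueError):
    """Raised when a frame announces more bytes than the negotiated limit."""


def parse_sasl_frames(stream: bytes, maxbuf: int = DEFAULT_MAXBUF) -> list:
    """Split a SASL security-layer byte stream into its wrapped packets.

    Each packet is a 4-byte network-order length followed by that many bytes.
    The length is validated against the negotiated maximum *before* any
    buffer is allocated or any unwrap is attempted, so an oversized frame
    (such as the 111264-byte one reported in the thread) is rejected early
    instead of being trusted to size an allocation.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        if length == 0 or length > maxbuf:
            raise IllegalPacketLength(
                f"received illegal packet length of {length} bytes"
            )
        pos += 4
        if len(stream) - pos < length:
            raise ValueError("truncated packet body")
        frames.append(stream[pos:pos + length])
        pos += length
    return frames


def frame(payload: bytes) -> bytes:
    """Wrap one payload in the 4-byte length prefix used by the security layer."""
    return struct.pack(">I", len(payload)) + payload


# Constructed sample: two small frames, the kind a small result set produces.
SAMPLE_OK = frame(b"small search result 1") + frame(b"small search result 2")

# Constructed sample: one frame announcing 111264 bytes, mirroring the size
# from the error message in the thread (the body here is just filler).
SAMPLE_BIG = struct.pack(">I", 111264) + b"\x00" * 111264


def classify(stream: bytes, maxbuf: int = DEFAULT_MAXBUF) -> tuple:
    """Return ("ok", frame_count) or ("illegal", message) for a stream."""
    try:
        return ("ok", len(parse_sasl_frames(stream, maxbuf)))
    except IllegalPacketLength as exc:
        return ("illegal", str(exc))


if __name__ == "__main__":
    print(classify(SAMPLE_OK))
    print(classify(SAMPLE_BIG))
    # With a larger negotiated buffer the same frame would be accepted,
    # which is why the server and client must agree on the limit.
    print(classify(SAMPLE_BIG, maxbuf=131072))
```

Run as is, the first stream parses into two frames, the second is rejected with the same wording as the thread's error, and the third call shows that the very same bytes are acceptable once the receiver's negotiated limit exceeds the announced length. The practical lesson for a defender is the one the check embodies: a length field from the peer is untrusted input, and bounding it by the negotiated buffer size before allocating is what keeps a misbehaving or malicious server from driving the client's memory use.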