Kerberos tickets and the SPNs



I'm setting up a Solaris 10 server as a test Samba server with AD
authentication. I'm running into a little bit of an issue with Kerberos
tickets. The setup is as follows:

Solaris 10, Windows AD 2003/R2, native Solaris (SPARC) Samba, Kerberos, LDAP
(shipped with the distro) and IMU on Windows. My LDAP client is working
well: it validates getent passwd <user>, and I can run ldaplist -l passwd
<user> and ldapsearch with no issues. My LDAP authentication is set to simple,
with proxyDnuser.



On Solaris I'm very sure I set up krb5.conf, smb.conf, pam.conf,
nsswitch.conf and ntp.conf perfectly. nsswitch is set to use 'files ldap'
for both passwd and group, and 'dns files' for hosts. On Windows the IMU
UNIX attributes are set to the correct NIS domain.



I ran net ads join to successfully join the Solaris server to the AD;
however, net ads keytab create simply returns a new line without any errors.
When I checked on Windows after the net ads join command, I saw two service
principal names (SPNs). The capitalization is intentional, as this is how they
appear when I run setspn hostname:



HOST/HOSTNAME

HOST/hostname.domain.com (FQDN)



I also set up a service account (user object) on Windows whose name is the
same as the hostname (computer object). I generated the keytab file with



ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab



I then FTP'd this file over to the Solaris host and tried to authenticate a
user login via AD. I get:



PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
database



So, just for the heck of it, I generated another krb5.keytab with the
following:



ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab



Please note the HOST in capitals. Now I get this error when testing with this
keytab:



PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found



Running PAM in debug mode didn't reveal anything specific other than the
obvious.



I have my DNS set up correctly, and nslookup for the DCs, GCs and LDAP servers
returns properly. I can forcibly add the SPNs host/hostname.domain.com
and host/hostname and try different combinations. But first I need to
understand this behavior. Anyone???
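The two errors above differ in where the lookup fails: "Server not found in Kerberos database" comes from the KDC, while "Key table entry not found" comes from the client's keytab lookup, which compares principal names case-sensitively (HOST/fqdn and host/fqdn are different keys). As an added illustration, not code from the poster or from Samba or Solaris, the following script parses an MIT-format keytab (version 0x0502, the format Solaris krb5 reads; that ktpass writes the same version is an assumption here) and reports whether the expected service principal is present exactly, present only with a case difference, or missing, and flags single-DES and RC4 entries such as the DES-CBC-MD5 key ktpass produced above. The principal, realm and key bytes in the sample are constructed; on a live host `klist -k -t /etc/krb5/krb5.keytab` lists the same entries.

```python
"""Parse an MIT-format keytab (version 0x0502) and audit its service principal entries."""
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4 are deprecated and should be retired


def _octets(s):
    """Encode a keytab counted_octet_string: big-endian uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a version-2 keytab from (principal, kvno, enctype, key_bytes) tuples (test data only)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm)
        body += b"".join(_octets(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type NT_PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype + counted key
        body += struct.pack(">I", kvno)                     # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def _read_octets(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return a list of {'principal', 'kvno', 'enctype'} for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_octets(data, p)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen                # the key material itself is never needed for the audit
        vno = vno8
        if p + 4 <= end:             # 32-bit vno is present only if the entry has room for it
            vno32 = struct.unpack_from(">I", data, p)[0]
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype})
        pos = end
    return entries


def audit_keytab(data, expected_principal):
    """Return (status, findings): status is 'match', 'case-mismatch' or 'missing'."""
    findings = []
    entries = parse_keytab(data)
    exact = [e for e in entries if e["principal"] == expected_principal]
    folded = [e for e in entries if e["principal"].lower() == expected_principal.lower()]
    if exact:
        status = "match"
    elif folded:
        status = "case-mismatch"
        findings.append("keytab holds %s but the client looks up %s; principal names are "
                        "case-sensitive, so the lookup fails with 'Key table entry not found'"
                        % (folded[0]["principal"], expected_principal))
    else:
        status = "missing"
        findings.append("no entry for %s at all" % expected_principal)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], str(e["enctype"]))))
    return status, findings


if __name__ == "__main__":
    # Constructed sample mirroring the second ktpass run above: HOST/ in capitals, DES-CBC-MD5.
    sample = build_keytab([("HOST/hostname.domain.com@EXAMPLE.COM", 3, 3, bytes(8))])
    status, findings = audit_keytab(sample, "host/hostname.domain.com@EXAMPLE.COM")
    print(status)
    for f in findings:
        print(" -", f)
```

Point the script at a real file with `audit_keytab(open(path, "rb").read(), "host/fqdn@REALM")`; a "case-mismatch" result is the keytab-side explanation for the second error, while a "missing" or "match" result means the failure lies with the KDC's view of the SPN rather than with the keytab.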