ldapsearch fail after realm trust exchange from OpenLDAP to A.D on Win 2003 SP2
Hi everybody.
I'm trying to establish a trust mechanism between openLDAP (v2.3 on Debian
Etch Stable) and A.D ( Win.2003 SP2 ) for a referral to work.
I'll provide some useful information to better understand the
situation/problem.
- Heimdal Kerberos 0.7.2.dfsg.1-10 is working and storing its database in
OpenLDAP.
- The REALM names are: OPENLDAP.SC for the heimdal realm, and ADSC.SC for
the AD realm.
- My heimdal /etc/krb5.conf configuration file is the following:
--[/etc/krb5.conf]--
[libdefaults]
    default_realm = OPENLDAP.SC
    ticket_lifetime = 600
    # Tweaks for realm trust with Windows
    #default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    #default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    #default_etypes = des-cbc-crc
    #default_etypes_des = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    #default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
    #default_etypes_des = des-cbc-crc
    default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
    OPENLDAP.SC = {
        kdc = kerberos.openldap.sc:88
        admin_server = kerberos.openldap.sc:749
    }
    ADSC.COM = {
        kdc = adldap.adsc.com
        admin_server = adldap.adsc.com
    }
[domain_realm]
    .example.local = OPENLDAP.SC
    example.local = OPENLDAP.SC
    adsc.com = ADSC.COM
    .adsc.com = ADSC.COM
[kadmin]
    default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
[kdc]
    database = {
        realm = OPENLDAP.SC
        dbname = ldap:ou=kerberos,dc=siscat,dc=com
        mkey_file = /var/lib/heimdal-kdc/m-key
    }
[logging]
    kdc = SYSLOG
    admin_server = SYSLOG
    default = SYSLOG
- OpenLDAP is working fine against heimdal via GSSAPI. My configuration is
this (I've truncated relevant information, I think)
export KRB5_KTNAME="FILE:/etc/ldap/openldap.keytab"
--[/etc/ldap/slapd.conf]--
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/hdb.schema
## SASL BY COA
sasl_host kerberos.openldap.sc
sasl_realm OPENLDAP.SC
# Clear text password, as we will be using {SASL}principal@REALM
#password-hash {CLEARTEXT}
referral ldap://adldap.adsc.com
So, I get the ticket from the OPENLDAP.SC realm, check it and run a query
against OpenLDAP:
doldap@root # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: usuprueba@OPENLDAP.SC
Issued Expires Principal
Aug 3 15:29:19 Aug 3 16:29:19 krbtgt/OPENLDAP.SC@OPENLDAP.SC
doldap@root # ldapsearch -H ldap://kerberos.openldap.sc -b
"cn=admin,dc=siscat,dc=com" -LLL
SASL/GSSAPI authentication started
SASL username: usuprueba@OPENLDAP.SC
SASL SSF: 56
SASL installing layers
dn: cn=admin,dc=siscat,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: XXXXXXXXXXXXXXXXX
Up to now everything works fine. If I query against the referral to chase it
(ou=prueba), I see the inter-realm key exchanged:
doldap@root # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: usuprueba@OPENLDAP.SC
Issued Expires Principal
Aug 3 16:48:08 Aug 3 17:48:08 krbtgt/OPENLDAP.SC@OPENLDAP.SC
Aug 3 16:48:18 Aug 3 17:48:08 ldap/kerberos.openldap.sc@OPENLDAP.SC
Aug 3 16:50:48 Aug 3 17:48:08 krbtgt/ADSC.COM@OPENLDAP.SC <-- this one
Aug 3 16:50:38 Aug 3 17:48:08 ldap/adldap.adsc.com@ADSC.COM
The information/error I get is the following.
(I think it's important to say that I've already fixed the "encryption type not
supported" issue.)
SASL/GSSAPI authentication started
SASL username: usuprueba@OPENLDAP.SC
SASL SSF: 56
SASL installing layers
Operations error (1)
Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece
Any idea?
A netdom.exe parameter to tuning on the WIN side?
Something wrong in my configuration?
Something?
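The error above says the referred connection never completed a bind, so it is worth separating the Kerberos side from the LDAP side before touching the configuration. The following script is an added example (not from the poster or from OpenLDAP/Heimdal) that parses the klist listing shown in the post and checks that the full cross-realm ticket chain for the AD LDAP service is present: local TGT, cross-realm TGT, and the service ticket. The sample listing is constructed from the post; the function and principal names are assumptions for illustration.

```python
import re

# Constructed sample: the Heimdal klist listing from the post, after chasing the referral.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: usuprueba@OPENLDAP.SC

  Issued           Expires          Principal
Aug  3 16:48:08  Aug  3 17:48:08  krbtgt/OPENLDAP.SC@OPENLDAP.SC
Aug  3 16:48:18  Aug  3 17:48:08  ldap/kerberos.openldap.sc@OPENLDAP.SC
Aug  3 16:50:48  Aug  3 17:48:08  krbtgt/ADSC.COM@OPENLDAP.SC
Aug  3 16:50:38  Aug  3 17:48:08  ldap/adldap.adsc.com@ADSC.COM
"""

# Matches "Mon dd hh:mm:ss  Mon dd hh:mm:ss  principal" ticket rows; the header row does not match.
TICKET_ROW = re.compile(r"\w{3}\s+\d+\s+[\d:]+\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s*$")


def parse_klist(text):
    """Return (client principal, set of ticket principals) from a Heimdal klist listing."""
    client = None
    tickets = set()
    for line in text.splitlines():
        m = re.match(r"\s*Principal:\s*(\S+)", line)
        if m:
            client = m.group(1)
            continue
        m = TICKET_ROW.match(line)
        if m:
            tickets.add(m.group(1))
    return client, tickets


def cross_realm_chain(client, tickets, service):
    """List the tickets needed to reach `service` ('svc/host@REALM') from the client's realm.

    Returns [(principal, present)] in the order the KDC exchange produces them:
    local TGT, then (for a foreign realm) the cross-realm TGT krbtgt/SVCREALM@LOCAL,
    then the service ticket itself. A False entry shows where the trust path broke.
    """
    local_realm = client.rsplit("@", 1)[1]
    svc_realm = service.rsplit("@", 1)[1]
    needed = [f"krbtgt/{local_realm}@{local_realm}"]
    if svc_realm != local_realm:
        needed.append(f"krbtgt/{svc_realm}@{local_realm}")
    needed.append(service)
    return [(p, p in tickets) for p in needed]


if __name__ == "__main__":
    client, tickets = parse_klist(SAMPLE_KLIST)
    for principal, ok in cross_realm_chain(client, tickets, "ldap/adldap.adsc.com@ADSC.COM"):
        print(("OK     " if ok else "MISSING"), principal)
```

If every entry is present, as it is for the listing in the post, the Kerberos trust itself worked and the remaining problem is that the referred LDAP connection was not bound with those credentials.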