At the moment I am working on an LDAP proof of concept. This is on OpenLDAP Version: 2.1.30-3 running on Debian unstable. Since I am unable to get at the original user passwords, I would like to compare them against our Windows infrastructure, which does have access to them. Something like:

Each LDAP record has a

    userPassword: {sasl}st81418@internal.domain.org

LDAP server -> SASL libraries -> Kerberos -> Windows 2003 servers

I am having some problems with Kerberos, using the SASL libraries to authenticate against Active Directory.

Here's what works:

kinit: reads /etc/krb5.conf fine and will get a ticket from Windows.
klist: shows the ticket.

And what fails:

    testsaslauthd -u mywindowsusername -p mypasswordhere
    0: NO "authentication failed"

When I do a tcpdump of the testsaslauthd, I receive a Kerberos error 7: KRB5KDC_ERR_S_PRINCIPLE_UNKNOWN

Do I need to set up anything on the Windows servers to be able to compare usernames and passwords against them? Here are some of the details about my config if anyone can help.
saslauthd is running with:

    /usr/sbin/saslauthd -r -a kerberos5

/usr/lib/sasl2/slapd.conf:

    pwcheck_method:saslauthd
    saslauthd_path:/var/run/saslauthd/mux

/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     ticket_lifetime = 24000
     default_realm = INTERNAL.DOMAIN.ORG
     dns_lookup_realm = false
     dns_lookup_kdc = false
     default_tkt_enctypes = des-cbc-md5
     default_tgs_enctypes = des-cbc-md5
     forwardable = true

    [realms]
     INTERNAL.DOMAIN.ORG = {
      kdc = gvw001.internal.domain.org:88
      admin_server = gvw001.internal.domain.org:749
      kpasswd_server = gvw001.internal.domain.org:464
      default_domain = internal.domain.org
      master_key_type = des3-hmac-sha1
      supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des3-hmac-sha1:norealm des3-hmac-sha1:onlyrealm
      default_principal_flags = +preauth, +tgt-based
     }

    [domain_realm]
     .domain.org = INTERNAL.DOMAIN.ORG
     .internal.domain.org = INTERNAL.DOMAIN.ORG
     .somethingelse.internal.domain.org = INTERNAL.DOMAIN.ORG

    [kdc]
     profile = /etc/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Simon.

-- 
Simon Tennant
________________
http://imaginator.com/~simon/contact
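The krb5.conf above is the piece saslauthd's kerberos5 mechanism depends on. As an added example (not part of the post or of any Cyrus SASL/MIT code), here is a small Python parser for the krb5.conf profile format with a defender's lint over it: it flags the single-DES enctypes the posted config selects (deprecated by RFC 6649; 3DES and RC4 by RFC 8429) and checks that [domain_realm] maps the LDAP host's own domain to the realm, which decides the realm in which the host's service principal is looked up. The config text and the host name ldap01.internal.domain.org are constructed for the example.

```python
# Constructed krb5.conf excerpt mirroring the one in the post (sample input, not the original file).
KRB5_CONF = """
[libdefaults]
 default_realm = INTERNAL.DOMAIN.ORG
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
 }
[domain_realm]
 .internal.domain.org = INTERNAL.DOMAIN.ORG
"""
# Single DES (RFC 6649) and 3DES/RC4 (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "rc4-hmac"}

def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value}}; one level of 'name = { ... }' nesting."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                conf[section][key], sub = {}, key
            else:
                (conf[section][sub] if sub else conf[section])[key] = value  # repeated keys: last wins
    return conf

def lint(conf, host_fqdn):
    """Return findings a defender would want before trusting this config for saslauthd."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm or "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("default_realm missing or has no kdc entry in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = WEAK_ENCTYPES & set(libdefaults.get(key, "").split())
        if weak:
            findings.append(f"{key} allows deprecated enctypes: {', '.join(sorted(weak))}")
    # krb5 maps a host to a realm by trying the FQDN, then each parent domain with a leading dot.
    parents = ["." + host_fqdn.split(".", i)[-1] for i in range(1, host_fqdn.count(".") + 1)]
    if not any(c in conf.get("domain_realm", {}) for c in [host_fqdn] + parents):
        findings.append(f"[domain_realm] has no mapping covering {host_fqdn}")
    return findings
```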