Login or Register to Ask a Question and Join Our Community


AIX

Problems with kerberos and forest domain

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems AIX Problems with kerberos and forest domain
# 1  
Old 11-13-2013
Problems with kerberos and forest domain
Hi,

I have a simple Apache setup that works fine when I create a keytab on a domain level authentication works fine. When I create a keytab at the forest level authentication does not work. I get the following error message. Does anyone know what I am doing wrong here? I validated there is the SPN is unique on the AD side.

Code:
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1707): [client x] Client didn't delegate us their credential
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1735): [client x] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

Login or Register to Ask a Question

Previous Thread | Next Thread

7 More Discussions You Might Find Interesting

1. OS X (Apple)

OSX and Kerberos

Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from: # sshd: auth account password session auth optional pam_krb5.so use_kcminit auth optional ... (0 Replies)
Discussion started by: jnojr
0 Replies

2. AIX

Problems with Kerberos and realms

I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it. AIX 7.1, and while I found various docs on the subject, a... (11 Replies)
Discussion started by: PassLine
11 Replies

3. Windows & DOS: Issues & Discussions

How to: Linux BOX in Windows Domain (w/out joining the domain)

Dear Expert, i have linux box that is running in the windows domain, BUT did not being a member of the domain. as I am not the System Administrator so I have no control on the server in the network, such as modify dns entry , add the linux box in AD and domain record and so on that relevant. ... (2 Replies)
Discussion started by: regmaster
2 Replies

4. Programming

Kerberos Authentication c/c++

I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api. Can anyone point me in the right... (0 Replies)
Discussion started by: mshindo
0 Replies

5. AIX

SSH and Kerberos

I have 2 servers (lft1 and lft3) running AIX 5.3 ML 5. Both are installed with krb5.client.rte 1.4.0.4 and openssh.base.server 4.3.0.5300. I have configured some of the users on both servers to authenticate against our Windows 2003 Active Directory. From my PC, I can use telnet to login... (1 Reply)
Discussion started by: asch337
1 Replies

6. Solaris

kerberos security

i m new 2 unix world can some body explain me abt kerberos pls explain in detail..! (2 Replies)
Discussion started by: sriram.s
2 Replies

7. Cybersecurity

Kerberos security

I have installed Kerberos security in my UNIX system but I need to disable because of an application conflict with Kerberos. So Anybody ca tell me how can I disable it? Thank you (1 Reply)
Discussion started by: dansanmex
1 Replies
Login or Register to Ask a Question

LEARN ABOUT CENTOS

ipa-getkeytab

ipa-getkeytab(1)						 IPA Manual Pages						  ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS

       ipa-getkeytab  -s  ipaserver  -p  principal-name  -k  keytab-file  [  -e encryption-types ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [
       -P|--password PASSWORD ]

DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used for services (like sshd) to perform Kerberos authentication. A keytab is a file with  one  or	more  secrets  (or
       keys) for a Kerberos principal.

       A  Kerberos  service  principal is a Kerberos identity that can be used for authentication. Service principals contain the name of the ser-
       vice, the hostname of the server, and the realm name. For example, the following is an example principal for an ldap server:

	  ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the principal name is just the service name  and  hostname  (ldap/foo.exam-
       ple.com from the example above).

       WARNING: retrieving the keytab resets the secret for the Kerberos principal.  This renders all other keytabs for that principal invalid.

       This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve
       the keytab without Kerberos credentials if the host was pre-created with a one-time password. The keytab can be retrieved by binding as the
       host and authenticating with this one-time password. The -D|--binddn and -w|--bindpw options are used for this authentication.

OPTIONS

       -s ipaserver
	      The IPA server to retrieve the keytab from (FQDN).

       -p principal-name
	      The non-realm part of the full principal name.

       -k keytab-file
	      The keytab file where to append the new key (will be created if it does not exist).

       -e encryption-types
	      The  list  of encryption types to use to generate keys.  ipa-getkeytab will use local client defaults if not provided.  Valid values
	      depend on the Kerberos library version and configuration.  Common values	are:  aes256-cts  aes128-cts  des3-hmac-sha1  arcfour-hmac
	      des-hmac-sha1 des-cbc-md5 des-cbc-crc

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
	      This  options  returns a description of the permitted encryption types, like this: Supported encryption types: AES-256 CTS mode with
	      96-bit SHA-1 HMAC AES-128 CTS mode with 96-bit SHA-1 HMAC Triple DES cbc mode with HMAC/sha1 ArcFour with HMAC/md5 DES cbc mode with
	      CRC-32 DES cbc mode with RSA-MD5 DES cbc mode with RSA-MD4

       -P, --password
	      Use this password for the key instead of one randomly generated.

       -D, --binddn
	      The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the -w option.

       -w, --bindpw
	      The LDAP password to use when not binding with Kerberos.

EXAMPLES

       Add  and  retrieve  a keytab for the NFS service principal on the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve
       just the des-cbc-crc key.

	  # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc

       Add and retrieve a keytab for the ldap service principal on the host foo.example.com and save it in the file /tmp/ldap.keytab.

	  # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve  a  keytab  using  LDAP  credentials  (this  will  typically  be  done	by  ipa-join(1)  when  enrolling  a   client   using   the
       ipa-client-install(1) command:

	  #   ipa-getkeytab   -s   ipaserver.example.com   -p	host/foo.example.com   -k   /etc/krb5.keytab   -D  fqdn=foo.example.com,cn=comput-
       ers,cn=accounts,dc=example,dc=com -w password

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab

IPA
								    Oct 10 2007 						  ipa-getkeytab(1)