Login or Register to Ask a Question and Join Our Community


AIX

Problems with kerberos and forest domain

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems AIX Problems with kerberos and forest domain
# 1  
Old 11-13-2013
Problems with kerberos and forest domain
Hi,

I have a simple Apache setup that works fine when I create a keytab on a domain level authentication works fine. When I create a keytab at the forest level authentication does not work. I get the following error message. Does anyone know what I am doing wrong here? I validated there is the SPN is unique on the AD side.

Code:
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1707): [client x] Client didn't delegate us their credential
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1735): [client x] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

Login or Register to Ask a Question

Previous Thread | Next Thread

7 More Discussions You Might Find Interesting

1. OS X (Apple)

OSX and Kerberos

Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from: # sshd: auth account password session auth optional pam_krb5.so use_kcminit auth optional ... (0 Replies)
Discussion started by: jnojr
0 Replies

2. AIX

Problems with Kerberos and realms

I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it. AIX 7.1, and while I found various docs on the subject, a... (11 Replies)
Discussion started by: PassLine
11 Replies

3. Windows & DOS: Issues & Discussions

How to: Linux BOX in Windows Domain (w/out joining the domain)

Dear Expert, i have linux box that is running in the windows domain, BUT did not being a member of the domain. as I am not the System Administrator so I have no control on the server in the network, such as modify dns entry , add the linux box in AD and domain record and so on that relevant. ... (2 Replies)
Discussion started by: regmaster
2 Replies

4. Programming

Kerberos Authentication c/c++

I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api. Can anyone point me in the right... (0 Replies)
Discussion started by: mshindo
0 Replies

5. AIX

SSH and Kerberos

I have 2 servers (lft1 and lft3) running AIX 5.3 ML 5. Both are installed with krb5.client.rte 1.4.0.4 and openssh.base.server 4.3.0.5300. I have configured some of the users on both servers to authenticate against our Windows 2003 Active Directory. From my PC, I can use telnet to login... (1 Reply)
Discussion started by: asch337
1 Replies

6. Solaris

kerberos security

i m new 2 unix world can some body explain me abt kerberos pls explain in detail..! (2 Replies)
Discussion started by: sriram.s
2 Replies

7. Cybersecurity

Kerberos security

I have installed Kerberos security in my UNIX system but I need to disable because of an application conflict with Kerberos. So Anybody ca tell me how can I disable it? Thank you (1 Reply)
Discussion started by: dansanmex
1 Replies
Login or Register to Ask a Question

LEARN ABOUT CENTOS

ipa-join

ipa-join(1)							 IPA Manual Pages						       ipa-join(1)

NAME

       ipa-join - Join a machine to an IPA realm and get a keytab for the host service principal

SYNOPSIS

       ipa-join [-d|--debug] [-q|--quiet] [-u|--unenroll] [-h|--hostname hostname] [-s|--server hostame] [-k|--keytab filename] [-w|--bindpw pass-
       word] [-b|--basedn basedn] [-?|--help] [--usage]

DESCRIPTION

       Joins a host to an IPA realm and retrieves a kerberos keytab for the host service principal, or unenrolls an  enrolled  host  from  an  IPA
       server.

       Kerberos  keytabs  are  used  for  services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or
       keys) for a kerberos principal.

       The ipa-join command will create and retrieve a service principal  for  host/foo.example.com@EXAMPLE.COM  and  place  it  by  default  into
       /etc/krb5.keytab. The location can be overridden with the -k option.

       The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the -s,--server option.

       In order to join the machine needs to be authenticated. This can happen in one of two ways:

       * Authenticate using the current kerberos principal

       * Provide a password to authenticate with

       If  a client host has already been joined to the IPA realm the ipa-join command will fail. The host will need to be removed from the server
       using `ipa host-del FQDN` in order to join the client to the realm.

       This command is normally executed by the ipa-client-install command as part of the enrollment process.

       The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the IPA server. This prepares the host to be re-enrolled.  This
       uses the host principal stored in /etc/krb5.conf to authenticate to the IPA server to perform the unenrollment.

       Please  note,  that  while  the	ipa-join  option removes the client from the domain, it does not actually uninstall the client or properly
       remove all of the IPA-related configuration. The only way to uninstall a client completely is to use  ipa-client-install  --uninstall  (see
       ipa-client-install(1)).

OPTIONS

       -h,--hostname hostname
	      The hostname of this server (FQDN). By default of nodename from uname(2) is used.

       -s,--server server
	      The  hostname  of  the  IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be sup-
	      plied.

       -k,--keytab keytab-file
	      The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab

       -w,--bindpw password
	      The password to use if not using Kerberos to authenticate. Use a password of this particular host (one time password created on  IPA
	      server)

       -b,--basedn basedn
	      The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anony-
	      mous binds are disallowed in the IPA LDAP server.

       -f,--force
	      Force enrolling the host even if host entry exists.

       -u,--unenroll
	      Unenroll this host from the IPA server. No keytab entry is removed in the process (see ipa-rmkeytab(1)).

       -q,--quiet
	      Quiet mode. Only errors are displayed.

       -d,--debug
	      Print the raw XML-RPC output in GSSAPI mode.

EXAMPLES

       Join IPA domain and retrieve a keytab with kerberos credentials.

	 # kinit admin
	 # ipa-join

       Join IPA domain and retrieve a keytab using a one-time password.

	 # ipa-join -w secret123

       Join IPA domain and save the keytab in another location.

	 # ipa-join -k /tmp/host.keytab

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab

       13 Host is already enrolled

       14 LDAP failure

       15 Incorrect bulk password

       16 Host name must be fully-qualified

       17 XML-RPC fault

       18 Principal not found in host entry

       19 Unable to generate Kerberos credentials cache

       20 Unenrollment result not in XML-RPC response

       21 Failed to get default Kerberos realm

SEE ALSO

       ipa-rmkeytab(1) ipa-client-install(1)

IPA
								    Oct 8 2009							       ipa-join(1)