Active Directory and Kerberos authentication - Help?! (fwd)

Craig White craigwhite at azapple.com
Wed Feb 15 18:12:11 MST 2006


That pretty much settles the time issue for now...

Try another user/password combo just in case...

You can click the link to get more information about that error which
sends the error code through to get you any specific information that
Microsoft has in its error database.

Craig

On Wed, 2006-02-15 at 18:05 -0700, Bryan.ONeal at asu.edu wrote:
> Windows server gives Event ID 537
> Logon Failure
> 	Reason:    	An error occurred during logon
> 	User Name: 
> 	Domain:
> 	Logon Type:	3 
> 	Logon Process:	Authz
> 	Authentication Package:	Kerberos
> 	Workstation Name: (Windows Server Name)
> 	Status Code:	0xC000005E
> 	Substatus Code:	0x0
> 	Caller User Name: (Windows Server Name)$
> 	Caller Domain:	CORNERSTONE
> 	Caller Login ID:(0x0.0x3E7)
> 	Caller Process ID:1260
> 	Transited Services:	-
> 	Source Network Address: -
> 	Source Port:	-
> 
> Sadly this is Greek to me.
>   
> On Wed, 15 Feb 2006, Craig White wrote:
> 
> > It had to be dns that was your issue. That or clocks...kerberos is very
> > time sensitive and if the clocks are too far out of sync...it will never
> > work.
> > 
> > I would check the authentication logs on the Windows server as that
> > might give clues to the problems - I don't have much experience with AD
> > driven domains.
> > 
> > Craig
> > 
> > On Wed, 2006-02-15 at 17:14 -0700, Bryan.ONeal at asu.edu wrote:
> > > My boxes are sitting on an isolated network (192.168.2.x) they talk to each
> > > other through a cheap Belkin router.  The windows server is the DNS server,
> > > but your assumption is correct. cornerstone.local is unreachable.  I find this
> > > odd as the YaST DNS and Host Name app lists the Win server as the only
> > > DNS.  The Linux box can see the rest of the world just fine, and the windows
> > > box does contain explicit lookups for itself.
> > > 
> > > But I just wrote it into the host file and moved on...  Weird nonetheless
> > > though
> > > 
> > > However, I now get the response of Password Incorrect.  Any other thoughts?
> > > 
> > > 
> > > On Wed, 15 Feb 2006, Craig White wrote:
> > > 
> > > > On Wed, 2006-02-15 at 13:33 -0700, Bryan.ONeal at asu.edu wrote:
> > > > > Ok so I purchased a new server with SuSE EL9 and I am trying to get it to act
> > > > > as a samba server in my AD.  And while I can get it to join the domain just
> > > > > fine and serve up shares with no problem, I still need to get the whole SSI
> > > > > thing to work (Single Sign In) 
> > > > > 
> > > > > First thing I need to do is get my Kerberos to work.  I can tell it is not
> > > > > because when I try 
> > > > > # kinit user@domain.local
> > > > > I get
> > > > > kinit: krb5_get_init_creds: unable to reach any KDC in realm cornerstone.local
> > > > > 
> > > > > In the Kerberos client set up (using YaST) my domain is CORNERSTONE and my
> > > > > realm is CORNERSTONE.LOCAL and the KDC server address is the IP of the Win2003
> > > > > SB Server.
> > > > > 
> > > > > And that just about puts me at the edge of my krb experience since prior to
> > > > > this it has always "Just Worked".  But then again I never tried putting a
> > > > > windows box in the krb mix.
> > > > > 
> > > > > Any thoughts?
> > > > > 
> > > > > And getting rid of windows is not a viable option ;)
> > > > ----
> > > > It's always a viable option, it may not be an option because someone has
> > > > ruled it out.
> > > > 
> > > > are you using the same dns servers that the rest of the network is
> > > > using? I don't think you will be able to get cornerstone.local to
> > > > resolve can you?
> > > > 
> > > > # host cornerstone.local
> > > > # host cornerstone.com
> > > > # host kerberos.cornerstone.com
> > > > 
> > > > do any of these resolve?
> > > > 
> > > > I presume that you are also using...
> > > > 
> > > > kinit user@CORNERSTONE.LOCAL
> > > > or
> > > > kinit user@CORNERSTONE.COM
> > > > 
> > > > or whatever is currently defined by your local dns
> > > > 
> > > > Craig
> > > > 
> > > > ---------------------------------------------------
> > > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change  you mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > 
> > > 
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change  you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change  you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > 
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
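The Event ID 537 record quoted in this message can be decoded mechanically. The following is an added example, not part of the original thread: it parses the fields as posted (mail quote markers included) and maps the status code to its NTSTATUS name. The placeholder server name SERVER01 and the function names are assumptions made for the example.

```python
import re

# Constructed sample: the Event ID 537 fields as posted in the thread, with
# the redacted server name replaced by the placeholder SERVER01.
SAMPLE_EVENT = """\
> Logon Failure
>     Reason:        An error occurred during logon
>     User Name:
>     Logon Type:    3
>     Authentication Package: Kerberos
>     Status Code:   0xC000005E
>     Substatus Code: 0x0
>     Caller User Name: SERVER01$
>     Caller Login ID:(0x0.0x3E7)
"""

# NTSTATUS values that commonly appear in logon-failure events (ntstatus.h).
NTSTATUS = {
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "no logon server was available"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "account name does not exist"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "password is wrong"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "unknown user name or bad password"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account is disabled"),
    0xC0000133: ("STATUS_TIME_DIFFERENCE_AT_DC", "client and DC clocks differ"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account is locked out"),
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

def parse_event(text):
    """Return {field: value} from 'Field: value' lines, ignoring '>' quoting."""
    fields = {}
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).strip()
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Reduce the raw fields to the facts needed to pick the next check."""
    status = int(fields.get("Status Code") or "0", 16)
    name, hint = NTSTATUS.get(status, ("UNKNOWN", "look the code up in ntstatus.h"))
    luid = re.search(r"0x([0-9A-Fa-f]+)\)?$", fields.get("Caller Login ID", ""))
    return {
        "status_name": name, "hint": hint,
        "logon_type": LOGON_TYPES.get(int(fields.get("Logon Type") or 0), "Unknown"),
        # Logon session 0x3E7 is the LocalSystem session.
        "caller_is_system": bool(luid) and int(luid.group(1), 16) == 0x3E7,
        "clock_skew": status == 0xC0000133,
    }
```

Calling `triage(parse_event(SAMPLE_EVENT))` reports a network logon that failed with STATUS_NO_LOGON_SERVERS, requested from the LocalSystem session, and not the clock-skew status.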


