Active Directory and Kerberos authentication - Help?! (fwd)
Bryan.ONeal at asu.edu
Wed Feb 15 18:37:57 MST 2006
It gives me the standard "Sorry...." However it did have something useful
in the knowledge base regarding non admins trying to log into the server
console. I changed the test user to be an admin, and now I get a successful
request. But still get the password incorrect error on the Linux side.
From what I can tell from the Windows side, the login is requested, a
successful login is granted, special permissions are set, then they log
off. This all happens over the course of a few seconds however the Linux box
barks the rejection right away.
On Wed, 15 Feb 2006, Craig White wrote:
> That pretty much settles the time issue for now...
>
> try another user/password combo just in case...
>
> You can click the link to get more information about that error which
> sends the error code through to get you any specific information that
> Microsoft has in its error database.
>
> Craig
>
> On Wed, 2006-02-15 at 18:05 -0700, Bryan.ONeal at asu.edu wrote:
> > Windows server gives Event ID 537
> > Logon Failure
> > Reason: An error occurred during logon
> > User Name:
> > Domain:
> > Logon Type: 3
> > Logon Process: Authz
> > Authentication Package: Kerberos
> > Workstation Name: (Windows Server Name)
> > Status Code: 0xC000005E
> > Substatus Code: 0x0
> > Caller User Name: (Windows Server Name)$
> > Caller Domain: CORNERSTONE
> > Caller Login ID:(0x0.0x3E7)
> > Caller Process ID:1260
> > Transited Services: -
> > Source Network Address: -
> > Source Port: -
> >
> > Sadly this is greek to me.
> >
> > On Wed, 15 Feb 2006, Craig White wrote:
> >
> > > It had to be dns that was your issue. That or clocks...kerberos is very
> > > time sensitive and if the clocks are too far out of sync...it will never
> > > work.
> > >
> > > I would check the authentication logs on the Windows server as that
> > > might give clues to the problems - I don't have much experience with AD
> > > driven domains.
> > >
> > > Craig
> > >
> > > On Wed, 2006-02-15 at 17:14 -0700, Bryan.ONeal at asu.edu wrote:
> > > > My boxes are sitting on an isolated network (192.168.2.x) they talk to each
> > > > other through a cheap Belkin router. The windows server is the DNS server,
> > > > but your assumption is correct. cornerstone.local is unreachable. I find this
> > > > odd as the YaST DNS and Host Name app lists the Win server as the only
> > > > DNS. The Linux box can see the rest of the world just fine, and the windows
> > > > box does contain explicit lookups for itself.
> > > >
> > > > But I just wrote it into the host file and moved on... Weird none the less
> > > > though
> > > >
> > > > However, I now get the response of Password Incorrect. Any other thoughts?
> > > >
> > > >
> > > > On Wed, 15 Feb 2006, Craig White wrote:
> > > >
> > > > > On Wed, 2006-02-15 at 13:33 -0700, Bryan.ONeal at asu.edu wrote:
> > > > > > Ok so I purchased a new server with SuSE EL9 and I am trying to get it to act
> > > > > > as a samba server in my AD. And while I can get it to join the domain just
> > > > > > > fine and serve up shares with no problem, I still need to get the whole SSI
> > > > > > thing to work (Single Sign In)
> > > > > >
> > > > > > First thing I need to do is get my Kerberos to work. I can tell it is not
> > > > > > because when I try
> > > > > > > # kinit user@domain.local
> > > > > > I get
> > > > > > kinit: krb5_get_init_creds: unable to reach any KDC in realm cornerstone.local
> > > > > >
> > > > > > In the Kerberos client set up (using YaST) my domain is CORNERSTONE and my
> > > > > > realm is CORNERSTONE.LOCAL and the KDC server address is the IP of the Win2003
> > > > > > SB Server.
> > > > > >
> > > > > > And that just about puts me at the edge of my krb experience since prior to
> > > > > > this it has always "Just Worked". But then again I never tried putting a
> > > > > > windows box in the krb mix.
> > > > > >
> > > > > > > Any thoughts?
> > > > > >
> > > > > > And getting rid of windows is not a viable option ;)
> > > > > ----
> > > > > It's always a viable option, it may not be an option because someone has
> > > > > ruled it out.
> > > > >
> > > > > are you using the same dns servers that the rest of the network is
> > > > > using? I don't think you will be able to get cornerstone.local to
> > > > > resolve can you?
> > > > >
> > > > > # host cornerstone.local
> > > > > # host cornerstone.com
> > > > > # host kerberos.cornerstone.com
> > > > >
> > > > > do any of these resolve?
> > > > >
> > > > > I presume that you are also using...
> > > > >
> > > > > > kinit user@CORNERSTONE.LOCAL
> > > > > > or
> > > > > > kinit user@CORNERSTONE.COM
> > > > >
> > > > > or whatever is currently defined by your local dns
> > > > >
> > > > > Craig
> > > > >
> > > > > ---------------------------------------------------
> > > > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
> > > >
> > > > ---------------------------------------------------
> > > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
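
Added example (not part of the original thread): a small Python decoder for the Event ID 537 text quoted above, turning its numeric fields into names. The lookup tables use Microsoft's published NTSTATUS and logon-type values; the function names and the `SAMPLE` text, abridged from the thread, are this example's own.

```python
import re

# NTSTATUS values commonly seen in Windows logon-failure events (ntstatus.h names).
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

# Event text abridged from the thread, mail-quote markers included.
SAMPLE = """\
> > Windows server gives Event ID 537
> > Reason: An error occurred during logon
> > Logon Type: 3
> > Authentication Package: Kerberos
> > Status Code: 0xC000005E
> > Substatus Code: 0x0
> > Caller Login ID:(0x0.0x3E7)
"""

def parse_event(text):
    """Return {field: value} from 'Field: value' lines, ignoring '>' quoting."""
    fields = {}
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s*)+", "", line).strip()
        key, sep, value = line.partition(":")
        if sep and key:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Decode the numeric fields and classify the kind of failure logged."""
    status = int(fields.get("Status Code") or "0", 16)
    name = NTSTATUS.get(status, "UNKNOWN_0x%08X" % status)
    ltype = LOGON_TYPES.get(int(fields.get("Logon Type") or "0"), "Unknown")
    # Logon ID 0x3E7 is the LocalSystem session: the caller was a service.
    is_system = fields.get("Caller Login ID", "").lower().endswith("0x3e7)")
    bad_creds = name in {"STATUS_WRONG_PASSWORD", "STATUS_NO_SUCH_USER",
                         "STATUS_LOGON_FAILURE"}
    return {"status": name, "logon_type": ltype,
            "caller_is_system": is_system, "credential_problem": bad_creds}
```

For the event in the thread, `triage(parse_event(SAMPLE))` reports `STATUS_NO_LOGON_SERVERS` on a network logon requested by the LocalSystem session, which is not one of the bad-credential statuses.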