[KLUG Members] Managing AD from Linux?

Bruce Smith bruce at armintl.com
Fri Dec 30 15:52:48 EST 2005


> > > > supportedSASLMechanisms: GSSAPI
> > > > supportedSASLMechanisms: DIGEST-MD5
> > > It supports DIGEST-MD5 so it is worth trying an ldapmodify with an MD5
> > > bind (be sure to use encryption).  Level of access in AD is often
> > > related to the 'strength' of your connection.
> > I've been trying all morning without luck.  When I try digest-md5 I get:
> > "The digest-uri does not match any LDAP SPN's registered for this
> > server., data 0, vece"
> 
> Buggers, what does your LDAP command look like?

Which one?  I've tried it every way I can think of.  
I even read through all your LDAP and KRB presentations.
Here are a _few_ examples:

bruce at lx1:~> ldapsearch -ZZ -Y digest-md5 -U bruce -H ldap://tcad/ -u -LLL -s sub  'objectclass=*'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece
bruce at lx1:~> ldapsearch -ZZ -Y digest-md5 -U bruce at tcc.armintl.com -H ldap://tcad/ -u -LLL -s sub  'objectclass=*'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
bruce at lx1:~> ldapsearch -v -P 3 -Y DIGEST-MD5 -D "cn=Bruce Smith,cn=Users,dc=tcc,dc=armintl,dc=com"
ldap_initialize( <DEFAULT> )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vece
bruce at lx1:~>


bruce at lx1:~> ldapsearch -v -P 3 -D "cn=Bruce Smith,cn=Users,dc=tcc,dc=armintl,dc=com"
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
bruce at lx1:~>


> > I even tried GSSAPI.  I can run kinit and get a ticket from AD, 
> > but ldapsearch says:
> > "Miscellaneous failure (Server not found in Kerberos database)"
> > Is this because I haven't "joined the domain"?  
> 
> :) Joined which domain?  

AD, I guess.  I got the samba "net ads join" to work.  I'm not sure what
it gains me since I can't tell any difference after the join.

> This terminology gets all twisted around.

Tell me about it!  :-)

> > Or there is no record in AD for my Linux box? 
> 
> This would be my guess, a key exchange won't work if name resolution
> doesn't work.

DNS is working, if that's what you mean.

 - BS
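Both errors above mention the service name the client derives from the host it was given (the DIGEST-MD5 digest-uri, and the ldap/host@REALM principal GSSAPI requests). The following is an added example, not code from the thread: it derives those names from the -H URI and checks them against a constructed list of servicePrincipalName values. The SPN list and the realm TCC.ARMINTL.COM are assumptions for illustration; the case-insensitive comparison is also an assumption of the example.

```python
from urllib.parse import urlsplit

# Constructed sample of servicePrincipalName values, in the shape a domain
# controller's computer object usually carries them.  Assumed for this
# example; not values taken from the thread.
SAMPLE_SPNS = [
    "ldap/tcad.tcc.armintl.com",
    "ldap/tcad.tcc.armintl.com/tcc.armintl.com",
    "ldap/tcad.tcc.armintl.com/TCC",
]


def ldap_host(uri):
    """Return the host part of an LDAP URI such as ldap://tcad/ (port dropped)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URI: %r" % uri)
    return parts.hostname


def expected_names(uri, realm):
    """Service names a SASL client builds from the host string it was given.

    DIGEST-MD5 sends digest-uri = ldap/<host>; GSSAPI asks the KDC for a
    ticket to ldap/<host>@<REALM>.  Both start from the same host string,
    so a short name in -H produces a short-name service name.
    """
    host = ldap_host(uri)
    return {"digest-uri": "ldap/" + host,
            "krb5-principal": "ldap/%s@%s" % (host, realm)}


def check_uri(uri, realm, spns):
    """Report whether the derived names match a registered SPN (case-insensitive, assumed)."""
    registered = {s.lower() for s in spns}
    names = expected_names(uri, realm)
    service_part = names["krb5-principal"].split("@", 1)[0]
    return {
        "host": ldap_host(uri),
        "digest_uri": names["digest-uri"],
        "principal": names["krb5-principal"],
        "digest_md5_ok": names["digest-uri"].lower() in registered,
        "gssapi_ok": service_part.lower() in registered,
    }


if __name__ == "__main__":
    for uri in ("ldap://tcad/", "ldap://tcad.tcc.armintl.com/"):
        print(check_uri(uri, "TCC.ARMINTL.COM", SAMPLE_SPNS))
```

With the short name the check reports no matching SPN for either mechanism; with the FQDN both match, which is the first thing to confirm before looking elsewhere.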
