
W2K DC-Heimdal KDC interoperability test (MS John Brezak sample adduser problem)



Well, after a big disappointment at having to use both a UNIX KDC and a W2K Domain 
Controller to authenticate users instead of simply using the UNIX KDC, I'm 
trying to struggle with these MS obstacles.

I have set up a Heimdal KDC with an OpenLDAP backend on Solaris 8 and a W2K 
DC. I created a two-way trusted realm between W2K and Heimdal.

The W2K DC can authenticate against the Heimdal KDC to obtain the initial 
TGT. I set up inter-realm keys and, of course, mapped users from UNIX to W2K.

My big problem is when I'm trying to run the adduser sample program from 
the MS site (John Brezak's test to show "easy" interoperability between 
UNIX and W2K). This program is supposed to create accounts in Active 
Directory from UNIX using the GSSAPI Kerberos mechanism.

I've read papers in which MS states that W2K is interoperable with MIT 
Kerberos, but I'm not so sure about Heimdal. To run this program I 
had to use the iPlanet LDAP SDK and the MIT krb5 libraries, and of 
course the libgssldap API from Luke Howard. This program is very 
interesting, but I can only test it with the LDAP simple bind 
mechanism. When I try to use the LDAP GSSAPI bind mechanism I'm getting 
an error after the call to the ldap_search_s() function. In fact I 
think the initialize security context and the negotiate security options 
functions are working correctly; look at the sample output:

In this sample CTXFARM.ARANEA.COM.MX is the W2K Domain
and CONSUMO.ARANEA.COM.MX is the UNIX Realm.

$ ./adduser -v -v -s w2k-kerberos.CTXFARM.ARANEA.COM.MX 
w2k003@CTXFARM.ARANEA.COM.MX
Creating user account for w2k003
ldap_open(w2k-kerberos.CTXFARM.ARANEA.COM.MX,389)

LDAP service name: LDAP@w2k-kerberos.CTXFARM.ARANEA.COM.MX
==> client_establish_context
Service name :LDAP@w2k-kerberos.CTXFARM.ARANEA.COM.MX
Sending init_sec_context token (size=1235)...
==> send_token
<== send_token
continue needed...
==> recv_token
<== recv_token 1
<== recv_token 2
Received token (size=114)...
El service name es LDAP@w2k-kerberos.CTXFARM.ARANEA.COM.MX
Sending init_sec_context token (size=0)...
==> send_token
<== send_token
<== client_establish_context
==> negotiate_security_options
==> recv_token
<== recv_token 1
<== recv_token 2
Received token (size=53)...
60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00
00 ff ff ff ff 8e b6 d2 37 3a 9a 4c 50 d1 d8 66
ef 32 0f 9e 8a 28 04 49 dd 6f 4a 2a dc 07 00 40
00 04 04 04 04
Received security token level 7 size 16384
Sending security token level 1 size 16384
==> send_token
<== send_token
==> parse_bind_result
<== parse_bind_result
<== negotiate_security_options

"albertop@CONSUMO.ARANEA.COM.MX" to 
"LDAP/w2k-kerberos.ctxfarm.aranea.com.mx@CTXFARM.ARANEA.COM.MX", 
lifetime 10949, flags 1b6, locally initiated, open

ldap_gssapi_bind(184800,dc=CTXFARM,dc=ARANEA,dc=COM,dc=MX,1)

Searching for "w2k003" at "dc=CTXFARM,dc=ARANEA,dc=COM,dc=MX" ...

ldap_serach_s() result:

Search Expresion: (samAccountName=w2k003)

Bind Path: dc=CTXFARM,dc=ARANEA,dc=COM,dc=MX

The error is: Can't contact LDAP server:

User account already present
Segmentation Fault
$
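The "Received security token level 7 size 16384" and "Sending security token level 1 size 16384" lines above are the SASL GSSAPI security-layer negotiation (RFC 2222 section 7.2.1, later RFC 4752). As an added illustration, not code from this post or from the MS sample program, the following Python parses and builds that 4-byte token; the server token bytes are constructed here to match the values in the transcript, and the "level 1 with size 16384" reply shown above would be encoded with size 0 under the stricter RFC 4752 wording.

```python
"""Parse and build the 4-byte SASL GSSAPI security-layer negotiation
token.  It travels as the plaintext of a GSS wrap token: byte 0 is a
bitmask of supported layers (1 = none, 2 = integrity,
4 = confidentiality) and bytes 1..3 are the maximum message size in
network byte order."""

LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 0x01, 0x02, 0x04
LAYER_NAMES = {LAYER_NONE: "none", LAYER_INTEGRITY: "integrity",
               LAYER_CONFIDENTIALITY: "confidentiality"}


def parse_sec_layer_token(tok: bytes) -> tuple[int, int]:
    """Return (layer_bitmask, max_size) or raise on a malformed token."""
    if len(tok) != 4:
        raise ValueError(f"security-layer token must be 4 bytes, got {len(tok)}")
    mask = tok[0]
    if mask == 0 or mask & ~0x07:
        raise ValueError(f"invalid layer bitmask 0x{mask:02x}")
    return mask, int.from_bytes(tok[1:4], "big")


def layer_names(mask: int) -> list[str]:
    """Human-readable names for the bits set in a layer bitmask."""
    return [name for bit, name in LAYER_NAMES.items() if mask & bit]


def client_response(server_tok: bytes, client_max: int,
                    preference=(LAYER_CONFIDENTIALITY, LAYER_INTEGRITY,
                                LAYER_NONE)) -> bytes:
    """Pick the first layer in `preference` that the server offers and
    encode the client's reply.  RFC 4752 requires the size field to be 0
    when the client selects no security layer."""
    offered, _server_max = parse_sec_layer_token(server_tok)
    for layer in preference:
        if offered & layer:
            size = 0 if layer == LAYER_NONE else client_max
            if not 0 <= size <= 0xFFFFFF:
                raise ValueError("max size does not fit in 24 bits")
            return bytes([layer]) + size.to_bytes(3, "big")
    raise ValueError("no mutually supported security layer")


# Constructed sample matching the transcript: the DC offers level 7
# (all three layers) with a 16384-byte maximum, i.e. plaintext 07 00 40 00.
SERVER_TOKEN = bytes.fromhex("07004000")

if __name__ == "__main__":
    mask, size = parse_sec_layer_token(SERVER_TOKEN)
    print(f"server offers {layer_names(mask)}, max message {size}")
    print("client reply (no layer):",
          client_response(SERVER_TOKEN, 16384, (LAYER_NONE,)).hex())
```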



After I run this program I can see the tickets generated by this 
transaction. (In fact, I'm getting two tickets from the W2K DC to access 
the Active Directory server):

$ /usr/local/bin/klist -v
Credentials cache: FILE:/tmp/krb5cc_600
        Principal: albertop@CONSUMO.ARANEA.COM.MX
    Cache version: 4

Server: krbtgt/CONSUMO.ARANEA.COM.MX@CONSUMO.ARANEA.COM.MX
Ticket etype: des-cbc-crc, kvno 1
Auth time:  Apr 16 13:03:29 2002
End time:   Apr 16 23:03:29 2002
Ticket flags: forwardable, proxiable, initial
Addresses: IPv4:192.168.10.97

Server: krbtgt/CTXFARM.ARANEA.COM.MX@CONSUMO.ARANEA.COM.MX
Ticket etype: des-cbc-crc, kvno 8
Auth time:  Apr 16 13:03:29 2002
Start time: Apr 16 13:03:36 2002
End time:   Apr 16 23:03:29 2002
Ticket flags: forwardable, proxiable
Addresses: IPv4:192.168.10.97

Server: LDAP/w2k-kerberos.ctxfarm.aranea.com.mx@CTXFARM.ARANEA.COM.MX
Ticket etype: des-cbc-md5
Auth time:  Apr 16 13:03:29 2002
Start time: Apr 16 13:03:21 2002
End time:   Apr 16 23:03:21 2002
Ticket flags: forwardable, proxiable, ok-as-delegate
Addresses: IPv4:192.168.10.97

Server: LDAP/w2k-kerberos.ctxfarm.aranea.com.mx@CTXFARM.ARANEA.COM.MX
Ticket etype: des-cbc-crc
Auth time:  Apr 16 13:03:29 2002
Start time: Apr 16 13:03:21 2002
End time:   Apr 16 23:03:21 2002
Ticket flags: forwardable, proxiable, ok-as-delegate
Addresses: IPv4:192.168.10.9


My assumption is that the "Can't contact LDAP server" error from the 
ldap_search_s() function call is because it does not have rights to access the 
Active Directory server.

In fact, the W2K System Event log reports the following error at the same 
time:

Service Ticket Request Failed:
User Name: albertop
User Domain: CONSUMO.ARANEA.COM.MX
Service Name: LDAP/W2K-kerberos.ctxfarm.aranea.com.mx
Ticket Options: 0x50000000
Failure Code: 0xE
Client Address: CERBERUS (Unix KDC)


The failure code 0xE means, in my opinion, that the KDC has no support for 
the encryption type, but I have deleted all the encryption
types from the inter-realm keys (krbtgt) except the des-cbc-crc enc type.


Sniffing my network interface shows me that the W2K DC is returning a 
KRB_ERR message, but it is not reported by the useradd program.

Unfortunately, I have no idea what is happening here!

Any suggestion will be happily received.

Thanks a lot.


Alberto Patino