Hi all,
I'm struggling with a weird problem, I hope you can help ...
We have two forests, which are trusted both ways:
A.DOM (4x DC's dc1/dc2/dc3/dc4.a.dom)
B.NET (4x DC's dc1/dc2/dc3/dc4.b.net)
UNIX User: xyz@a.dom
Linux Box: server.c.net (joined B.NET)
The user "xyz@a.dom" tries to log in to a Linux box "server.c.net", but fails ...
In /var/log/messages I found entries like these (vasd debug-level 3):
------------------------------------------------------------------
Dec 7 10:29:32 server.c.net vasd[22501]: _ldap_init_and_bind: Failed to get ldap/ service ticket. VAS_ERR_KRB5: Failed to obtain credentials. Client: SERVER$@B.NET, Service: ldap/dc2.a.dom@B.NET, Server: dc4.b.net Caused by: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377): Server not found in Kerberos database Reason: Server (ldap/dc2.a.dom@B.NET) unknown
------------------------------------------------------------------
... and repeated for each A.DOM domain controller.
Of course this can't work. Why is vasd looking for ldap/dc2.a.dom@B.NET instead of ldap/dc2.a.dom@A.DOM? Did I miss anything in my vas.conf?
Here is my vas.conf:
------------------------------------------------------------------
[libdefaults]
default_realm = B.NET
ticket_lifetime = 36000
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
forwardable = true
[domain_realm]
server.c.net = B.NET
[vasd]
debug-level = 3
workstation-mode = true
workstation-mode-group-do-member = true
alt-auth-realms = b.net,a.dom
cross-forest-domains = b.net,a.dom
[libvas]
use-server-referrals = true
use-tcp-only = true
enable-gssapi-acceptor-authz = true
[nss_vas]
lowercase-names = true
check-host-access = true
[vas_auth]
checkaccess-use-implicit = true
------------------------------------------------------------------
Any ideas what the problem could be?
Thanks a lot in advance!!!
Miguel
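The vasd line above carries everything needed to see how the service realm was chosen. As an added example (my own code, not Miguel's and not Quest/VAS code), here is a Python helper that extracts the service principal from such a log line and replays the standard Kerberos [domain_realm] lookup against the posted config. It assumes vasd follows the MIT-style lookup order (exact host, then each parent domain with a leading dot, then default_realm); the `.a.dom = A.DOM` entry used in the comparison is a hypothetical mapping, not something the post states.

```python
import re
from typing import Dict, Optional

# Constructed sample: the vasd line quoted in the post, trimmed to the fields used here.
SAMPLE_LOG = ("Dec 7 10:29:32 server.c.net vasd[22501]: _ldap_init_and_bind: "
              "Failed to get ldap/ service ticket. VAS_ERR_KRB5: Failed to obtain "
              "credentials. Client: SERVER$@B.NET, Service: ldap/dc2.a.dom@B.NET, "
              "Server: dc4.b.net Caused by: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377)")

# [domain_realm] exactly as it appears in the posted vas.conf.
POST_DOMAIN_REALM = {"server.c.net": "B.NET"}

SERVICE_RE = re.compile(r"Service: (?P<svc>[^/\s]+)/(?P<host>[^@\s,]+)@(?P<realm>[^\s,]+)")


def host_to_realm(host: str, domain_realm: Dict[str, str], default_realm: str) -> Dict[str, str]:
    """Kerberos [domain_realm] lookup (assumed MIT-style): exact host first, then parent
    domains with a leading dot, then default_realm. Returns the realm and the rule hit."""
    host = host.lower()
    if host in domain_realm:
        return {"realm": domain_realm[host], "rule": host}
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])        # e.g. ".a.dom", then ".dom"
        if parent in domain_realm:
            return {"realm": domain_realm[parent], "rule": parent}
    return {"realm": default_realm, "rule": "default_realm"}


def resolve_service_realm(line: str, domain_realm: Dict[str, str],
                          default_realm: str) -> Optional[Dict[str, str]]:
    """Parse 'Service: svc/host@REALM' from a vasd line and compare the realm vasd
    requested with the realm the [domain_realm] table would yield for that host."""
    m = SERVICE_RE.search(line)
    if m is None:
        return None
    resolved = host_to_realm(m["host"], domain_realm, default_realm)
    return {
        "principal": f"{m['svc']}/{m['host']}@{m['realm']}",
        "requested_realm": m["realm"],
        "resolved_realm": resolved["realm"],
        "matched_rule": resolved["rule"],
        "consistent_with_config": resolved["realm"] == m["realm"],
    }


if __name__ == "__main__":
    print(resolve_service_realm(SAMPLE_LOG, POST_DOMAIN_REALM, "B.NET"))
    # Hypothetical extra mapping, to show which rule would change the outcome.
    print(resolve_service_realm(SAMPLE_LOG, {**POST_DOMAIN_REALM, ".a.dom": "A.DOM"}, "B.NET"))
```

With the posted config the host dc2.a.dom matches no [domain_realm] entry and falls through to default_realm, which is exactly the ldap/dc2.a.dom@B.NET principal the log shows; the second call shows how a parent-domain rule would be matched instead.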