On 23/9/2011 10:25 πμ, Markus Moeller wrote:
This is an incomplete Active Directory setup (or Kerberos if you don't use AD).
Thanks Markus,As you may have seen from earlier posts, I am using MIT Kerberos on CentOS. I don't have Active Directory but I am using OpenLDAP which serves as Kerberos container and principals store.
DNS entries were (until now) considered unnecessary. I have created the required entries and retried.
Now I am getting (in Wireshark) an LDAP search request from the client and this fails:
CLDAP searchRequest(4) "<ROOT>" baseObject with content: baseObject: scope: baseObject (0) derefAliases: neverDerefAliases (0) sizeLimit: 0 timeLimit: 0 typesOnly: False Filter: (&(&(DnsDomain=EXAMPLE.COM)(Host=CLIENTHOSTNAME))(NtVer=0x20000006)) attributes: 1 item AttributeDescription: Netlogon and the server responds: ICMP Destination unreachable (Host administratively prohibited)We don't allow anyone (except specific DNs) to access our LDAP server. Additionally there are no such entries in there (these are obviously Active Directory specific). Anyway, there is no client host entry in Kerberos or in LDAP.
Now what? Nick
<<attachment: smime.p7s>>