Nagios Authentication with Active Directory (Slightly Off-Topic)
Shawn Iverson
shawn at nccsc.k12.in.us
Fri Jan 7 22:48:43 CET 2005
On Friday, January 07, 2005 2:45 PM, Dimitri wrote:
>Shawn,
>
>First, output of dig _kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM srv
>
>; <<>> DiG 9.2.4rc6 <<>> _kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM srv
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13282
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;_kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM. IN SRV
>
>;; AUTHORITY SECTION:
>firstbhph.com. 3600 IN SOA rockland.headquarters.firstbhph.com. hostmaster.headquarters.firstbhph.com. 391 900 600 86400 3600
>
Oops, you have a small typo in your DNS question. It should be
_kerberos._tcp.HEADQUARTERS.FIRSTBHPH.COM srv
instead of
_kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM srv
>
>and dig _kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM srv
>
>; <<>> DiG 9.2.4rc6 <<>> _kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM srv
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43578
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;_kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM. IN SRV
>
>;; AUTHORITY SECTION:
>firstbhph.com. 3600 IN SOA rockland.headquarters.firstbhph.com. hostmaster.headquarters.firstbhph.com. 391 900 600 86400 3600
>
>;; Query time: 6 msec
>;; SERVER: 192.168.100.3#53(192.168.100.3)
>;; WHEN: Fri Jan 7 14:33:40 2005
>;; MSG SIZE rcvd: 140
>;; Query time: 2 msec
>;; SERVER: 192.168.100.3#53(192.168.100.3)
>;; WHEN: Fri Jan 7 14:31:41 2005
>;; MSG SIZE rcvd: 140
Same typo here.
>
>Doesn't look like yours.
>
>Additional info.:
>
>OS: CentOS 3.3
>Kerberos: krb5-server-1.2.7-28, krb5-workstation-1.2.7-28,
>krbafs-1.1.1-11 (all from rpm)
>Samba: samba-3.0.7-1.3E.1 security=ads (as I mentioned previously,
>samba works, and this server has joined the domain successfully)
>DNS: I'm using the Win2k box for DNS.
Thanks. It is good that you joined properly. Samba relies on Kerberos to perform the join operation.
I am using krb5-workstation-1.3.6-2, samba-client-3.0.10-1, and pam_krb5-2.1.2-1.
krb5 1.2.7 might be problematic. You may want to upgrade this package.
What version of pam_krb5 are you using?
>
>
>-----Original Message-----
>From: Shawn Iverson [mailto:shawn at nccsc.k12.in.us]
>Sent: Friday, January 07, 2005 1:54 PM
>To: Dimitri Yioulos
>Cc: nagios-users at lists.sourceforge.net
>Subject: RE: [Nagios-users] Nagios Authentication with Active
>Directory (Slightly Off-Topic)
>
>There's some info from comp.protocols.kerberos (Google Groups, see
>below).
>
>It sounds like you need to do the following to check your DNS kerberos
>configuration:
>
>dig _kerberos._udp.REALMNAMEFQDN srv
>dig _kerberos._tcp.REALMNAMEFQDN srv
>
>It sounds like error 52 should only ever occur when the srv
>resource records for kerberos on your DNS server are set to
>allow only UDP authentication. I presume that when you
>execute the latter command you might get an unexpected
>response. If so, you need to fix your srv resource records on
>your DNS server to allow TCP.
>
>BTW, are you using DNS from your Windows 2003 Servers or from
>another source? Make sure you have only one kinit on your
>system. If none of this is helpful, send me details about
>your version of kerberos that you are using, your OS, whether
>you installed it as a package or as source, etc.
>
>Here is my DNS answer section for both (specifics removed):
>
>;; QUESTION SECTION:
>;_kerberos._tcp.MYREALM. IN SRV
>
>;; ANSWER SECTION:
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>_kerberos._tcp.MYREALM. 600 IN SRV 0 100 88 XXXXXX.myrealm.
>
>;; ADDITIONAL SECTION:
>XXXXXX.myrealm. 3600 IN A x.x.x.x
>XXXXXX.myrealm. 3600 IN A x.x.x.x
>
>;; Query time: 1 msec
>;; SERVER: x.x.x.x#53(x.x.x.x)
>;; WHEN: Fri Jan 7 13:34:47 2005
>;; MSG SIZE rcvd: 504
>
>
>; <<>> DiG 9.2.4 <<>> _kerberos._udp.MYREALM srv
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7178
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;_kerberos._udp.myrealm. IN SRV
>
>;; ANSWER SECTION:
>_kerberos._udp.MYREALM. 600 IN SRV 0 100 88 xxxxxxx.nccsc.k12.in.us.
>_kerberos._udp.MYREALM. 600 IN SRV 0 100 88 xxxxxxx.nccsc.k12.in.us.
>
>Etc...
>
>On Jun 10 2003, 5:02 pm Ken Raeburn on comp.protocols.kerberos wrote:
>>
>>Uli Schröder <uli.schroe... at gmx.net> writes:
>>
><snip>
>
>>> Nevertheless if I do a kinit for my normal account it fails with
>>> error code 52. No change between krb5-1.2.7 and krb5-1.3.
>>
>>Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>>source code for the 1.3 snapshot. The error message is now "Response
>>too big for UDP, retry with TCP", and shouldn't be displayed unless the
>>server sends that error code over a TCP connection, or the client
>>library thinks that TCP service isn't available for some reason, which
>>should only happen if you have DNS SRV records that indicate only UDP
>>service is available (try "dig _kerberos._udp.REALMNAME srv", and try
>>with _tcp instead of _udp) and the config files don't list the KDCs at
>>all.
>
>On Jun 11 2003, 9:29 am Uli Schröder wrote on comp.protocols.kerberos:
>
>>"Ken Raeburn" <raeb... at mit.edu> wrote in message
>>news:tx1of15se7f.fsf at mit.edu...
>>
>>> ...
>>> > Nevertheless if I do a kinit for my normal account it fails with
>>> > error code 52. No change between krb5-1.2.7 and krb5-1.3.
>>
>>> Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>>> source code for the 1.3 snapshot. The error message is now "Response
>>> too big for UDP, retry with TCP", and shouldn't be displayed unless
>>> the server sends that error code over a TCP connection, or the client
>>> library thinks that TCP service isn't available for some reason,
>>> which should only happen if you have DNS SRV records that indicate
>>> only UDP service is available (try "dig _kerberos._udp.REALMNAME
>>> srv", and try with _tcp instead of _udp) and the config files don't
>>> list the KDCs at all.
>>
>>I had another kinit in my path. I wasn't aware of that. I thought I
>>had deleted all the old stuff. Now the new kinit works great. I can
>>use kinit with my own account. No more error 52! :)
>>
>
>Shawn Iverson
>
>On Friday, January 07, 2005 11:26 AM Dimitri wrote:
>
>>kinit user at YOUR.DOMAIN.ORG returns:
>>
>>kinit(v5): KRB5 error code 52 while getting initial credentials
>>
>>Does this error have to do with Windows kerberos ?
>>
>>Sorry, I know this isn't a kerberos-related mailing list, but
>>if you could tell me what I'm doing wrong, it would be greatly
>>appreciated. Googling doesn't produce anything useful.
>>
>>Dimitri
>>
>>
>
>
>
>-------------------------------------------------------
>The SF.Net email is sponsored by: Beat the post-holiday blues
>Get a FREE limited edition SourceForge.net t-shirt from
>ThinkGeek. It's fun and FREE -- well,
>almost....http://www.thinkgeek.com/sfshirt
>_______________________________________________
>Nagios-users mailing list
>Nagios-users at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/nagios-users
>::: Please include Nagios version, plugin version (-v) and OS
>when reporting any issue.
>::: Messages without supporting info will risk being sent to /dev/null
>
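The two checks that come up repeatedly in this thread, dig for the _kerberos._tcp and _kerberos._udp SRV records of the realm and a look for stray kinit binaries on PATH, scripted as an added example. This is not code from the original messages, nor from Nagios, Samba or MIT krb5. It assumes dig is installed for the live check; the function names, the realm EXAMPLE.COM and the sample records mentioned in the comments are constructed for illustration.

```sh
#!/bin/sh
# Added example: check how a Kerberos realm advertises its KDCs in DNS, the way the
# dig commands quoted in this thread do by hand. Realm names and sample data are
# constructed; nothing here is taken from a real domain.

# Build the SRV owner name for a realm. Note the underscore on BOTH labels:
# "_kerberos._tcp.REALM", not "_kerberos.tcp.REALM" (the typo in the thread
# produces NXDOMAIN, which looks like "no KDC records" but is just a bad name).
srv_name() {
    # $1 = transport (tcp|udp), $2 = realm
    printf '_kerberos._%s.%s' "$1" "$2"
}

# Read dig output on stdin and print "priority weight port target" for every
# SRV record whose owner name is $1 (case-insensitive, trailing dot optional).
# Lines starting with ';' (dig comments and the QUESTION section) are skipped.
parse_srv_targets() {
    owner=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    awk -v owner="$owner" '
        /^;/ { next }
        $4 == "SRV" {
            name = tolower($1); sub(/\.$/, "", name)
            if (name == owner) print $5, $6, $7, $8
        }'
}

# Count SRV records for owner $1 in dig output supplied on stdin.
count_srv() {
    parse_srv_targets "$1" | wc -l | tr -d ' '
}

# Classify a realm from the number of _tcp ($1) and _udp ($2) SRV records.
# "udp-only" is the situation Ken Raeburn describes: the client library decides
# TCP is unavailable, so a KDC reply too large for UDP (error 52,
# KRB_ERR_RESPONSE_TOO_BIG) can never be retried over TCP.
classify_transports() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo "tcp+udp"
    elif [ "$1" -gt 0 ]; then echo "tcp-only"
    elif [ "$2" -gt 0 ]; then echo "udp-only"
    else echo "none"
    fi
}

# List every executable named kinit on a PATH-style string ($1), first match
# first. More than one line means an old kinit may shadow the one you installed,
# which is what caused the "error 52" in the Usenet thread quoted above.
list_kinits() {
    (
        IFS=:
        set -f
        for d in $1; do
            [ -x "$d/kinit" ] && printf '%s\n' "$d/kinit"
        done
        true
    )
}

# Live check against the system resolver (needs dig). Usage:
#   check_realm HEADQUARTERS.FIRSTBHPH.COM
check_realm() {
    tcp_name=$(srv_name tcp "$1")
    udp_name=$(srv_name udp "$1")
    tcp=$(dig +noall +answer "$tcp_name" srv | count_srv "$tcp_name")
    udp=$(dig +noall +answer "$udp_name" srv | count_srv "$udp_name")
    printf 'realm=%s tcp_srv=%s udp_srv=%s -> %s\n' \
        "$1" "$tcp" "$udp" "$(classify_transports "$tcp" "$udp")"
    printf 'kinit binaries on PATH:\n'
    list_kinits "$PATH"
}
```

Source the file and call check_realm with the realm name (the AD domain in upper case). A result of "udp-only" means the DNS side matches the failure mode Ken describes; "none" with a working Samba join usually means the SRV name was mistyped, as above. Two caveats a practitioner should keep in mind: SRV lookups are plain, unauthenticated DNS, so a monitoring server should also have its KDCs listed explicitly under [realms] in krb5.conf rather than relying on DNS alone (Ken's point that the library only draws the "no TCP" conclusion when the config files list no KDCs is the same observation from the other side), and list_kinits only finds binaries on the PATH string you pass it, so run it with the PATH of the account that actually executes kinit.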