Try these tests from your i5/OS system
All from QSH
kinit <your windows userID>
At the prompt, type your Windows password.
If that works, it means communication between i5/OS and the domain controller is working normally.
keytab list
This will give you a dump of the entries in your keytab file.
Copy the krbsvr/<your i5/OS FQDN>@<YOUR FULLY QUALIFIED WINDOWS DOMAIN NAME> into the paste buffer
kinit -k <paste the contents of the paste buffer here>
This uses the password from the keytab file
This will probably fail based on your comments below
kinit <paste the contents of the paste buffer here>
Note: same command as above but remove the "-k" parameter
This will prompt you for the password. Type the password exactly as you entered it.
If this works, the keytab file on i5/OS must have been changed by someone after you ran the wizard.
If this doesn't work because the password is incorrect, then you have a password mismatch. If you didn't run the ".bat" file yourself on the Windows domain controller, what may have happened is that you chose a password (when running the NAS config wizard) that did not meet the Windows password rules. The Windows Admin probably changed the password in the bat file to meet those naming conventions.
Patrick Botz
Security Architecture Consulting & Implementation
IBM Systems and Technology Group Lab Services
mail: botz@xxxxxxxxxx
phone: 507.253.0917 / mobile: 507.250.5644
ibm.com/servers/eserver/services
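The four QSH checks above, wrapped in a small POSIX shell script so the sequence and its interpretation can be followed from a single place. This is an added example, not part of Patrick's post or of i5/OS; it assumes that `kinit` and `keytab` are on the QSH path and that `keytab list` prints the service principal as a token of the form krbsvr/<host>@<REALM> somewhere in its output (the sample listing below is constructed for illustration and does not reproduce the real i5/OS output format).

```shell
#!/bin/sh
# Added example: NAS / Kerberos diagnostic sequence for i5/OS QSH.
# Assumption: 'kinit' and 'keytab' are available in QSH and 'keytab list'
# prints a "krbsvr/<host>@<REALM>" token for the service principal.

# Constructed sample of a keytab listing (illustrative only, not real output).
SAMPLE_KEYTAB_LISTING='Principal: krbsvr/myas400.example.com@EXAMPLE.COM
  Key version: 2
  Key type: DES'

# Pull the first krbsvr service principal out of a keytab listing read on stdin.
# Uses sed rather than grep -o so it also works on a strictly POSIX grep.
extract_krbsvr_principal() {
    sed -n 's|.*\(krbsvr/[^[:space:]]*@[^[:space:]]*\).*|\1|p' | head -n 1
}

# Map the exit status of the three kinit tests (0 = success, non-zero = failure)
# to the diagnosis given in the post above.
diagnose() {
    user_rc=$1; keytab_rc=$2; pw_rc=$3
    if [ "$user_rc" -ne 0 ]; then
        # kinit <windows user> failed: i5/OS cannot talk to the domain controller
        echo "no-kdc-communication"
    elif [ "$keytab_rc" -eq 0 ]; then
        # kinit -k with the keytab key worked: the keytab is fine
        echo "keytab-ok"
    elif [ "$pw_rc" -eq 0 ]; then
        # the typed password works but the keytab key does not: keytab was
        # changed after the wizard ran
        echo "keytab-changed-after-wizard"
    else
        # neither the keytab key nor the typed password is accepted by the KDC
        echo "password-mismatch"
    fi
}

# Interactive driver: runs the real commands against the KDC. Not invoked
# automatically; call "run_checks <your windows userID>" from QSH.
run_checks() {
    user="$1"
    echo "1) kinit $user   (tests i5/OS <-> domain controller communication)"
    if kinit "$user"; then user_rc=0; else user_rc=1; fi
    if [ "$user_rc" -ne 0 ]; then
        diagnose "$user_rc" 1 1
        return 1
    fi

    principal=$(keytab list | extract_krbsvr_principal)
    echo "2) kinit -k $principal   (uses the key stored in the keytab file)"
    if kinit -k "$principal"; then keytab_rc=0; else keytab_rc=1; fi

    echo "3) kinit $principal   (prompts; type the password you gave the wizard)"
    if kinit "$principal"; then pw_rc=0; else pw_rc=1; fi

    diagnose "$user_rc" "$keytab_rc" "$pw_rc"
}
```

The diagnose function is deliberately separated from the commands so the decision logic can be checked offline; run_checks is what you would actually call on the i5/OS side, and it stops after step 1 when the user kinit fails, since the remaining tests are meaningless without KDC connectivity.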
ALopez@xxxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
04/27/2007 07:08 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To
midrange-l@xxxxxxxxxxxx
cc
Subject
Re: EIM / LDAP
You shouldn't have to configure LDAP before using the Wizard to create an EIM domain.
If you don't know the administrator ID and/or password, use iSeries Navigator, Network, Servers, TCP/IP. Scroll to the bottom of the list and you'll find IBM Directory Server. Double-click it. (Make sure you connect to the system as QSECOFR).
You'll see a multi-panel window. On the General panel in the middle of the page is "Administrator information". You can change the administrator ID (make sure whatever you change it to starts with "cn=" followed by whatever name you want). Press the "Password..." button and you can set the password to whatever you want.
Thanks for those tips, I'll file those away. I was able to get the wizard
to work by using "Unconfigure" on IBM Directory Server, then relaunching
the wizard to create an EIM domain.
Everything looks good when using the QSH commands to verify setup. When trying to enable 5250 Kerberos authentication I get CWBSY1017 - rc=612 errors. The redbook indicates that this means "the password for the secret key entered on the KDC did not match the password provided when running the Network Authentication Service wizard that created the key." I don't see how this could be, as we used the batch file created by the wizard to update the KDC.
I'm currently waiting for our business partner/Arrow/IBM to resolve our
software support. The business partner and Arrow say that we have
support. IBM says that the contract is "not signed", meaning that the
entitlement team says something is missing, but of course can't tell me
what is missing.
In the meantime we look like jackasses: we tell management we can enable
SSO once we have a Windows 2000 domain. We get approval, we implement the
new domain, and now we can't tell them why SSO isn't working, when it will
be working or even when we will be able to work on the issue.
I'd find another line of work, but I'm addicted to the glamour, prestige
and acclaim that come from working in I/S..... :)