


In the AD Admin GUI, find the user accounts for the iSeries system.

Display the properties. Under the account tab in the scroll window on the
bottom half of the page, find the "Use DES encryption" check box. It
should be checked. If not, check it. Then try the tests again.




Patrick Botz


Security Architecture Consulting & Implementation

IBM Systems and Technology Group Lab Services

mail: botz@xxxxxxxxxx

phone: 507.253.0917 / mobile: 507.250.5644



ibm.com/servers/eserver/services



midrange-l-bounces@xxxxxxxxxxxx wrote on 04/27/2007 11:30:21 AM:

All from QSH
kinit <your windows userID>
at the prompt type your windows password.
If that works it means communication between i5/OS and the domain
controller is working normally.

Interesting, the Redbook (on pages 109 - 110) doesn't mention this step. I
fail right here with a EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a0e - Encryption type is not supported.

Unfortunately, while I can Google the error message, nothing shows up for
this status message.

NAS properties shows that I have the following checksum types:
Application: rsa-md5
KDC: rsa-md5
Safe: rsa-md5-des

"Use new algorithm for rsa-md5-des" is checked.

Under tickets, I show the same selected encryption types for Initial
Ticket and Ticket Granting Service:
des-cbc-crc
des-cbc-md5

All those are the defaults shown in the Redbook.

keytab list
This will give you a dump of the entries in your keytab file.
Copy the krbsvr/<your i5/OS FQDN>@<YOUR FULLY QUALIFIED WINDOWS DOMAIN NAME>
into the paste buffer

This works, and returns principals for krbsvr400, ldap, etc.

kinit -k <paste the contents of the paste buffer here>
This uses the password from the keytab file
This will probably fail based on your comments below

This completes successfully.

kinit <paste the contents of the paste buffer here>
Note: same command as above but remove the "-k" parameter
This will prompt you for the password. Type the password exactly as you
entered it.

This also completes without an error.

If this works, the keytab file on i5/OS must have been changed by someone
after you ran the wizard.
If this doesn't work because the password is incorrect, then you have a
password mismatch. If you didn't run the ".bat" file yourself on the
Windows domain controller, what may have happened is that you chose a
password (when running the NAS config wizard) that did not meet the
windows password rules. The Windows Admin probably changed the password in
the bat file to meet those naming conventions.

The admin ran the batch file under my supervision. We ran two batch
files, as the first one did not include a principal for ldap. The second
one used the same password as the first [with all passwords for all
principals being the same...].

--


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
