[29234] in Kerberos
sso problems
daemon@ATHENA.MIT.EDU (john smith)
Tue Feb 12 11:47:16 2008
Message-ID: <3a1324ab0802120845l73691e39uee1d39bd7efb458e@mail.gmail.com>
Date: Tue, 12 Feb 2008 11:45:52 -0500
From: "john smith" <jsmithk08@gmail.com>
To: Kerberos <kerberos@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
hello folks,
i have gone through the mail archive for suggestions but i can't seem
to make headway. i am not sure what i am missing. am i supposed to
export contents of krb5.keytab and copy them to the client systems?
i can't even log on to the kerb server. the ssh session just drops to
the console.
would appreciate some help on this.
thank you,
john
system: etch 32
-----------------
id will
uid=4301(will) gid=4301(will) groups=4301(will)
--------------------------
pam
grep krb5 /etc/pam.d/common-*
/etc/pam.d/common-account: account required pam_krb5.so
minimum_uid=1000 forwardable
/etc/pam.d/common-auth:auth sufficient pam_krb5.so
minimum_uid=1000 forwardable
/etc/pam.d/common-password
:password sufficient pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-session:session optional pam_krb5.so
minimum_uid=1000 forwardable
---------------
/etc/ssh/sshd_config
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
-----
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
-------------
/etc/krb5.conf
[libdefaults]
default_realm = FOO.BAR.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
FOO.BAR.COM = {
kdc = foo.bar.com
admin_server = foo.bar.com
}
[domain_realm]
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
forwardable = true
pam = {
minimum_uid = 1000
}
--------
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
FOO.BAR.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth, +forwardable
kadmind_port = 749
}
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log
------------------------------------------
kadmin.local listprinc
K/M@FOO.BAR.COM
testuser@FOO.BAR.COM
host/test1.bar.com@FOO.BAR.COM
host/test2.bar.com@FOO.BAR.COM
host/test3.bar.com@FOO.BAR.COM
host/test4.bar.com@FOO.BAR.COM
kadmin/admin@FOO.BAR.COM
kadmin/changepw@FOO.BAR.COM
kadmin/history@FOO.BAR.COM
kadmin/foo.bar.com@FOO.BAR.COM
krbtgt/FOO.BAR.COM@FOO.BAR.COM
will/admin@FOO.BAR.COM
i have run ktadd -k /etc/krb5.keytab <hostname> for all the test
clients on the kerbserver foo.bar.com
i can run kinit will/admin on any of the client systems.
--------------------------------
test2:~# ssh will@test1 (fails
test2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: will/admin@FOO.BAR.COM
Valid starting Expires Service principal
02/12/08 08:05:45 02/12/08 18:05:45 krbtgt/FOO.BAR.COM@FOO.BAR.COM
renew until 02/13/08 08:05:42
02/12/08 08:05:53 02/12/08 18:05:45 host/test1.bar.com@FOO.BAR.COM
renew until 02/13/08 08:05:42
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
test2:~#
--------------------
from /var/log/krb5kdc.log on the kerbserver foo.
Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes
{rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for
host/test3.bar.com@foo.bar.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
