[29238] in Kerberos
Re: sso problems
daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Tue Feb 12 16:00:48 2008
From: "Richard E. Silverman" <res@qoxp.net>
Date: Tue, 12 Feb 2008 15:47:16 -0500
Message-ID: <m2wsp9hpgr.fsf@darwin.oankali.net>
MIME-Version: 1.0
X-Complaints-To: abuse@speakeasy.net
X-DMCA-Complaints-To: abuse@speakeasy.net
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>
> hello folks,
> i have gone through the mail archive for suggestions but i can't seem
> to make headway. i am not sure what i am missing. am i supposed to
> export contents of krb5.keytab and copy them to the client systems?
> i can't even log on to the kerb server. the ssh session just drops to
> the console.
>
> would appreciate some help on this.
>
> thank you,
> john
>
> system: etch 32
> -----------------
> id will
> uid=4301(will) gid=4301(will) groups=4301(will)
>
> --------------------------
> pam
>
> grep krb5 /etc/pam.d/common-*
> /etc/pam.d/common-account: account required pam_krb5.so
> minimum_uid=1000 forwardable
> /etc/pam.d/common-auth:auth sufficient pam_krb5.so
> minimum_uid=1000 forwardable
> /etc/pam.d/common-password
> :password sufficient pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-session:session optional pam_krb5.so
> minimum_uid=1000 forwardable
>
>
>
> ---------------
> /etc/ssh/sshd_config
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> -----
> /etc/ssh/ssh_config
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> -------------
>
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = FOO.BAR.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> FOO.BAR.COM = {
> kdc = foo.bar.com
> admin_server = foo.bar.com
> }
>
> [domain_realm]
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> [appdefaults]
> forwardable = true
> pam = {
> minimum_uid = 1000
> }
>
>
> --------
> /etc/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> FOO.BAR.COM = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des:normal des:v4 des:norealm des:onlyrealm des:afs3
> default_principal_flags = +preauth, +forwardable
> kadmind_port = 749
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
> ------------------------------------------
> kadmin.local listprinc
> K/M@FOO.BAR.COM
> testuser@FOO.BAR.COM
> host/test1.bar.com@FOO.BAR.COM
> host/test2.bar.com@FOO.BAR.COM
> host/test3.bar.com@FOO.BAR.COM
> host/test4.bar.com@FOO.BAR.COM
> kadmin/admin@FOO.BAR.COM
> kadmin/changepw@FOO.BAR.COM
> kadmin/history@FOO.BAR.COM
> kadmin/foo.bar.com@FOO.BAR.COM
> krbtgt/FOO.BAR.COM@FOO.BAR.COM
> will/admin@FOO.BAR.COM
>
> i have run ktadd -k /etc/krb5.keytab <hostname> for all the test
> clients on the kerbserver foo.bar.com
>
> i can run kinit will/admin on any of the client systems.
> --------------------------------
> test2:~# ssh will@test1 (fails
>
> test2:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: will/admin@FOO.BAR.COM
>
> Valid starting Expires Service principal
> 02/12/08 08:05:45 02/12/08 18:05:45 krbtgt/FOO.BAR.COM@FOO.BAR.COM
> renew until 02/13/08 08:05:42
> 02/12/08 08:05:53 02/12/08 18:05:45 host/test1.bar.com@FOO.BAR.COM
> renew until 02/13/08 08:05:42
Your /admin principal will typically not be authorized for login to your
Unix account; the default rule authorizes only foo@REALM to access the Unix
account "foo", so will/admin@FOO.BAR.COM does not map to "will". Use your
regular principal, or if you really want to log in with your admin
principal, add both your regular and admin principals to ~/.k5login on the
server.
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> test2:~#
> --------------------
> from /var/log/krb5kdc.log on the kerbserver foo.
> Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes
> {rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for
> host/test3.bar.com@foo.bar.com
--
Richard Silverman
res@qoxp.net