From Matthew.GARRETT at external.total.com Mon Jun 1 10:28:09 2009 
From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com)
Date: Mon, 1 Jun 2009 15:28:09 +0100
Subject: Solaris 8 Kerberos / Ldap Client Setup
In-Reply-To: <4A0D791D.40400@anl.gov>
Message-ID:

Folks

I am still getting problems with Kerberos on Sun Solaris 8.

So far I have installed the http://www.eyrie.org/~eagle/software/pam-krb5/ PAM module.

With /etc/pam.conf set to debug mode I get the following:

Jun 1 15:17:10 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
Jun 1 15:17:10 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
Jun 1 15:17:10 bruce login: [ID 305314 auth.debug] load_modules: /usr/local/lib/security/pam_krb5.so.1
Jun 1 15:17:10 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
Jun 1 15:17:14 bruce login: [ID 859314 auth.debug] pam_set_item(2)
Jun 1 15:17:19 bruce login: [ID 859314 auth.debug] pam_set_item(6)
Jun 1 15:17:19 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed
Jun 1 15:17:19 bruce login: [ID 584047 auth.debug] (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jun 1 15:17:19 bruce login: [ID 584047 auth.debug] (pam_krb5): mgarrett: attempting authentication as mgarrett at UK.AD.EP.CORP.LOCAL
Jun 1 15:17:19 bruce login: [ID 859314 auth.debug] pam_set_item(2)
Jun 1 15:17:19 bruce login: [ID 584047 auth.debug] (pam_krb5): mgarrett: pam_sm_authenticate: exit (success)
Jun 1 15:17:19 bruce login: [ID 859314 auth.debug] pam_set_item(6)
Jun 1 15:17:23 bruce login: [ID 859314 auth.debug] pam_set_item(2)
Jun 1 15:17:23 bruce login: [ID 859314 auth.debug] pam_set_item(8)
Jun 1 15:17:23 bruce login: [ID 859314 auth.debug] pam_set_item(9)

Which I believe is saying the password was correct and I should be able to log in? However I do not get a login prompt.
As root, doing a su - mgarrett I get the following:

Jun 1 15:25:52 bruce su: [ID 366847 auth.info] 'su mgarrett' succeeded for root on /dev/pts/1
Jun 1 15:25:52 bruce su[4524]: [ID 942022 auth.debug] pam_setcred()
Jun 1 15:25:52 bruce su[4524]: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
Jun 1 15:25:52 bruce su[4524]: [ID 265225 auth.debug] load_function: successful load of pam_sm_setcred
Jun 1 15:25:52 bruce su[4524]: [ID 305314 auth.debug] load_modules: /usr/local/lib/security/pam_krb5.so.1
Jun 1 15:25:52 bruce su[4524]: [ID 265225 auth.debug] load_function: successful load of pam_sm_setcred
Jun 1 15:25:52 bruce su[4524]: [ID 584047 auth.debug] (pam_krb5): none: pam_sm_setcred: entry (0x1)
Jun 1 15:25:52 bruce su[4524]: [ID 584047 auth.debug] (pam_krb5): none: no context found, creating one
Jun 1 15:25:52 bruce su[4524]: [ID 584047 auth.debug] (pam_krb5): mgarrett: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jun 1 15:25:52 bruce su[4524]: [ID 584047 auth.debug] (pam_krb5): none: pam_sm_setcred: exit (ignore)
Jun 1 15:25:52 bruce su[4524]: [ID 690057 auth.debug] pam_end(): status = Success

Can anybody shed any further light on this problem?

Thanks
Matthew

From hubert.chomette at unilim.fr Tue Jun 2 02:34:49 2009
From: hubert.chomette at unilim.fr (Hubert Chomette)
Date: Tue, 2 Jun 2009 08:34:49 +0200
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To:
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu> <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr> <87my99askc.fsf@windlord.stanford.edu> <87ws8cap9c.fsf@windlord.stanford.edu>
Message-ID:

Ok, thanks all for your help, I'll try this.

PS: I tried the Debian experimental package version of libkrb53, pam_migrate, and got the same issue. When added to common-auth, it just hung the console when someone tried to log in.

On 20 May 09 at 01:01, Marcus Watts wrote:

>> Date: Tue, 19 May 2009 12:03:59 PDT
>> To: kerberos at mit.edu
>> From: Russ Allbery
>> Subject: Re: NIS => Kerberos/LDAP Migration
>>
>> Marcus Watts writes:
>>
>>> I'm not sure I understand why
>>> Authen::Krb5::Admin
>>> http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
>>> is a problem. I've run it with various incarnations of MIT 1.4.3 /
>>> 1.6.3 for a while now. Ok, they weren't stock, but I don't remember doing
>>> anything special to export the necessary kadm5 functions. The only messy
>>> bit is that Authen::Krb5::Admin provides its own header files for the MIT
>>> functions - that sucks, but that having been said, it basically works.
>>> Is there something special about debian's MIT kerberos libraries?
>>
>> That works -- you just can't use it in a PAM module. PAM modules
>> generally need to be C. I suppose you could embed a Perl interpreter in
>> a PAM module, but that terrifies me. You could also write a PAM module
>> that talks to something written in Perl via a local socket or something,
>> but now you're getting into a fair bit of coding.
>
> Perl would certainly have a startup cost, so yes, not ideal.
>
> There are pam modules that exec programs -- pam_exec, and
> pam_unix + unix_chkpwd. Neither of them is quite right for
> this, and exec'ing a program is ugly, but perhaps possible
> (depending on which application(s) need to use this.)
>
> Using c/remctl in pam, then invoking a perl script would be
> relatively trivial - although running perl like that is still
> going to incur the startup cost. Running perl once and not
> on each authentication attempt is going to need some form of ipc,
> be it local sockets or whatever.
>
> To do the local socket thing in perl, this perl module
> is useful:
> Socket::MsgHdr
> http://search.cpan.org/~mjp/Socket-MsgHdr-0.01/MsgHdr.pm
>
> It's quite possible to write servers or clients in perl that
> use local (unix domain) sockets. In some existing code,
> I seem to have used about 350 lines of perl (and the above
> module) to do most of the socket management and argument
> packing/unpacking.
>
> ...
>
> For a completely different solution: if you were willing to modify the
> kdc/kadmin as well as the client, and really weren't at all afraid of
> coding, you could add a "crypt salt" type, and simply import your nis
> password database directly into your kerberos database. I did this
> at one point (with an experimental crypto system based on cast-5); it
> took me approximately 360 extra lines in just 5 files to handle this.
> Of course, the devil is in the details, and this was *not* a stock
> kerberos code base.
>
> Personally, if I was going for the simplest least code approach, I'd use
> the "steal the headers" approach and just call kadm5 from inside the pam
> module. I might set up a special service principal that is acl'd to
> only be able to invoke "ank".
>
> If I was going for "most secure", I'd have a separate daemon that
> validated the password matched the crypt string from nis, then
> created a kerberos principal that matched. perl5 might actually
> be ok for the separate daemon.
>
> -Marcus Watts
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From max at mascanc.net Tue Jun 2 09:28:32 2009
From: max at mascanc.net (max@mascanc.net)
Date: Tue, 02 Jun 2009 15:28:32 +0200
Subject: Kerberos Administration Protocol
Message-ID:

Hi,

I'm looking for an open source Java implementation for the Kerberos administration protocol, for changing password, getprinc, delete_principal and so on. The main goals for kadmin, for the MIT implementation.

Are there any libraries?

If no, I would try to do an ad hoc implementation. Are there documents? The only draft that I can see is

http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-00

Thanks,

Massimiliano

From tlyu at MIT.EDU Tue Jun 2 11:24:59 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 02 Jun 2009 11:24:59 -0400
Subject: krb5-1.7 is released
Message-ID:

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.7. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.7
=================================

You may retrieve the Kerberos 5 Release 1.7 source from the following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.7 release is:

http://web.mit.edu/kerberos/krb5-1.7/

Further information about Kerberos 5 may be found at the following URL:

http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release will contain measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, but will default to "false" in the future. Additional migration aids are planned for future releases.

Major changes in 1.7
====================

The krb5-1.7 release contains a large number of changes, featuring improvements in the following broad areas:

* Compatibility with Microsoft Windows
* Administrator experience
* User experience
* Code quality
* Protocol evolution

Compatibility with Microsoft Windows:

* Follow client principal referrals in the client library when obtaining initial tickets.
* KDC can issue realm referrals for service principals based on domain names.
* Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
* NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
* KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
* Support Microsoft set/change password (RFC 3244) protocol in kadmind.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Administrator experience:

* Install header files for the administration API, allowing third-party software to manipulate the KDC database.
* Incremental propagation support for the KDC database.
* Master key rollover support, making it easier to change master key passwords or encryption types.
* New libdefaults configuration variable "allow_weak_crypto". NOTE: Currently defaults to "true", but may default to "false" in a future release. Setting this variable to "false" will have the effect of removing weak enctypes (currently defined to be all single-DES enctypes) from permitted_enctypes, default_tkt_enctypes, and default_tgs_enctypes.

User experience:

* Provide enhanced GSS-API error message including supplementary details about error conditions.
* In the replay cache, use a hash over the complete ciphertext to avoid false-positive replay indications.

Code quality:

* Replace many uses of "unsafe" string functions. While most of these instances were innocuous, they impeded efficient automatic and manual static code analysis.
* Fix many instances of resource leaks and similar bugs identified by static analysis tools.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code.

Protocol evolution:

* Remove support for version 4 of the Kerberos protocol (krb4).
* Encryption algorithm negotiation (RFC 4537), allowing clients and application services to negotiate stronger encryption than their KDC supports.
* Flexible Authentication Secure Tunneling (FAST), a preauthentication framework that can protect the AS exchange from dictionary attacks on weak user passwords.

_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce

From mdw at umich.edu Tue Jun 2 12:03:08 2009
From: mdw at umich.edu (Marcus Watts)
Date: Tue, 02 Jun 2009 12:03:08 -0400
Subject: Kerberos Administration Protocol
In-Reply-To:
References:
Message-ID:

> Date: Tue, 02 Jun 2009 15:28:32 +0200
> To: kerberos at mit.edu
> From: "max at mascanc.net"
> Subject: Kerberos Administration Protocol
>
> Hi,
>
> I'm looking for an open source Java implementation for the Kerberos
> administration protocol, for changing password, getprinc,
> delete_principal and so on. The main goals for kadmin, for
> the MIT implementation.
>
> Are there any libraries?
>
> If no, I would try to do an adHoc implementation. Are there
> documents? The only draft that I can see is
>
> http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-00
>
> Thanks,
>
>
> Massimiliano

As it happens, I do have something that might be the start at this. It could stand a bit more "polishing" before being released, and at the moment, it's not on our priority list. If this is something of interest to you, we should certainly talk. You won't be at afsbpw 2009, by any chance?

What I have does:

chpass
chrand
createpolicy
create
deletepolicy
deleteprinc
getpolicies
getpolicy
getprinc
getprincs
modifypolicy
modifyprincipal
renameprinc
setkeyprincipal

It's mostly java code, including most of the xdr to implement the above. Some basic stuff is in C / JNI - including gssapi proper. At one point I thought I had located a suitable open source java implementation of sun rpc - I hope it still exists. Implementing rpcsec-gss on top of it may not be simple.

-Marcus Watts

From ahamberger at unitec.ac.nz Tue Jun 2 17:18:22 2009
From: ahamberger at unitec.ac.nz (Andreas Hamberger)
Date: Wed, 03 Jun 2009 09:18:22 +1200
Subject: --with-edirectory compile error
In-Reply-To:
References: <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz> <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz> (Andreas Hamberger's message of "Fri, 29 May 2009 11:43:27 +1200")
Message-ID: <4A263FDE020000540001E3D3@gwia1.unitec.ac.nz>

Hi Tom

I am getting the same error on 1.6.3 and even 1.5.4

Regards

Andreas Hamberger
Mobile: +64 21 2840435
Unitec Design Team

>>> Tom Yu 30/05/2009 1:57 a.m. >>>
"Andreas Hamberger" writes:

> Hello There
>
> I am trying to compile 1.6.3 with edirectory support as Novell has told
> us that this is now all in MIT kerberos and supported there. I get the
> following compile error, which I also get using the latest trunk. Any
> help is appreciated.
>
>
> kdb5_ldap_services.c: In function ‘rem_service_entry_from_file’:
> kdb5_ldap_services.c:1143: warning: ignoring return value of ‘link’,
> declared with attribute warn_unused_result
> kdb5_ldap_services.c: In function ‘generate_random_password’:
> kdb5_ldap_services.c:1500: warning: comparison between signed and
> unsigned
> kdb5_ldap_services.c: In function ‘kdb5_ldap_set_service_password’:
> kdb5_ldap_services.c:1728: error: ‘struct data’ has no member named
> ‘data’
> kdb5_ldap_services.c:1853: warning: ignoring return value of ‘link’,
> declared with attribute warn_unused_result
> make[2]: *** [kdb5_ldap_services.o] Error 1
> make[2]: Leaving directory
> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap/ldap_util'
> make[1]: *** [all-recurse] Error 1
> make[1]: Leaving directory
> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap'
> make: *** [all-recurse] Error 1

The above looks like it comes from compiling on the trunk. That particular compilation error does not occur on the krb5-1.6 branch. What error were you getting when compiling 1.6.3?

From tlyu at MIT.EDU Tue Jun 2 17:26:31 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 02 Jun 2009 17:26:31 -0400
Subject: --with-edirectory compile error
In-Reply-To: <4A263FDE020000540001E3D3@gwia1.unitec.ac.nz> (Andreas Hamberger's message of "Wed, 03 Jun 2009 09:18:22 +1200")
References: <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz> <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz> <4A263FDE020000540001E3D3@gwia1.unitec.ac.nz>
Message-ID:

"Andreas Hamberger" writes:

> Hi Tom
>
> I am getting the same error on 1.6.3 and even 1.5.4

There was an invalid member reference on the trunk, fixed in r22395. It was not present in the 1.6.x and 1.5.x releases. For those earlier releases, a link error might occur instead. I can't reproduce the "invalid member" error on 1.6.x sources. What OS are you compiling for, and are you compiling unmodified MIT sources?

>
> Regards
>
> Andreas Hamberger
> Mobile: +64 21 2840435
> Unitec Design Team
>
>>>> Tom Yu 30/05/2009 1:57 a.m. >>>
> "Andreas Hamberger" writes:
>
>> Hello There
>>
>> I am trying to compile 1.6.3 with edirectory support as Novell has told
>> us that this is now all in MIT kerberos and supported there. I get the
>> following compile error, which I also get using the latest trunk. Any
>> help is appreciated.
>>
>>
>> kdb5_ldap_services.c: In function ‘rem_service_entry_from_file’:
>> kdb5_ldap_services.c:1143: warning: ignoring return value of ‘link’,
>> declared with attribute warn_unused_result
>> kdb5_ldap_services.c: In function ‘generate_random_password’:
>> kdb5_ldap_services.c:1500: warning: comparison between signed and
>> unsigned
>> kdb5_ldap_services.c: In function ‘kdb5_ldap_set_service_password’:
>> kdb5_ldap_services.c:1728: error: ‘struct data’ has no member named
>> ‘data’
>> kdb5_ldap_services.c:1853: warning: ignoring return value of ‘link’,
>> declared with attribute warn_unused_result
>> make[2]: *** [kdb5_ldap_services.o] Error 1
>> make[2]: Leaving directory
>> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap/ldap_util'
>> make[1]: *** [all-recurse] Error 1
>> make[1]: Leaving directory
>> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap'
>> make: *** [all-recurse] Error 1
>
> The above looks like it comes from compiling on the trunk. That
> particular compilation error does not occur on the krb5-1.6 branch.
> What error were you getting when compiling 1.6.3?

From Guillaume.Rousse at inria.fr Wed Jun 3 11:05:07 2009
From: Guillaume.Rousse at inria.fr (Guillaume Rousse)
Date: Wed, 03 Jun 2009 17:05:07 +0200
Subject: krb5_aname_to_localname() issue
Message-ID: <4A269123.7030204@inria.fr>

Hello list.

We use apache-mod_auth_kerb 5.4, with the KrbLocalUserMapping directive, allowing to map the foo at REALM user string to foo, through the krb5_aname_to_localname() function. However, while it works perfectly with principals from the local domains, it doesn't with principals from other domains, for which a trust relationship is established:

krb5_aname_to_localname() found no mapping for principal garet at LILLE.FUTURS.INRIA.FR

According to the krb5_aname_to_localname man page, this is quite normal:

This function takes a principal name, verifies that it is in the local realm (using krb5_get_default_realms())

The man page for krb5_get_default_realms() seems to imply there could be several default realms, but I didn't find any way to configure it in krb5.conf (default_realm only takes one).

So, how can I also map principals from other trusted realms?

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62

From chriscorbell at gmail.com Tue Jun 2 19:12:17 2009
From: chriscorbell at gmail.com (Chris)
Date: Tue, 2 Jun 2009 16:12:17 -0700 (PDT)
Subject: second keytab for similar service (but different SPN/IP) breaks the first
Message-ID: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>

This is perhaps a little higher-level problem than Kerberos proper but I wanted to at least see if I was taking the correct approach as far as Kerberos is concerned.

I have a service - it's a kerberized java webservice with a very specific function, and it does GSSAPI validation of client login requests, where the clients have obtained tickets to my service. It's working fine with either Microsoft AD or Apple Open Directory (MIT Kerberos) - basically I create an account for the service, create an SPN in the form servicename/ip-address at REALM, and then generate a keytab for the SPN which gets configured for JAAS on the service host machine.

What I can't seem to do with this approach is to generate keytabs for two service instances in the same realm, e.g. if two different departments each want their own deployment of my service. With the keytab tools included in both Microsoft AD and Apple Open Directory (MIT), just generating an additional keytab for a different SPN (but the same directory service account) breaks the authentication of the first one.

In step-by-step terms:
- my service is called "fooservice", I create an AD or OD account called "fooservice"
- I add an SPN for fooservice using this name plus the IP address and realm, e.g. "fooservice/ip-addr-1 at REALM"
- I generate a keytab for this SPN and add it to fooservice running on ip-addr-1; everything is working, clients can authenticate
- I add another SPN for fooservice because I want to run another fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
- I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1 stops working (can no longer establish its own credentials based on keytab, & therefore can't accept client contexts).

It seems to be actually generating the keytab file - not just adding an additional SPN - that does this. However I can at this point use the new keytab for the fooservice running on ip-addr-2.

So it seems that with both Active Directory's Kerberos and Open Directory's (MIT) Kerberos I cannot have two instances of "fooservice" kerberized on different IP addresses against distinct SPN's associated with the same service account... but there are numerous examples on the web of this being done e.g. with a single "http" account and multiple "http/ip-addr..." SPN's for multiple web servers on your network.

Am I right in thinking what I'm trying should be possible, and if so is there some nuance of generating the keytab that I'm not following that causes the first keytab to stop working?

Many thanks.

- Chris

From max at mascanc.net Wed Jun 3 05:58:07 2009
From: max at mascanc.net (max@mascanc.net)
Date: Wed, 03 Jun 2009 11:58:07 +0200
Subject: Kerberos Administration Protocol
In-Reply-To:
References:
Message-ID:

Hi,

Marcus Watts wrote:
> As it happens, I do have something that might be the start at this.
> It could stand a bit more "polishing" before being released,
> and at the moment, it's not on our priority list. If this is
> something of interest to you, we should certainly talk.

Yes of course. It seems to be interesting. I saw yesterday that Quest software is selling java code for Kerberos Administration. But there is no draft for the protocol?

> You won't be at afsbpw 2009, by any chance?

Yes, Mr. Alberto Mancini is there, I'll not participate. He is part of the project.

From tlyu at MIT.EDU Wed Jun 3 12:01:04 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 03 Jun 2009 12:01:04 -0400
Subject: second keytab for similar service (but different SPN/IP) breaks the first
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com> (chriscorbell@gmail.com's message of "Tue, 2 Jun 2009 16:12:17 -0700 (PDT)")
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID:

Chris writes:

> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
>
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service. It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address at REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.
>
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service. With the
> keytab tools included in both Microsfot AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.
>
> In step-by-step terms:
> - my service is called "fooservice", I create and AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1 at REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
>
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?

The process for generating keytabs has historically taken great pains to generate a completely new random key. Being able to generate a keytab containing the existing key is a security risk, as it allows for the undetected compromise of any further authentication or communications using that key.

It seems that AD and OD are treating the two instances of "fooservice" as the same account, and thus making them have the same key. If there are two computers running different instances of a similar service, shouldn't they have different computer accounts?

From raeburn at MIT.EDU Wed Jun 3 12:06:55 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 3 Jun 2009 12:06:55 -0400
Subject: second keytab for similar service (but different SPN/IP) breaks the first
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID:

On Jun 2, 2009, at 19:12, Chris wrote:
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?

It sounds like it ought to work fine, in general.

Is the first machine also the KDC? Could you perhaps be overwriting its keytab file when you generate the keytab for the second machine?

You mention "a different machine" in one place, but everywhere else you're only talking about different IP addresses. If in fact it's the same machine, you need to merge the keytab files with the ktutil program (read from one, read from the other, write out the combined result), or extract keys for both services at once into one keytab file. (And, BTW, I assume you're aware that the principal names are supposed to use host names and not literal IP addresses?) Or, use environment variables to point the two instances of the service at different keytab files.

If these aren't the problems, try narrowing it down: If a client gets credentials for talking to the service at ip-addr-1 and uses them successfully before the keytab for ip-addr-2 is created, can it use those same credentials after the keytab is created? If not, it's the service on ip-addr-1 that's been broken, because the KDC is not involved with the second authentication attempt to ip-addr-1 at that point. If it can use them, but you can't get new working credentials for the service at ip-addr-1, that's a different problem....

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From ioplex at gmail.com Wed Jun 3 12:23:06 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 3 Jun 2009 12:23:06 -0400
Subject: second keytab for similar service (but different SPN/IP) breaks the first
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID: <78c6bd860906030923t39bc2977y9dcf4eb9519c9826@mail.gmail.com>

On Tue, Jun 2, 2009 at 7:12 PM, Chris wrote:
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account..

You really should create separate service accounts for each instance of the service. In theory you might be able to shoehorn it so that two instances of the service can use the same service account but the convention is to simply create a separate account for each instance of the service.

As for why it's failing, it's not clear from your description. But if you use ktpass.exe for example, I don't think you can generate a keytab file with multiple keys (for each SPN) so whenever you set the password using ktpass that will immediately invalidate any previously generated keytab.

> but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.

But they're for the same service instance. So one service -> one service account.

> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?

In theory I think you might be able to generate a single keytab file that has all of the required SPNs. But you would have to use something like ktutil and set the password separately on Windows using the conventional way and not ktpass and also manually add the SPNs. It's probably not worth it. And you might not even be able to do it. One of the Kerberos gurus might be able to tell you how.

Again, just create separate accounts and be done with it.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From awilliam at mdah.state.ms.us Wed Jun 3 13:01:14 2009
From: awilliam at mdah.state.ms.us (Adam Williams)
Date: Wed, 03 Jun 2009 12:01:14 -0500
Subject: kprop error
Message-ID: <4A26AC5A.10703@mdah.state.ms.us>

I'm using the howto at http://www-theorie.physik.unizh.ch/~dpotter/howto/kerberos, but I'm getting the following error when trying to copy the database to the slave kerberos server:

[root@roark krb5kdc]# kprop -f /var/kerberos/krb5kdc/slave_datatrans archives3.mdah.state.ms.us
kprop: Decrypt integrity check failed while getting initial ticket

I've google searched on the error and other people have the problem, but I wasn't able to find a fix that worked for me. Both the master (roark) and the slave (archives3) are Fedora 10 x86_64, kpropd is running on archives3 and I can telnet and connect to port 754 on archives3. On archives3, /var/kerberos/krb5kdc/kpropd.acl has:

host/roark.mdah.state.ms.us@MDAH.STATE.MS.US
host/archives3.mdah.state.ms.us@MDAH.STATE.MS.US

and I copied /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf, /var/kerberos/krb5kdc/kadm5.acl, and /etc/gssapi_mech.conf from roark to archives3. My /etc/krb5.conf is:

[libdefaults]
 default_realm = MDAH.STATE.MS.US
 dns_lookup_realm = false
 dns_lookup_kdc = false
 clockskew = 120

[realms]
 MDAH.STATE.MS.US = {
  kdc = roark.mdah.state.ms.us:88
  kdc = archives3.mdah.state.ms.us:88
  admin_server = roark.mdah.state.ms.us:749
  default_domain = mdah.state.ms.us
 }

[domain_realm]
 .mdah.state.ms.us = MDAH.STATE.MS.US
 mdah.state.ms.us = MDAH.STATE.MS.US

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
 kinit = {
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
 }

any ideas on why I'm getting that error and how to fix it?

From paul.moore at centrify.com Wed Jun 3 13:28:10 2009
From: paul.moore at centrify.com (Paul Moore)
Date: Wed, 3 Jun 2009 10:28:10 -0700
Subject: second keytab for similar service (but different SPN/IP) breaks the first
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID:

Certainly in AD the two SPNs are 'hosted' by the same 'real' principal. Generating the second keytab will reset the password on that single account and so invalidate the first keytab.

Either use 2 different principals or tell the AD keytab utility to use a specific password that you decide.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Chris
Sent: Tuesday, June 02, 2009 4:12 PM
To: kerberos at mit.edu
Subject: second keytab for similar service (but different SPN/IP) breaks the first

This is perhaps a little higher-level problem than Kerberos proper but I wanted to at least see if I was taking the correct approach as far as Kerberos is concerned.

I have a service - it's a kerberized java webservice with a very specific function, and it does GSSAPI validation of client login requests, where the clients have obtained tickets to my service. It's working fine with either Microsoft AD or Apple Open Directory (MIT Kerberos) - basically I create an account for the service, create an SPN in the form servicename/ip-address at REALM, and then generate a keytab for the SPN which gets configured for JAAS on the service host machine.

What I can't seem to do with this approach is to generate keytabs for two service instances in the same realm, e.g. if two different departments each want their own deployment of my service. With the keytab tools included in both Microsoft AD and Apple Open Directory (MIT), just generating an additional keytab for a different SPN (but the same directory service account) breaks the authentication of the first one.

In step-by-step terms:
- my service is called "fooservice", I create an AD or OD account called "fooservice"
- I add an SPN for fooservice using this name plus the IP address and realm, e.g. "fooservice/ip-addr-1 at REALM"
- I generate a keytab for this SPN and add it to fooservice running on ip-addr-1; everything is working, clients can authenticate
- I add another SPN for fooservice because I want to run another fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
- I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1 stops working (can no longer establish its own credentials based on keytab, & therefore can't accept client contexts).

It seems to be actually generating the keytab file - not just adding an additional SPN - that does this. However I can at this point use the new keytab for the fooservice running on ip-addr-2.

So it seems that with both Active Directory's Kerberos and Open Directory's (MIT) Kerberos I cannot have two instances of "fooservice" kerberized on different IP addresses against distinct SPN's associated with the same service account... but there are numerous examples on the web of this being done e.g. with a single "http" account and multiple "http/ip-addr..." SPN's for multiple web servers on your network.

Am I right in thinking what I'm trying should be possible, and if so is there some nuance of generating the keytab that I'm not following that causes the first keytab to stop working?

Many thanks.
- Chris
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From shopik at inblock.ru Wed Jun 3 13:39:27 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Wed, 03 Jun 2009 21:39:27 +0400
Subject: Logging on with cached key
Message-ID:

Hello.

I'm configuring Linux machines using W2003 as KDC, everything works fine for Debian SSH, and Ubuntu for X server with MIT kerberos.

But I would like to give user ability to logon into workstation if his key not yet expired and KDC not available for moment, is that possible?

From shopik at inblock.ru Wed Jun 3 12:56:32 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Wed, 03 Jun 2009 20:56:32 +0400
Subject: Logging on with cached key
Message-ID: <4A26AB40.5060507@inblock.ru>

Hello.

I'm configuring Linux machines using W2003 as KDC, everything works fine for Debian SSH, and Ubuntu for X server.

But I would like to give user ability to logon into workstation if his key not yet expired and KDC not available for moment, is that possible?

From deengert at anl.gov Wed Jun 3 13:58:41 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 03 Jun 2009 12:58:41 -0500
Subject: second keytab for similar service (but different SPN/IP) breaks the first
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID: <4A26B9D1.2070202@anl.gov>

Chris wrote:
> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
>
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service. It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address at REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.

ip-address? or hostname? Kerberos normally uses hostnames.

>
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service. With the
> keytab tools included in both Microsoft AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.

Use two different directory service accounts, one for each instance.
Follow some pattern for the account name like foo-host.

There is only one password on the account and it is used to generate
the key for all SPNs on the account.

>
> In step-by-step terms:
> - my service is called "fooservice", I create an AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1 at REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
>
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?
>
> Many thanks.
> - Chris
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ravi.channavajhala at dciera.com Thu Jun 4 03:10:27 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Thu, 4 Jun 2009 12:40:27 +0530
Subject: Logging on with cached key
In-Reply-To: <4A276C35.5080900@inblock.ru>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru>
Message-ID: <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com>

On Thu, Jun 4, 2009 at 12:09 PM, Nikolay Shopik wrote:
> On 04.06.2009 0:47, Ravi Channavajhala wrote:
>>
>> On Wed, Jun 3, 2009 at 11:09 PM, Nikolay Shopik wrote:
>>>
>>> Hello.
>>>
>>> I'm configuring Linux machines using W2003 as KDC, everything works fine
>>> for Debian SSH, and Ubuntu for X server with MIT kerberos.
>>>
>>> But I would like to give user ability to logon into workstation if his
>>> key not yet expired and KDC not available for moment, is that possible?
>>
>> This is the reason why you have to maintain a backup KDC. If you have
>> a single point of failure and that's that. How valid a valid key is
>> really valid if KDC is not there to validate :-)
>>
>> Even if KDC is running and you have a valid key, kerberos session
>> tickets are not persistent across the logins.
>
> That's a good point, I thought about that just after I posted this message! So
> another question can I use MIT kerberos as backup with W2003 KDC? Also how
> to deal with offline clients like notebooks, when they don't have connection
> at all?
>

Wouldn't it be nice if you can really make another server (Linux or Unix) as a backup KDC? But in reality, this may or may not work (I haven't tried this personally) but Microsoft Kerberos implementation is different from stock MIT. Kerberos in Windows 2000 inserts the SIDS in the TGT necessarily, although an optional field and the encrypted TGT is stored in a user credential cache. There are certainly interoperability issues you may run into. The point to remember is Windows Kerberos implementation varies from MIT, for that matter even on Solaris.
From shopik at inblock.ru Thu Jun 4 02:39:49 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Thu, 04 Jun 2009 10:39:49 +0400
Subject: Logging on with cached key
In-Reply-To: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com>
Message-ID: <4A276C35.5080900@inblock.ru>

On 04.06.2009 0:47, Ravi Channavajhala wrote:
> On Wed, Jun 3, 2009 at 11:09 PM, Nikolay Shopik wrote:
>> Hello.
>>
>> I'm configuring Linux machines using W2003 as KDC, everything works fine
>> for Debian SSH, and Ubuntu for X server with MIT kerberos.
>>
>> But I would like to give user ability to logon into workstation if his
>> key not yet expired and KDC not available for moment, is that possible?
>
> This is the reason why you have to maintain a backup KDC. If you have
> a single point of failure and that's that. How valid a valid key is
> really valid if KDC is not there to validate :-)
>
> Even if KDC is running and you have a valid key, kerberos session
> tickets are not persistent across the logins.

That's a good point, I thought about that just after I posted this message! So another question can I use MIT kerberos as backup with W2003 KDC? Also how to deal with offline clients like notebooks, when they don't have connection at all?

From shopik at inblock.ru Thu Jun 4 03:15:13 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Thu, 04 Jun 2009 11:15:13 +0400
Subject: Logging on with cached key
In-Reply-To: <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com>
Message-ID: <4A277481.60506@inblock.ru>

On 04.06.2009 11:10, Ravi Channavajhala wrote:
> Wouldn't it be nice if you can really make another server (Linux or
> Unix) as a backup KDC? But in reality, this may or may not work (I
> haven't tried this personally) but Microsoft Kerberos implementation
> is different from stock MIT. Kerberos in Windows 2000 inserts the
> SIDS in the TGT necessarily, although an optional field and the
> encrypted TGT is stored in a user credential cache. There are
> certainly interoperability issues you may run into. The point to
> remember is Windows Kerberos implementation varies from MIT, for that
> matter even on Solaris.

Now I understand that, probably I should go with cross-realm trust, by making another KDC and configuring trust with the current W2003 KDC. This is a much easier way than figuring out how to make different kerberos implementations work altogether.

Any thoughts on how offline clients should be handled? What are the best practices for that?

From misa416 at gmail.com Thu Jun 4 09:10:55 2009
From: misa416 at gmail.com (misa416@gmail.com)
Date: Thu, 4 Jun 2009 06:10:55 -0700 (PDT)
Subject: second keytab for similar service (but different SPN/IP) breaks the first
References: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Message-ID: <401128fc-934d-4cdd-b3e5-00c1ea0c6a87@b1g2000vbc.googlegroups.com>

On Jun 3, 1:58 pm, "Douglas E. Engert" wrote:
> Chris wrote:
> > This is perhaps a little higher-level problem than Kerberos proper but
> > I wanted to at least see if I was taking the correct approach as far
> > as Kerberos is concerned.
>
> > I have a service - it's a kerberized java webservice with a very
> > specific function, and it does GSSAPI validation of client login
> > requests, where the clients have obtained tickets to my service. It's
> > working fine with either Microsoft AD or Apple Open Directory (MIT
> > Kerberos) - basically I create an account for the service, create an
> > SPN in the form servicename/ip-address at REALM, and then generate a
> > keytab for the SPN which gets configured for JAAS on the service host
> > machine.
>
> ip-address? or hostname? Kerberos normally uses hostnames.
>
> > What I can't seem to do with this approach is to generate keytabs for
> > two service instances in the same realm, e.g. if two different
> > departments each want their own deployment of my service. With the
> > keytab tools included in both Microsoft AD and Apple Open Directory
> > (MIT), just generating an additional keytab for a different SPN (but
> > the same directory service account) breaks the authentication of the
> > first one.
>
> Use two different directory service accounts, one for each instance.
> Follow some pattern for the account name like foo-host.
>
> There is only one password on the account and it is used to generate
> the key for all SPNs on the account.
>
> > In step-by-step terms:
> > - my service is called "fooservice", I create an AD or OD account
> > called "fooservice"
> > - I add an SPN for fooservice using this name plus the IP address and
> > realm, e.g. "fooservice/ip-addr-1 at REALM"
> > - I generate a keytab for this SPN and add it to fooservice running on
> > ip-addr-1; everything is working, clients can authenticate
> > - I add another SPN for fooservice because I want to run another
> > fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> > - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> > stops working (can no longer establish its own credentials based on
> > keytab, & therefore can't accept client contexts). It seems to be
> > actually generating the keytab file - not just adding an additional
> > SPN - that does this. However I can at this point use the new keytab
> > for the fooservice running on ip-addr-2.
>
> > So it seems that with both Active Directory's Kerberos and Open
> > Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> > kerberized on different IP addresses against distinct SPN's associated
> > with the same service account... but there are numerous examples on
> > the web of this being done e.g. with a single "http" account and
> > multiple "http/ip-addr..." SPN's for multiple web servers on your
> > network.
>
> > Am I right in thinking what I'm trying should be possible, and if so
> > is there some nuance of generating the keytab that I'm not following
> > that causes the first keytab to stop working?
>
> > Many thanks.
> > - Chris
> > ________________________________________________
> > Kerberos mailing list Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

Chris you can associate multiple SPNs with a single service account. Try merging your keytabs:

ktpass -princ fooservice/ip-addr-1@REALM -pass p@ssw0rd -mapuser fooservice -out krb1.keytab
ktpass -princ fooservice/ip-addr-2@REALM -pass p@ssw0rd -mapuser fooservice -in krb1.keytab -out krb2.keytab

Hope this helps.
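The mechanism behind this thread (one account, one password, one key version shared by every SPN on the account, so a password reset made while generating the second keytab leaves the first keytab one kvno behind) and behind Adam Williams' kprop error above (kprop authenticates with the host/ key from the master's keytab; "Decrypt integrity check failed" on the initial ticket is what you get when that key no longer matches the KDC's) both come down to comparing the kvno in a keytab with the kvno the KDC currently holds. The following is an added example, not code from the thread or from MIT krb5 or Microsoft: it implements the MIT keytab file format 0x0502 so you can list the principals and kvnos a keytab holds and flag the ones the KDC has moved past. The sample entries, key bytes and the in-memory "KDC" kvno table are constructed for the demonstration; on a real system the comparison values come from `klist -k` (keytab side) and `kvno <principal>` (KDC side), or msDS-KeyVersionNumber on an AD account.

```python
"""Parse MIT keytab files and flag entries whose kvno no longer matches the KDC.

Added example, not code from the thread. Implements the MIT krb5 keytab
file format 0x0502 (big-endian; trailing 32-bit kvno). Sample entries,
key bytes and the 'KDC' kvno table below are constructed for the demo."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

AES128_CTS_HMAC_SHA1_96 = 17   # enctype number (RFC 3962)


@dataclass
class KeytabEntry:
    principal: str          # "fooservice/ip-addr-1@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = 1      # KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as ktutil/ktpass would write them."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # signed: negative = deleted slot
    return bytes(out)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                    # hole left by a removed entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        key = blob[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno; 0 means "use vno8"
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp, name_type))
    return entries


def stale_entries(keytab: bytes, kdc_kvno: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """(principal, keytab kvno, KDC kvno) for entries the KDC has moved past.
    kdc_kvno stands in for `kvno <principal>` output (MIT) or the account's
    msDS-KeyVersionNumber (AD). A mismatch means tickets the KDC issues now
    cannot be decrypted with this keytab: the "first keytab stops working"
    symptom, and a common cause of kprop's "Decrypt integrity check failed"."""
    return [(e.principal, e.kvno, kdc_kvno[e.principal])
            for e in parse_keytab(keytab)
            if e.principal in kdc_kvno and e.kvno != kdc_kvno[e.principal]]


def demo_second_keytab_breaks_first() -> List[Tuple[str, int, int]]:
    """Thread scenario, constructed: keytab for SPN 1 written at account kvno 2;
    generating the keytab for SPN 2 resets the shared account password, so the
    KDC is now at kvno 3 for every SPN on that account."""
    first = build_keytab([KeytabEntry("fooservice/ip-addr-1@REALM", 2,
                                      AES128_CTS_HMAC_SHA1_96, bytes(16))])
    kdc_after_reset = {"fooservice/ip-addr-1@REALM": 3,
                       "fooservice/ip-addr-2@REALM": 3}
    return stale_entries(first, kdc_after_reset)


if __name__ == "__main__":
    for principal, have, want in demo_second_keytab_breaks_first():
        print("%s: keytab kvno %d, KDC kvno %d -> regenerate" % (principal, have, want))
```

The parser handles only the plain principal syntax (no backslash-escaped `/` or `@` in components). Where two SPNs belong to one account, both sit at the same kvno, which is why the merged-keytab approach above only works when both entries are generated against the same, final password; the separate-account approach the other replies recommend sidesteps the problem entirely.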
From mikef at berkeley.edu Thu Jun 4 12:56:41 2009
From: mikef at berkeley.edu (Mike Friedman)
Date: Thu, 4 Jun 2009 09:56:41 -0700 (PDT)
Subject: KDC logging question
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the scheme of things Kerberos-related, this is not a large issue. But after many, many years of running a KDC realm, I have to change the directory to which KDC logging takes place on the master KDC.

I'm using 'FILE:', not 'SYSLOG:' logging, for historical reasons. I changed the [logging] specifications in both kdc.conf and krb5.conf on the KDC, but this is not having any effect. Even after shutting down and then restarting both krb5kdc and kadmind, logging continues to go to the original directory. Is there another place where the logging configuration is somehow being cached? Since I haven't had any reason (until now) to change my logging location in about 14 years, it's quite possible I'm forgetting something.

This is krb5-1.4.2, but I've been using the same logging config values since 1995. Now, however, because of partition space issues on the master KDC, I need to log to a different directory.

Any suggestions?

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                 Information Services & Technology
mikef at berkeley.edu           2484 Shattuck Avenue
1-510-642-1410                University of California at Berkeley
http://mikef.berkeley.edu     http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkon/MkACgkQFgKSfLOvZ1To9QCdFLNO5dHGTNWLP8ywZAnsGRWk
iR8An0fZmTuosjGzkgodBDDR9Zd6Bukt
=kBOT
-----END PGP SIGNATURE-----

From Tim.Alsop at CyberSafe.com Thu Jun 4 15:00:49 2009
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Thu, 4 Jun 2009 20:00:49 +0100
Subject: cross domain Integrated Windows Auth (aka SPNEGO)
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDE8D@exchange.cybersafe.local>

Hi,

One of our customers has a problem with Integrated Windows Authentication in IE browser. They have two AD domains which are part of different forests, so external trust is used. The workstation is joined to domain1 and the user logs onto this domain, then opens a browser to access a web server which is on a server joined to domain2. This is not working, but if a workstation on domain2 is used the logon works fine.

From a wireshark trace on the workstation we can see a TGS-REQ being sent to domain1 for the HTTP/@ and of course this principal is not found in domain1 so principal not found is returned - the browser then uses NTLM and attempts to authenticate, but the web server we are using does not support NTLM.

Is there any way we can configure the workstation so that it knows which domain the webserver is in? We found a section in the registry which looks like it might be the correct place to configure this, but it didn't help :(

Thanks in advance for your help,
Tim

From jeremyh at optimation.com.au Thu Jun 4 20:48:09 2009
From: jeremyh at optimation.com.au (Jeremy Hunt)
Date: Fri, 05 Jun 2009 10:48:09 +1000
Subject: KDC logging question
In-Reply-To: <23341223.1244135192119.JavaMail.root@safetgram>
References: <23341223.1244135192119.JavaMail.root@safetgram>
Message-ID: <3497918.1244162875156.JavaMail.root@safetgram>

Hi Mike,

This is not a kerberos answer but a suggestion for a quick fix until you do solve it. Make the log file a link to a file on another partition. This means you will not have to lie awake at nights worrying about disk space on the root partition.

Regards,

Jeremy

Mike Friedman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In the scheme of things Kerberos-related, this is not a large issue. But
> after many, many years of running a KDC realm, I have to change the
> directory to which KDC logging takes place on the master KDC.
>
> I'm using 'FILE:', not 'SYSLOG:' logging, for historical reasons. I
> changed the [logging] specifications in both kdc.conf and krb5.conf on the
> KDC, but this is not having any effect. Even after shutting down and then
> restarting both krb5kdc and kadmind, logging continues to go to the
> original directory. Is there another place where the logging
> configuration is somehow being cached? Since I haven't had any reason
> (until now) to change my logging location in about 14 years, it's quite
> possible I'm forgetting something.
>
> This is krb5-1.4.2, but I've been using the same logging config values
> since 1995. Now, however, because of partition space issues on the master
> KDC, I need to log to a different directory.
>
> Any suggestions?
>
> Thanks.
>
> Mike
>
> _________________________________________________________________________
> Mike Friedman                 Information Services & Technology
> mikef at berkeley.edu           2484 Shattuck Avenue
> 1-510-642-1410                University of California at Berkeley
> http://mikef.berkeley.edu     http://ist.berkeley.edu
> _________________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (FreeBSD)
>
> iEYEARECAAYFAkon/MkACgkQFgKSfLOvZ1To9QCdFLNO5dHGTNWLP8ywZAnsGRWk
> iR8An0fZmTuosjGzkgodBDDR9Zd6Bukt
> =kBOT
> -----END PGP SIGNATURE-----
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 
"I'm a guy who doesn't see anything good having come from the internet. Period," Sony Pictures Entertainment chief executive officer Michael Lynton.

From shopik at inblock.ru Fri Jun 5 01:03:50 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 05 Jun 2009 09:03:50 +0400
Subject: Logging on with cached ticket
In-Reply-To: <4A277481.60506@inblock.ru>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru>
Message-ID: <4A28A736.8050500@inblock.ru>

On 04.06.2009 11:15, Nikolay Shopik wrote:
> On 04.06.2009 11:10, Ravi Channavajhala wrote:
>> Wouldn't it be nice if you can really make another server (Linux or
>> Unix) as a backup KDC? But in reality, this may or may not work (I
>> haven't tried this personally) but Microsoft Kerberos implementation
>> is different from stock MIT. Kerberos in Windows 2000 inserts the
>> SIDS in the TGT necessarily, although an optional field and the
>> encrypted TGT is stored in a user credential cache. There are
>> certainly interoperability issues you may run into. The point to
>> remember is Windows Kerberos implementation varies from MIT, for that
>> matter even on Solaris.
>
> Now I understand that, probably I should go with cross-realm trust, by
> making another KDC and configuring trust with the current W2003 KDC. This is
> a much easier way than figuring out how to make different kerberos
> implementations work altogether.
>
> Any thoughts on how offline clients should be handled? What are the best
> practices for that?

The only thing I found is pam_krb5, which has an existing_ticket option (tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials provided by the calling application in the default credential cache as sufficient to authenticate the user, and to skip any account management checks). While this is available only in Red Hat from what I see, but not in Debian/Ubuntu.

I wonder how the Windows implementation is done, when it allows login even when the KDC is not available. I doubt it uses the existing ticket, because it expires in just 24 hours and you can still login.

From ssorce at redhat.com Fri Jun 5 09:15:33 2009 
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 09:15:33 -0400
Subject: Logging on with cached ticket
In-Reply-To: <4A28A736.8050500@inblock.ru>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru>
Message-ID: <1244207733.3623.108.camel@localhost.localdomain>

On Fri, 2009-06-05 at 09:03 +0400, Nikolay Shopik wrote:
> On 04.06.2009 11:15, Nikolay Shopik wrote:
> > On 04.06.2009 11:10, Ravi Channavajhala wrote:
> >> Wouldn't it be nice if you can really make another server (Linux or
> >> Unix) as a backup KDC? But in reality, this may or may not work (I
> >> haven't tried this personally) but Microsoft Kerberos implementation
> >> is different from stock MIT. Kerberos in Windows 2000 inserts the
> >> SIDS in the TGT necessarily, although an optional field and the
> >> encrypted TGT is stored in a user credential cache. There are
> >> certainly interoperability issues you may run into. The point to
> >> remember is Windows Kerberos implementation varies from MIT, for that
> >> matter even on Solaris.
> >
> > Now I understand that, probably I should go with cross-realm trust, by
> > making another KDC and configuring trust with the current W2003 KDC. This is
> > a much easier way than figuring out how to make different kerberos
> > implementations work altogether.
> >
> > Any thoughts on how offline clients should be handled? What are the best
> > practices for that?
>
> The only thing I found is pam_krb5, which has an existing_ticket option (tells
> pam_krb5.so to accept the presence of pre-existing Kerberos credentials
> provided by the calling application in the default credential cache as
> sufficient to authenticate the user, and to skip any account management
> checks). While this is available only in Red Hat from what I see, but not in
> Debian/Ubuntu.
>
> I wonder how the Windows implementation is done, when it allows login even
> when the KDC is not available. I doubt it uses the existing ticket, because it
> expires in just 24 hours and you can still login.

Windows caches the NT hash of your password.
That's how you get access w/o the KDC. Nothing to do with kerberos credentials at all.

Also IIRC: in most cases you will not notice because, if krb credentials are not available, but NTLM auth is not forbidden, your client will connect to servers using NTLM auth. Then, the first time you have to unlock your screen or enter a password for other legitimate purposes and the KDC is available, a new TGT is requested.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From shopik at inblock.ru Fri Jun 5 09:22:09 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 05 Jun 2009 17:22:09 +0400
Subject: Logging on with cached ticket
In-Reply-To: <1244207733.3623.108.camel@localhost.localdomain>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <1244207733.3623.108.camel@localhost.localdomain>
Message-ID: <4A291C01.1060003@inblock.ru>

On 05.06.2009 17:15, Simo Sorce wrote:
> Windows caches the NT hash of your password.
> That's how you get access w/o the KDC. Nothing to do with kerberos
> credentials at all.

That's what I thought for a moment. Can such a thing (caching an MD5/whatever hash locally for some period) be accomplished on Linux?

By default, locking the screen doesn't produce a request for a new TGT, I mean if the workstation is locked. But it can be changed via group policy.

From ssorce at redhat.com Fri Jun 5 09:30:48 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 09:30:48 -0400
Subject: Logging on with cached ticket
In-Reply-To: <4A291C01.1060003@inblock.ru>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <1244207733.3623.108.camel@localhost.localdomain> <4A291C01.1060003@inblock.ru>
Message-ID: <1244208648.3623.112.camel@localhost.localdomain>

On Fri, 2009-06-05 at 17:22 +0400, Nikolay Shopik wrote:
> On 05.06.2009 17:15, Simo Sorce wrote:
> > Windows caches the NT hash of your password.
> > That's how you get access w/o the KDC. Nothing to do with kerberos
> > credentials at all.
>
> That's what I thought for a moment. Can such a thing (caching an MD5/whatever
> hash locally for some period) be accomplished on Linux?
>
> By default, locking the screen doesn't produce a request for a new TGT, I
> mean if the workstation is locked. But it can be changed via group policy.

There are a few projects that do password caching on Linux depending on what your environment is. The classic one I think is pam_ccache, but if your KDC is a Windows AD server you can use winbindd which supports offline logins (and caches user information too so it works also when LDAP is not available), then there is also a project called SSSD I am working on that aims at doing the same but for arbitrary authentication and identity sources, although it is still very young, and needs some maturing.

I think we may be going a bit too OT for this list.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From shopik at inblock.ru Fri Jun 5 09:44:59 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 05 Jun 2009 17:44:59 +0400
Subject: Logging on with cached ticket
In-Reply-To: <1244208648.3623.112.camel@localhost.localdomain>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <1244207733.3623.108.camel@localhost.localdomain> <4A291C01.1060003@inblock.ru> <1244208648.3623.112.camel@localhost.localdomain>
Message-ID: <4A29215B.7000300@inblock.ru>

On 05.06.2009 17:30, Simo Sorce wrote:
> On Fri, 2009-06-05 at 17:22 +0400, Nikolay Shopik wrote:
>> On 05.06.2009 17:15, Simo Sorce wrote:
>>> Windows caches the NT hash of your password.
>>> That's how you get access w/o the KDC. Nothing to do with Kerberos
>>> credentials at all.
>>
>> That's what I thought for a moment. Can such a thing (caching an MD5/whatever
>> hash locally for some period) be accomplished on Linux?
>>
>> By default, locking the screen doesn't produce a request for a new TGT, I
>> mean if the workstation is locked. But that can be changed via group policy.
>
> There are a few projects that do password caching on Linux, depending on
> what your environment is. The classic one, I think, is pam_ccache, but if
> your KDC is a Windows AD server you can use winbindd, which supports
> offline logins (and caches user information too, so it also works when
> LDAP is not available); then there is also a
> project called SSSD I am working on that aims
> at doing the same but for arbitrary authentication and identity sources,
> although it is still very young and needs some maturing.
>
> I think we may be going a bit too OT for this list.
> Simo.
>

To make the archive complete, you should look for pam_ccreds, which is packaged as libpam-ccreds; it does the thing. Thanks Simo for the tip.

From rra at stanford.edu Fri Jun 5 10:36:34 2009
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 05 Jun 2009 07:36:34 -0700
Subject: Logging on with cached ticket
In-Reply-To: <4A28A736.8050500@inblock.ru> (Nikolay Shopik's message of "Fri, 05 Jun 2009 09:03:50 +0400")
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru>
Message-ID: <87skie21e5.fsf@windlord.stanford.edu>

Nikolay Shopik writes:

> The only thing I found is pam_krb5, which has an existing_ticket
> option. (tells pam_krb5.so to accept the presence of pre-existing
> Kerberos credentials provided by the calling application in the
> default credential cache as sufficient to authenticate the user, and
> to skip any account management checks). While this is available only in
> Red Hat from what I see, but not in Debian/Ubuntu.

I could add it easily enough. I just never understood the use case. Could you explain more about how you end up in this situation? Where is the ticket coming from that's being used for authentication?

-- 
Russ Allbery (rra at stanford.edu)

From shopik at inblock.ru Fri Jun 5 10:56:45 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 05 Jun 2009 18:56:45 +0400
Subject: Logging on with cached ticket
In-Reply-To: <87skie21e5.fsf@windlord.stanford.edu>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <87skie21e5.fsf@windlord.stanford.edu>
Message-ID: <4A29322D.6030707@inblock.ru>

On 05.06.2009 18:36, Russ Allbery wrote:
> Nikolay Shopik writes:
>
>> The only thing I found is pam_krb5, which has an existing_ticket
>> option. (tells pam_krb5.so to accept the presence of pre-existing
>> Kerberos credentials provided by the calling application in the
>> default credential cache as sufficient to authenticate the user, and
>> to skip any account management checks). While this is available only in
>> Red Hat from what I see, but not in Debian/Ubuntu.
>
> I could add it easily enough. I just never understood the use case.
> Could you explain more about how you end up in this situation? Where is
> the ticket coming from that's being used for authentication?
>

The "existing_ticket" option is not available in the Debian libpam-krb5 package. I'm sorry, which situation exactly?

Well, the ticket is coming from the KDC when it was available and can be used until it expires, from my understanding.

From rra at stanford.edu Fri Jun 5 11:29:59 2009
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 05 Jun 2009 08:29:59 -0700
Subject: Logging on with cached ticket
In-Reply-To: <4A29322D.6030707@inblock.ru> (Nikolay Shopik's message of "Fri, 05 Jun 2009 18:56:45 +0400")
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <87skie21e5.fsf@windlord.stanford.edu> <4A29322D.6030707@inblock.ru>
Message-ID: <87oct266mg.fsf@windlord.stanford.edu>

Nikolay Shopik writes:
> On 05.06.2009 18:36, Russ Allbery wrote:
>> Nikolay Shopik writes:
>>> The only thing I found is pam_krb5, which has an existing_ticket
>>> option. (tells pam_krb5.so to accept the presence of pre-existing
>>> Kerberos credentials provided by the calling application in the
>>> default credential cache as sufficient to authenticate the user, and
>>> to skip any account management checks). While this is available only in
>>> Red Hat from what I see, but not in Debian/Ubuntu.
>> I could add it easily enough. I just never understood the use case.
>> Could you explain more about how you end up in this situation? Where
>> is the ticket coming from that's being used for authentication?
> The "existing_ticket" option is not available in the Debian libpam-krb5
> package. I'm sorry, which situation exactly?

Why would you ever want that option? What's the point of it?

> Well, the ticket is coming from the KDC when it was available and can be used
> until it expires, from my understanding.

Sure, but how come you're running through a PAM stack that cares about your existing ticket when you still have a ticket available? There's probably some obvious case where this happens; I just don't know what it is.

-- 
Russ Allbery (rra at stanford.edu)

From shopik at inblock.ru Fri Jun 5 11:34:28 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Fri, 05 Jun 2009 19:34:28 +0400
Subject: Logging on with cached ticket
In-Reply-To: <87oct266mg.fsf@windlord.stanford.edu>
References: <73739dc10906031347v6c97d34an4b2a20ab67f1ee2c@mail.gmail.com> <4A276C35.5080900@inblock.ru> <73739dc10906040010ld8a1d69l1d3c99a6c86eaaaf@mail.gmail.com> <4A277481.60506@inblock.ru> <4A28A736.8050500@inblock.ru> <87skie21e5.fsf@windlord.stanford.edu> <4A29322D.6030707@inblock.ru> <87oct266mg.fsf@windlord.stanford.edu>
Message-ID: <4A293B04.8070908@inblock.ru>

On 05.06.2009 19:29, Russ Allbery wrote:
> Nikolay Shopik writes:
>> On 05.06.2009 18:36, Russ Allbery wrote:
>>> Nikolay Shopik writes:
>
>>>> The only thing I found is pam_krb5, which has an existing_ticket
>>>> option. (tells pam_krb5.so to accept the presence of pre-existing
>>>> Kerberos credentials provided by the calling application in the
>>>> default credential cache as sufficient to authenticate the user, and
>>>> to skip any account management checks). While this is available only in
>>>> Red Hat from what I see, but not in Debian/Ubuntu.
>
>>> I could add it easily enough. I just never understood the use case.
>>> Could you explain more about how you end up in this situation? Where
>>> is the ticket coming from that's being used for authentication?
>
>> The "existing_ticket" option is not available in the Debian libpam-krb5
>> package. I'm sorry, which situation exactly?
>
> Why would you ever want that option? What's the point of it?

No point for me now. I was searching for a way to use cached tickets.

>> Well, the ticket is coming from the KDC when it was available and can be used
>> until it expires, from my understanding.
>
> Sure, but how come you're running through a PAM stack that cares about
> your existing ticket when you still have a ticket available? There's
> probably some obvious case where this happens; I just don't know what it
> is.
pam_ccreds does the thing for me: it caches KDC credentials so the user can log on to the machine even when the KDC is not available.

From bjorn.sund at it.uib.no Sat Jun 6 06:53:57 2009
From: bjorn.sund at it.uib.no (Bjørn Tore Sund)
Date: Sat, 06 Jun 2009 12:53:57 +0200
Subject: krb5_aname_to_localname() issue
In-Reply-To: <4A269123.7030204@inria.fr>
References: <4A269123.7030204@inria.fr>
Message-ID: <4A2A4AC5.9010504@it.uib.no>

Guillaume Rousse wrote:
> Hello list.
>
> We use apache-mod_auth_kerb 5.4, with the
> KrbLocalUserMapping directive, allowing us to map the foo@REALM user string to
> foo, through the krb5_aname_to_localname() function.
>
> However, while it works perfectly with principals from the local domains,
> it doesn't with principals from other domains, for which a trust
> relationship is established:
> krb5_aname_to_localname() found no mapping for principal
> garet@LILLE.FUTURS.INRIA.FR
>
> According to the krb5_aname_to_localname man page, this is quite normal:
> This function takes a principal name, verifies that it is in the local
> realm (using krb5_get_default_realms())
>
> The man page for krb5_get_default_realms() seems to imply there could be
> several default realms, but I didn't find any way to configure it in
> krb5.conf (default_realm only takes one).
>
> So, how can I also map principals from other trusted realms?

Here is the setting I use in /etc/krb5.conf on machines in the UNIX.UIB.NO realm to ensure that mapping works from all *.UIB.NO realms (including UIB.NO):

[realms]
        UNIX.UIB.NO = {
                auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
        }

Rather cryptic, I know, but it is well documented and using Google it should be fairly easy to find other examples of how to use it.

-BT
-- 
Bjørn Tore Sund   Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department     VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen   When in fear and when in doubt, run in circles, scream and shout.

From miguel.sanders at arcelormittal.com Sat Jun 6 08:41:46 2009
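The offline fallback that the "Logging on with cached ticket" thread above settles on (pam_krb5 while a KDC is reachable, pam_ccreds against a locally cached password hash when it is not), written out as a Linux-PAM auth stack. This is an added example, not a configuration posted by anyone in the thread. It follows the stacking pattern in the pam_ccreds documentation with pam_ldap replaced by pam_krb5, and it assumes that the pam_krb5 build in use reports PAM_AUTHINFO_UNAVAIL, rather than a plain authentication failure, when no KDC answers; check the module you have installed before relying on that.

```text
# /etc/pam.d/common-auth fragment (added example, not from the thread).
# Assumption: pam_krb5 returns PAM_AUTHINFO_UNAVAIL when no KDC can be reached.
#
#   success=1               KDC accepted the password -> skip "validate", go to "store"
#   authinfo_unavail=ignore no KDC answered           -> check the password against the cache
#   default=2               KDC rejected the password -> skip to "update", then fail
auth  [success=1 authinfo_unavail=ignore default=2]  pam_krb5.so
auth  [default=done]                                 pam_ccreds.so action=validate use_first_pass
auth  [default=done]                                 pam_ccreds.so action=store
auth  [default=bad]                                  pam_ccreds.so action=update
```

An offline success only proves that the typed password matches the hash pam_ccreds stored at the last online login; no TGT exists until a KDC is reachable again, which is the same situation Simo describes for Windows and its cached NT hash. The cache database therefore deserves the protection a local password store gets (root-only permissions, and an "update" step after a definite KDC rejection so a password the KDC no longer accepts does not stay usable offline; see the pam_ccreds man page for the exact reconciliation rule).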
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Sat, 6 Jun 2009 14:41:46 +0200
Subject: krb5_aname_to_localname() issue
In-Reply-To: <4A2A4AC5.9010504@it.uib.no>
References: <4A269123.7030204@inria.fr> <4A2A4AC5.9010504@it.uib.no>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206C11274@GEN-MXB-V04.msad.arcelor.net>

Very cryptic indeed, especially when you want to play around with all instance components. It was more like trial and error for me tbh.

Kind regards / Best regards

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Bjørn Tore Sund
Sent: Saturday 6 June 2009 12:54
To: Guillaume Rousse
CC: kerberos at mit.edu
Subject: Re: krb5_aname_to_localname() issue

Guillaume Rousse wrote:
> Hello list.
>
> We use apache-mod_auth_kerb 5.4, with the
> KrbLocalUserMapping directive, allowing us to map the foo@REALM user string
> to foo, through the krb5_aname_to_localname() function.
>
> However, while it works perfectly with principals from the local
> domains, it doesn't with principals from other domains, for which a
> trust relationship is established:
> krb5_aname_to_localname() found no mapping for principal
> garet@LILLE.FUTURS.INRIA.FR
>
> According to the krb5_aname_to_localname man page, this is quite normal:
> This function takes a principal name, verifies that it is in the local
> realm (using krb5_get_default_realms())
>
> The man page for krb5_get_default_realms() seems to imply there could
> be several default realms, but I didn't find any way to configure it
> in krb5.conf (default_realm only takes one).
>
> So, how can I also map principals from other trusted realms?
Here is the setting I use in /etc/krb5.conf on machines in the UNIX.UIB.NO realm to ensure that mapping works from all *.UIB.NO realms (including UIB.NO):

[realms]
        UNIX.UIB.NO = {
                auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
        }

Rather cryptic, I know, but it is well documented and using Google it should be fairly easy to find other examples of how to use it.

-BT
-- 
Bjørn Tore Sund   Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department     VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen   When in fear and when in doubt, run in circles, scream and shout.

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

**** This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. ArcelorMittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. ****

From sd at msu.edu Sun Jun 7 07:48:19 2009
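Bjørn's rule works by trial and error, as Miguel says, because krb5.conf gives no way to test a RULE before a user hits it. The evaluator below is an added example, not code from the krb5 project or from anyone in the thread: it implements the documented grammar RULE:[n:string](regexp)s/pattern/replacement/g plus DEFAULT, the libkrb5 behaviour that the regexp must match the entire formatted string, and first-applicable-rule-wins, so a rule can be checked against constructed principals offline. Assumptions and simplifications: Python's re module stands in for the POSIX extended regex libkrb5 uses, the replacement text is inserted literally (no backreferences), and escaped "/" or "@" inside principal components are not handled. The principals (bt@..., bt@EVILUIB.NO) and the tighter rule variant are constructed for the example, not taken from anyone's realm.

```python
"""Offline evaluator for MIT krb5 auth_to_local RULE entries (added example)."""
import re
from typing import List, Optional, Tuple

# [n:string](regexp)s<sep>pattern<sep>replacement<sep>[g]
_RULE_RE = re.compile(
    r"^\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"\((?P<match>.*)\)"
    r"s(?P<sep>.)(?P<pat>.*?)(?P=sep)(?P<rep>.*?)(?P=sep)(?P<g>g?)$",
    re.DOTALL,
)


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).  No escape handling."""
    local, _, realm = name.rpartition("@")
    if not local or not realm:
        raise ValueError(f"expected name@REALM, got {name!r}")
    return local.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Local name produced by one RULE entry, or None if the rule does not apply."""
    if rule.startswith("RULE:"):
        rule = rule[len("RULE:"):]
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"malformed rule: {rule!r}")
    comps, realm = parse_principal(principal)
    n = int(m.group("n"))
    if len(comps) != n:                 # rule is for principals with exactly n components
        return None

    def expand(var: "re.Match[str]") -> str:   # $0 -> realm, $1..$n -> components
        i = int(var.group(1))
        if i == 0:
            return realm
        if 1 <= i <= n:
            return comps[i - 1]
        raise ValueError(f"${i} is out of range for a {n}-component rule")

    formatted = re.sub(r"\$(\d+)", expand, m.group("fmt"))
    # libkrb5 applies the substitution only if regexp matches the ENTIRE string
    if re.fullmatch(m.group("match"), formatted) is None:
        return None
    count = 0 if m.group("g") else 1    # trailing 'g' replaces every occurrence
    return re.sub(m.group("pat"), lambda _: m.group("rep"), formatted, count=count)


def auth_to_local(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """Walk an auth_to_local list: first applicable rule wins; None means no mapping."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps one-component principals of the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None   # what mod_auth_kerb reports as "found no mapping for principal"


# The rule posted in the thread, and a constructed tighter variant that escapes
# the dots so only UIB.NO and UNIX.UIB.NO qualify.
RULES_FROM_THREAD = ["RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//", "DEFAULT"]
TIGHTER_RULES = ["RULE:[1:$1@$0](.*@(UNIX\\.)?UIB\\.NO)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    # Constructed principals, not taken from anyone's realm.
    for p in ["bt@UNIX.UIB.NO", "bt@UIB.NO", "bt/admin@UNIX.UIB.NO",
              "bt@EVILUIB.NO", "garet@LILLE.FUTURS.INRIA.FR"]:
        print(f"{p:30} thread rule -> {str(auth_to_local(RULES_FROM_THREAD, p, 'UNIX.UIB.NO')):5}"
              f"  tighter -> {auth_to_local(TIGHTER_RULES, p, 'UNIX.UIB.NO')}")
```

Two things the run makes visible that the rule text alone does not: garet@LILLE.FUTURS.INRIA.FR gets None from both lists, which is exactly Guillaume's "found no mapping" error, since neither the rule nor DEFAULT covers his trusted realm; and because the posted regexp leaves its dots unescaped and puts nothing before "UIB", any realm whose name ends in six characters of the shape U-I-B-?-N-O (bt@EVILUIB.NO in the constructed set) is mapped straight onto the local account "bt". That only matters for realms you actually trust, but a rule that names the realms it is meant for, as the tighter variant does, costs nothing and is easier to audit later.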
From: sd at msu.edu (Steve Devine)
Date: Sun, 07 Jun 2009 07:48:19 -0400
Subject: kdc listening on too many interfaces
Message-ID: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>

Running Kerberos 5 release 1.6.3 on a new server - we have a backnet interface for backups. When I start the KDC I see this in the logs:

Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): setting up network...
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized local address family 17
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized local address family 17
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 8: udp MainIPAddress.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 9: udp MainIPAddress.750
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 10: udp BackNetIPAddress.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 11: udp BackNetIPAddress.750

Everything works fine and in theory I see no harm, but still it seems wrong. It seems like I ought to be able to disable listening on the backnet interface. Is this so or no? Lots of Googling has so far revealed nothing.

/sd
Steve Devine
Email & Storage
Academic Technology Services
Michigan State University

From bjorn.sund at it.uib.no Sun Jun 7 10:54:33 2009
From: bjorn.sund at it.uib.no (Bjørn Tore Sund)
Date: Sun, 07 Jun 2009 16:54:33 +0200
Subject: kdc listening on too many interfaces
In-Reply-To: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>
References: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>
Message-ID: <4A2BD4A9.8080208@it.uib.no>

Steve Devine wrote:
> Running Kerberos 5 release 1.6.3 on a new server - we have a backnet
> interface for backups. When I start the KDC I see this in the logs:
>
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): setting up network...
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized
> local address family 17
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized
> local address family 17
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 8: udp
> MainIPAddress.88
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 9: udp
> MainIPAddress.750
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 10: udp
> BackNetIPAddress.88
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 11: udp
> BackNetIPAddress.750
>
> Everything works fine and in theory I see no harm, but still it seems wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?
> Lots of Googling has so far revealed nothing.

You need the man page. But briefly, in the [kdcdefaults] section of kdc.conf, set kdc_ports to the port number(s) you want to listen to. Note that in order to enable listening to TCP connections, you need to specifically set kdc_tcp_ports to 88.

-BT
-- 
Bjørn Tore Sund   Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department     VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen   When in fear and when in doubt, run in circles, scream and shout.

From raeburn at MIT.EDU Sun Jun 7 15:41:02 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sun, 7 Jun 2009 15:41:02 -0400
Subject: kdc listening on too many interfaces
In-Reply-To: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>
References: <20090607074819.96022n1kccd3nz7n@mail.msu.edu>
Message-ID: <70769368-F2A8-4130-8814-10D9854FDF80@mit.edu>

On Jun 7, 2009, at 07:48, Steve Devine wrote:
> Everything works fine and in theory I see no harm, but still it seems
> wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?

At present there is no way to control which IP addresses the KDC process listens on. (The message from Bjørn Tore Sund outlines how to select the port numbers and whether the KDC listens for TCP connections, but not a change in IP addresses.) It's assumed for now that all IP addresses may be advertised in DNS as belonging to the KDC (yes, we know it's not necessarily true), so we should listen just in case. The ability to listen on just some addresses has been requested, but so far hasn't made it far up the priority list, since it's generally harmless as you say, unless there's some reason you need the KDC to *not* listen on certain IP addresses.

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From sd at msu.edu Sun Jun 7 17:16:26 2009
From: sd at msu.edu (Steve Devine)
Date: Sun, 07 Jun 2009 17:16:26 -0400
Subject: kdc listening on too many interfaces
In-Reply-To: <70769368-F2A8-4130-8814-10D9854FDF80@mit.edu>
References: <20090607074819.96022n1kccd3nz7n@mail.msu.edu> <70769368-F2A8-4130-8814-10D9854FDF80@mit.edu>
Message-ID: <20090607171626.15552g4y3xsc7ne2@mail.msu.edu>

Quoting "Ken Raeburn" :
> On Jun 7, 2009, at 07:48, Steve Devine wrote:
>> Everything works fine and in theory I see no harm, but still it seems wrong.
>> It seems like I ought to be able to disable listening on the backnet
>> interface.
>> Is this so or no?
>
> At present there is no way to control which IP addresses the KDC
> process listens on. (The message from Bjørn Tore Sund outlines how
> to select the port numbers and whether the KDC listens for TCP
> connections, but not a change in IP addresses.) It's assumed for
> now that all IP addresses may be advertised in DNS as belonging to
> the KDC (yes, we know it's not necessarily true), so we should
> listen just in case. The ability to listen on just some addresses
> has been requested, but so far hasn't made it far up the priority
> list, since it's generally harmless as you say, unless there's some
> reason you need the KDC to *not* listen on certain IP addresses.
>
> --
> Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
>

OK thanks Ken. Good to know I'm not missing something; many attempts at this in kdc.conf were getting me nowhere.

/sd
Steve Devine
Email & Storage
Academic Technology Services
Michigan State University

From megacz at cs.berkeley.edu Sun Jun 7 22:33:29 2009
From: megacz at cs.berkeley.edu (Adam Megacz)
Date: Sun, 07 Jun 2009 19:33:29 -0700
Subject: krb5-1.7 is released
In-Reply-To: (Tom Yu's message of "Tue, 02 Jun 2009 11:24:59 -0400")
References:
Message-ID:

Tom Yu writes:
> The MIT Kerberos Team announces the availability of MIT Kerberos 5
> Release 1.7.

Hi, Tom. Congratulations on the release!

I noticed that this patch (or equivalent functionality) was not included:

http://www.mail-archive.com/kerberos at mit.edu/msg13929.html

Are there any plans to include it or something like it in some future release of krb5?

Thanks,

- a

From vilas.tadoori.ext at siemens.com Mon Jun 8 15:15:26 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Mon, 8 Jun 2009 15:15:26 -0400
Subject: Questions on webauthentication.
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A6FFDF5@USCIMMBX001.net.plm.eds.com>

Dear All,

We have the following scenario. We have two WAR files, login and identity, that we install on an HTTP server (Tomcat, Apache) or an app server (WebLogic and WebSphere). We are looking for a solution where the user logs in using the login service present in the hosted login.war file, and upon login the user should get a TGT from the KDC and be directed to the Identity service hosted in the Identity.war file. The Identity service would then decrypt the TGT and grant the user access.

Is it possible to register the login.war and Identity.war files as services in the Kerberos database? Please advise an alternative solution if the above is not possible.

Thanks
V.

From Jurgo.Preden at ttu.ee Mon Jun 8 21:30:22 2009
From: Jurgo.Preden at ttu.ee (Jurgo.Preden@ttu.ee)
Date: Tue, 9 Jun 2009 04:30:22 +0300 (EEST)
Subject: sserver & sclient
Message-ID: <21580947.1244511022088.JavaMail.oracle@ocs.va.ttu.ee>

Hello

I am trying to use the sserver and sclient that came as part of the MIT Kerberos for Windows 3.2.2 package. Neither of these applications was built with the standard makefiles. After modifying the makefiles I was able to build them, but I still have some issues with running the applications.

I can see from the network packet log that sclient gets a valid reply to the TGS request, but for some reason sserver rejects the request. I am using the Kerberos server from the domain controller of a Windows 2003 server. I created the keytab file for sserver using tools in the Windows 2003 resource kit. Does that keytab file work with the MIT apps?

Should the sserver and sclient apps work with the 3.2.2 code in the first place? Since they are not built with the standard makefile configuration I started having doubts.

Thanks,
Jurgo Preden

From vilas.tadoori.ext at siemens.com Tue Jun 9 02:39:34 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Tue, 9 Jun 2009 02:39:34 -0400
Subject: Questions of webauthentication on kerberos
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A77C131@USCIMMBX001.net.plm.eds.com>

Dear All,

We have the following scenario. We have two WAR files, login and identity, that we install on an HTTP server (Tomcat, Apache) or an app server (WebLogic and WebSphere). We are looking for a solution where the user logs in using the login service present in the hosted login.war file, and upon login the user should get a TGT from the KDC and be directed to the Identity service hosted in the Identity.war file. The Identity service would then decrypt the TGT and grant the user access.

Is it possible to register the login.war and Identity.war files as services in the Kerberos database? Please advise an alternative solution if the above is not possible.

Thanks
V.

From pgnet.dev+krb at gmail.com Tue Jun 9 19:27:24 2009
From: pgnet.dev+krb at gmail.com (PGNet Dev)
Date: Tue, 9 Jun 2009 16:27:24 -0700
Subject: error (?) 'kdb5_util: while reading realm object entry while creating database' when trying to create a db/realm?
Message-ID: <94f2e81e0906091627o2e0260fctb8c2228814a2b5f4@mail.gmail.com>

I'm setting up Kerberos + OpenDS/LDAP. Trying to create my DB realm,

  kdb5_util create -x binddn=cn=kadmin_service,ou=profile,dc=mydomain,dc=net -s

returns,

  Loading random data
  Initializing database '/usr/local/var/krb5/MYDOMAIN.NET/principal' for realm 'MYDOMAIN.NET',
  master key name 'K/M@MYDOMAIN.NET'
  You will be prompted for the database Master Password.
  It is important that you NOT FORGET this password.
  Enter KDC database master key:
  Re-enter KDC database master key to verify:
  kdb5_util: while reading realm object entry while creating database '/usr/local/var/krb5/MYDOMAIN.NET/principal'

Checking, the DB hasn't been created,

  ls /usr/local/var/krb5/MYDOMAIN.NET/principal
  /bin/ls: cannot access /usr/local/var/krb5/MYDOMAIN.NET/principal: No such file or directory

Is "kdb5_util: while reading realm object entry while creating database" an error message? If so, any hints as to what the issue is?

Under strace, the command above gives me (after the 2nd password entry ...),

...
) = 1 ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0 ioctl(4, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x7fa8f7e15a90}, NULL, 8) = 0 close(4) = 0 time(NULL) = 1244589639 stat("/var/lib/kerberos/krb5kdc/kdc.conf", {st_mode=S_IFREG|0600, st_size=1568, ...}) = 0 time(NULL) = 1244589639 stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=3561, ...}) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 futex(0x7fa8f998d270, FUTEX_WAKE_PRIVATE, 2147483647) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 stat("/usr/lib64/krb5/plugins/kdb/kldap", 0x7fff01dddbc0) = -1 ENOENT (No such file or directory) stat("/usr/lib64/krb5/plugins/kdb/kldap.so", {st_mode=S_IFREG|0755, st_size=14061, ...}) = 0 futex(0x7fa8f933b0ec, FUTEX_WAKE_PRIVATE, 2147483647) = 0 open("/usr/lib64/krb5/plugins/kdb/kldap.so", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\16\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=14061, ...}) = 0 mmap(NULL, 2105720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f78ab000 fadvise64(4, 0, 2105720, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f78ac000, 2097152, PROT_NONE) = 0 mmap(0x7fa8f7aac000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1000) = 0x7fa8f7aac000 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=55992, ...}) = 0 mmap(NULL, 55992, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7fa8f9da9000 close(4) = 0 open("/usr/lib64/libkdb_ldap.so.1", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`>\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=111357, ...}) = 0 mmap(NULL, 2193400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 
0x7fa8f7693000 fadvise64(4, 0, 2193400, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f76aa000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f78a9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x16000) = 0x7fa8f78a9000 close(4) = 0 open("/usr/lib64/libldap-2.4.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\342\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=278296, ...}) = 0 mmap(NULL, 2373360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f744f000 fadvise64(4, 0, 2373360, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f7490000, 2097152, PROT_NONE) = 0 mmap(0x7fa8f7690000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x41000) = 0x7fa8f7690000 close(4) = 0 open("/usr/lib64/liblber-2.4.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2209\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=64680, ...}) = 0 mmap(NULL, 2159912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f723f000 fadvise64(4, 0, 2159912, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f724e000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f744d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xe000) = 0x7fa8f744d000 close(4) = 0 open("/usr/lib64/libsasl2.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220M\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=110440, ...}) = 0 mmap(NULL, 2205648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f7024000 fadvise64(4, 0, 2205648, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f703d000, 2097152, PROT_NONE) = 0 mmap(0x7fa8f723d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x19000) = 0x7fa8f723d000 close(4) = 0 open("/usr/lib64/libssl.so.0.9.8", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2602\1\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0555, st_size=317856, ...}) = 0 mmap(NULL, 
2413040, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f6dd6000 fadvise64(4, 0, 2413040, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f6e1d000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f701c000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x46000) = 0x7fa8f701c000 close(4) = 0 open("/usr/lib64/libcrypto.so.0.9.8", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P{\6\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0555, st_size=1547088, ...}) = 0 mmap(NULL, 3657112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f6a59000 fadvise64(4, 0, 3657112, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f6baf000, 2097152, PROT_NONE) = 0 mmap(0x7fa8f6daf000, 147456, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x156000) = 0x7fa8f6daf000 mmap(0x7fa8f6dd3000, 11672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa8f6dd3000 close(4) = 0 open("/lib64/libz.so.1", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\"\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=88704, ...}) = 0 mmap(NULL, 2183728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f6843000 fadvise64(4, 0, 2183728, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f6858000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f6a57000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x14000) = 0x7fa8f6a57000 close(4) = 0 mprotect(0x7fa8f6a57000, 4096, PROT_READ) = 0 mprotect(0x7fa8f6daf000, 53248, PROT_READ) = 0 mprotect(0x7fa8f701c000, 8192, PROT_READ) = 0 mprotect(0x7fa8f723d000, 4096, PROT_READ) = 0 mprotect(0x7fa8f744d000, 4096, PROT_READ) = 0 mprotect(0x7fa8f7690000, 4096, PROT_READ) = 0 mprotect(0x7fa8f78a9000, 4096, PROT_READ) = 0 mprotect(0x7fa8f7aac000, 4096, PROT_READ) = 0 munmap(0x7fa8f9da9000, 55992) = 0 stat("/usr/lib64/krb5/plugins/kdb/kldap", 0x7fff01dddbc0) = -1 ENOENT (No such file or directory) stat("/usr/lib64/krb5/plugins/kdb/kldap.so", 
{st_mode=S_IFREG|0755, st_size=14061, ...}) = 0 stat("/usr/lib64/krb5/plugins/kdb/kldap", 0x7fff01dddbc0) = -1 ENOENT (No such file or directory) stat("/usr/lib64/krb5/plugins/kdb/kldap.so", {st_mode=S_IFREG|0755, st_size=14061, ...}) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 access("/usr/local/etc/auth/krb5/opends.keytab", F_OK) = 0 access("/usr/local/etc/auth/krb5/opends.keytab", R_OK) = 0 open("/usr/local/etc/auth/krb5/opends.keytab", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=276, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "cn=kdc_service,ou=profile,dc=myd"..., 4096) = 276 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 uname({sys="Linux", node="auth", ...}) = 0 open("/etc/resolv.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "#search mydomain.net\nnames"..., 4096) = 71 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 uname({sys="Linux", node="auth", ...}) = 0 socket(PF_FILE, 0x80801 /* SOCK_??? */, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ECONNREFUSED (Connection refused) close(4) = 0 socket(PF_FILE, 0x80801 /* SOCK_??? 
*/, 0) = 4 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ECONNREFUSED (Connection refused) close(4) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=1195, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1195 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=55992, ...}) = 0 mmap(NULL, 55992, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7fa8f9da9000 close(4) = 0 open("/lib64/libnss_dns.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \20\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=23112, ...}) = 0 mmap(NULL, 2117896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f663d000 fadvise64(4, 0, 2117896, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f6642000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f6841000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x7fa8f6841000 close(4) = 0 mprotect(0x7fa8f6841000, 4096, PROT_READ) = 0 munmap(0x7fa8f9da9000, 55992) = 0 open("/etc/host.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "multi on\n", 4096) = 9 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 futex(0x7fa8f7e04da4, FUTEX_WAKE_PRIVATE, 2147483647) = 0 time([1244589639]) = 1244589639 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 open("/etc/resolv.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "#search mydomain.net\nnames"..., 4096) = 71 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 uname({sys="Linux", node="auth", ...}) = 0 
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 202109}, NULL) = 0 poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) sendto(4, "\265\310\1\0\0\1\0\0\0\0\0\0\4auth\0\0\1\0\1", 22, MSG_NOSIGNAL, NULL, 0) = 22 poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLERR}]) close(4) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 203660}, NULL) = 0 poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) sendto(4, "\265\310\1\0\0\1\0\0\0\0\0\0\4auth\0\0\1\0\1", 22, MSG_NOSIGNAL, NULL, 0) = 22 poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}]) ioctl(4, FIONREAD, [97]) = 0 recvfrom(4, "\265\310\201\203\0\1\0\0\0\1\0\0\4auth\0\0\1\0\1\0\0\6\0\1\0\0\1\306\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 97 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=55992, ...}) = 0 mmap(NULL, 55992, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7fa8f9da9000 close(4) = 0 open("/lib64/libnss_files.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0` \0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=47784, ...}) = 0 mmap(NULL, 2143528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7fa8f6431000 fadvise64(4, 0, 2143528, POSIX_FADV_WILLNEED) = 0 mprotect(0x7fa8f643c000, 2093056, PROT_NONE) = 0 mmap(0x7fa8f663b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7fa8f663b000 close(4) = 0 mprotect(0x7fa8f663b000, 4096, PROT_READ) = 0 munmap(0x7fa8f9da9000, 55992) = 0 
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4 fcntl(4, F_GETFD) = 0x1 (flags FD_CLOEXEC) fstat(4, {st_mode=S_IFREG|0644, st_size=130, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "127.0.0.1 localhost\n127.0."..., 4096) = 130 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 open("/etc/openldap/ldap.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=264, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa8f9dca000 read(4, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 264 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7fa8f9dca000, 4096) = 0 getuid() = 0 geteuid() = 0 open("/root/ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory) open("/root/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory) open("ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory) socket(PF_NETLINK, SOCK_RAW, 0) = 4 bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(4, {sa_family=AF_NETLINK, pid=21654, groups=00000000}, [12]) = 0 time(NULL) = 1244589639 sendto(4, "\24\0\0\0\26\0\1\3G\356.J\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0G\356.J\226T\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 352 recvmsg(4, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0G\356.J\226T\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(4) = 0 time([1244589639]) = 1244589639 time([1244589639]) = 1244589639 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 220805}, NULL) = 0 
poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) sendto(4, "\254\377\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLERR}]) close(4) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 222368}, NULL) = 0 poll([{fd=4, events=POLLOUT}], 1, 0) = 1 ([{fd=4, revents=POLLOUT}]) sendto(4, "\254\377\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=4, events=POLLIN}], 1, 5000) = 1 ([{fd=4, revents=POLLIN}]) ioctl(4, FIONREAD, [102]) = 0 recvfrom(4, "\254\377\205\200\0\1\0\1\0\1\0\1\4auth\6server\16mydomai"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 102 close(4) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, 16) = -1 EINPROGRESS (Operation now in progress) poll([{fd=4, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=4, revents=POLLOUT}]) getpeername(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, [9292868537599131664]) = 0 fcntl(4, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK) fcntl(4, F_SETFL, O_RDWR) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 write(4, "0S\2\1\1`N\2\1\3\0045cn=kadmin_service,ou"..., 85) = 85 poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=4, revents=POLLIN}]) read(4, "0\f\2\1\1a\7\n", 8) = 8 read(4, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 socket(PF_NETLINK, SOCK_RAW, 0) = 5 
bind(5, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(5, {sa_family=AF_NETLINK, pid=21654, groups=00000000}, [12]) = 0 time(NULL) = 1244589639 sendto(5, "\24\0\0\0\26\0\1\3G\356.J\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0G\356.J\226T\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 352 recvmsg(5, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0G\356.J\226T\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(5) = 0 time([1244589639]) = 1244589639 time([1244589639]) = 1244589639 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 259196}, NULL) = 0 poll([{fd=5, events=POLLOUT}], 1, 0) = 1 ([{fd=5, revents=POLLOUT}]) sendto(5, "\324\265\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=5, events=POLLIN}], 1, 5000) = 1 ([{fd=5, revents=POLLERR}]) close(5) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5 connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 260730}, NULL) = 0 poll([{fd=5, events=POLLOUT}], 1, 0) = 1 ([{fd=5, revents=POLLOUT}]) sendto(5, "\324\265\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=5, events=POLLIN}], 1, 5000) = 1 ([{fd=5, revents=POLLIN}]) ioctl(5, FIONREAD, [102]) = 0 recvfrom(5, "\324\265\205\200\0\1\0\1\0\1\0\1\4auth\6server\16mydomai"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) 
= 102 close(5) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 setsockopt(5, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(5, SOL_TCP, TCP_NODELAY, [1], 4) = 0 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, 16) = -1 EINPROGRESS (Operation now in progress) poll([{fd=5, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=5, revents=POLLOUT}]) getpeername(5, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, [9292868537599131664]) = 0 fcntl(5, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK) fcntl(5, F_SETFL, O_RDWR) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 write(5, "0S\2\1\1`N\2\1\3\0045cn=kadmin_service,ou"..., 85) = 85 poll([{fd=5, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=5, revents=POLLIN}]) read(5, "0\f\2\1\1a\7\n", 8) = 8 read(5, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 brk(0x7fa8fa024000) = 0x7fa8fa024000 socket(PF_NETLINK, SOCK_RAW, 0) = 6 bind(6, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(6, {sa_family=AF_NETLINK, pid=21654, groups=00000000}, [12]) = 0 time(NULL) = 1244589639 sendto(6, "\24\0\0\0\26\0\1\3G\356.J\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0G\356.J\226T\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 352 recvmsg(6, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0G\356.J\226T\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(6) = 0 time([1244589639]) = 1244589639 time([1244589639]) = 1244589639 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 
fcntl(6, F_GETFL) = 0x2 (flags O_RDWR) fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 288465}, NULL) = 0 poll([{fd=6, events=POLLOUT}], 1, 0) = 1 ([{fd=6, revents=POLLOUT}]) sendto(6, "|S\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=6, events=POLLIN}], 1, 5000) = 1 ([{fd=6, revents=POLLERR}]) close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(6, F_GETFL) = 0x2 (flags O_RDWR) fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 290007}, NULL) = 0 poll([{fd=6, events=POLLOUT}], 1, 0) = 1 ([{fd=6, revents=POLLOUT}]) sendto(6, "|S\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=6, events=POLLIN}], 1, 5000) = 1 ([{fd=6, revents=POLLIN}]) ioctl(6, FIONREAD, [102]) = 0 recvfrom(6, "|S\205\200\0\1\0\1\0\1\0\1\4auth\6server\16mydomai"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 102 close(6) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6 fcntl(6, F_SETFD, FD_CLOEXEC) = 0 setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0 fcntl(6, F_GETFL) = 0x2 (flags O_RDWR) fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(6, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, 16) = -1 EINPROGRESS (Operation now in progress) poll([{fd=6, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=6, revents=POLLOUT}]) getpeername(6, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, [9292868537599131664]) = 0 fcntl(6, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK) fcntl(6, F_SETFL, O_RDWR) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 write(6, "0S\2\1\1`N\2\1\3\0045cn=kadmin_service,ou"..., 85) = 85 poll([{fd=6, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=6, revents=POLLIN}]) read(6, 
"0\f\2\1\1a\7\n", 8) = 8 read(6, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 socket(PF_NETLINK, SOCK_RAW, 0) = 7 bind(7, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(7, {sa_family=AF_NETLINK, pid=21654, groups=00000000}, [12]) = 0 time(NULL) = 1244589639 sendto(7, "\24\0\0\0\26\0\1\3G\356.J\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(7, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0G\356.J\226T\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 352 recvmsg(7, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0G\356.J\226T\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(7) = 0 time([1244589639]) = 1244589639 time([1244589639]) = 1244589639 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7 connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 fcntl(7, F_GETFL) = 0x2 (flags O_RDWR) fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 317854}, NULL) = 0 poll([{fd=7, events=POLLOUT}], 1, 0) = 1 ([{fd=7, revents=POLLOUT}]) sendto(7, "`C\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=7, events=POLLIN}], 1, 5000) = 1 ([{fd=7, revents=POLLERR}]) close(7) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7 connect(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(7, F_GETFL) = 0x2 (flags O_RDWR) fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 319380}, NULL) = 0 poll([{fd=7, events=POLLOUT}], 1, 0) = 1 ([{fd=7, revents=POLLOUT}]) sendto(7, "`C\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=7, events=POLLIN}], 1, 5000) = 1 ([{fd=7, revents=POLLIN}]) ioctl(7, FIONREAD, [102]) = 0 recvfrom(7, 
"`C\205\200\0\1\0\1\0\1\0\1\4auth\6server\16mydomai"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 102 close(7) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 7 fcntl(7, F_SETFD, FD_CLOEXEC) = 0 setsockopt(7, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(7, SOL_TCP, TCP_NODELAY, [1], 4) = 0 fcntl(7, F_GETFL) = 0x2 (flags O_RDWR) fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(7, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, 16) = -1 EINPROGRESS (Operation now in progress) poll([{fd=7, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=7, revents=POLLOUT}]) getpeername(7, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, [9292868537599131664]) = 0 fcntl(7, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK) fcntl(7, F_SETFL, O_RDWR) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 write(7, "0S\2\1\1`N\2\1\3\0045cn=kadmin_service,ou"..., 85) = 85 poll([{fd=7, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=7, revents=POLLIN}]) read(7, "0\f\2\1\1a\7\n", 8) = 8 read(7, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 socket(PF_NETLINK, SOCK_RAW, 0) = 8 bind(8, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0 getsockname(8, {sa_family=AF_NETLINK, pid=21654, groups=00000000}, [12]) = 0 time(NULL) = 1244589639 sendto(8, "\24\0\0\0\26\0\1\3G\356.J\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(8, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\24\0\2\0G\356.J\226T\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 352 recvmsg(8, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0G\356.J\226T\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20 close(8) = 0 time([1244589639]) = 1244589639 time([1244589639]) = 1244589639 socket(PF_INET, SOCK_DGRAM, 
IPPROTO_IP) = 8 connect(8, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0 fcntl(8, F_GETFL) = 0x2 (flags O_RDWR) fcntl(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 347926}, NULL) = 0 poll([{fd=8, events=POLLOUT}], 1, 0) = 1 ([{fd=8, revents=POLLOUT}]) sendto(8, "\335\356\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=8, events=POLLIN}], 1, 5000) = 1 ([{fd=8, revents=POLLERR}]) close(8) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 8 connect(8, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, 28) = 0 fcntl(8, F_GETFL) = 0x2 (flags O_RDWR) fcntl(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 gettimeofday({1244589639, 349495}, NULL) = 0 poll([{fd=8, events=POLLOUT}], 1, 0) = 1 ([{fd=8, revents=POLLOUT}]) sendto(8, "\335\356\1\0\0\1\0\0\0\0\0\0\4auth\6server\16mydomai"..., 48, MSG_NOSIGNAL, NULL, 0) = 48 poll([{fd=8, events=POLLIN}], 1, 5000) = 1 ([{fd=8, revents=POLLIN}]) ioctl(8, FIONREAD, [102]) = 0 recvfrom(8, "\335\356\205\200\0\1\0\1\0\1\0\1\4auth\6server\16mydomai"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.1.1")}, [16]) = 102 close(8) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 8 fcntl(8, F_SETFD, FD_CLOEXEC) = 0 setsockopt(8, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(8, SOL_TCP, TCP_NODELAY, [1], 4) = 0 fcntl(8, F_GETFL) = 0x2 (flags O_RDWR) fcntl(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(8, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, 16) = -1 EINPROGRESS (Operation now in progress) poll([{fd=8, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=8, revents=POLLOUT}]) getpeername(8, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.168.1.107")}, [9292868537599131664]) = 0 fcntl(8, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK) fcntl(8, F_SETFL, O_RDWR) = 0 time(NULL) = 1244589639 time(NULL) = 1244589639 write(8, 
"0S\2\1\1`N\2\1\3\0045cn=kadmin_service,ou"..., 85) = 85 poll([{fd=8, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=8, revents=POLLIN}]) read(8, "0\f\2\1\1a\7\n", 8) = 8 read(8, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 time(NULL) = 1244589639 write(8, "0x\2\1\2cs\4(cn=krbcontainer,dc=mydo"..., 122) = 122 gettimeofday({1244589639, 380494}, NULL) = 0 poll([{fd=8, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 300000) = 1 ([{fd=8, revents=POLLIN}]) read(8, "0\f\2\1\2e\7\n", 8) = 8 read(8, "\1\0\4\0\4\0", 6) = 6 time(NULL) = 1244589639 time(NULL) = 1244589639 write(8, "0\201\241\2\1\3h\201\233\4>cn=MYDOMAIN.NET"..., 164) = 164 poll([{fd=8, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=8, revents=POLLIN}]) read(8, "0\201\225\2\1\3i\201", 8) = 8 read(8, "\217\n\1D\4\0\4\201\207The entry cn=MYDOMAIN,c"..., 144) = 144 time(NULL) = 1244589639 write(2, "kdb5_util: while creating realm "..., 45kdb5_util: while creating realm object entry ) = 45 write(2, "while creating database '/usr/lo"..., 74while creating database '/usr/local/var/krb5/MYDOMAIN.NET/principal') = 74 write(2, "\n", 1 ) = 1 exit_group(1) = ?

Happy to provide any/all additional info -- just not clear, as yet, where to look :-/

From vilas.tadoori.ext at siemens.com Thu Jun 11 06:32:23 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Thu, 11 Jun 2009 06:32:23 -0400
Subject: Questions of webauthentication on kerberos
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A872B14@USCIMMBX001.net.plm.eds.com>

Dear All,

I am looking for some kind of answer on this question. Or please guide me if this is not the correct forum to ask?

Thanks
Vilas

________________________________
From: Tadoori (EXT), Vilas
Sent: Tuesday, June 09, 2009 12:10 PM
To: 'kerberos at mit.edu'
Subject: Questions of webauthentication on kerberos

Dear All,

We have the following scenario. We have two war files, login and identity, that we install on an HTTP server (Tomcat, Apache) or an app server (WebLogic, WebSphere). We are looking for a solution where the user logs in using the login service present on the hosted login.war file and, upon login, the user should get a TGT from the KDC and is directed to the Identity service hosted on the Identity.war file. The identity service would then decrypt the TGT and then grant the user access.

Is it possible to register the login.war and Identity.war files as services in the Kerberos database? Please advise an alternative solution if the above is not possible.

Thanks
V.

From hans at woefdram.nl Mon Jun 15 04:03:55 2009
From: hans at woefdram.nl (Hans van Zijst)
Date: Mon, 15 Jun 2009 10:03:55 +0200
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
Message-ID: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>

Hi,

We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. This is a nightmare of course, I don't have to elaborate on that :)

Recently we decided to use our Active Directory domain for the Linux machines as well. I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we all can log in to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM.

From there, I thought, it should be easy to automatically log into SSH without being asked for a password. Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPassword to "no" in the server config. Help... :)

A message in the ssh client log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
host/client.staff.xxxxx.nl@STAFF.XXXXX.NL

and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there.

I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.

Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map), and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisuser@server.staff.xxxxx.nl
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
-----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure.  Minor code may provide more information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
-----

This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
-----

I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
    default = FILE:/var/log/krb5-lib.log
    kdc = FILE:/var/log/krb5-kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = STAFF.XXXXX.NL
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_realm = true
    dns_lookup_kdc = true
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    STAFF.XXXXX.NL = {
        kdc = zbdc01
        admin_server = zbdc01
    }

[domain_realm]
    .staff.xxxxx.nl = STAFF.XXXXX.NL
    staff.xxxxx.nl = STAFF.XXXXX.NL

[login]
    krb4_convert = false
    krb4_get_tickets = false

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        validate = true
    }
-----

Kind regards,
Hans van Zijst

From Charles.Breite at altertrading.com Mon Jun 15 14:30:39 2009
From: Charles.Breite at altertrading.com (Charles Breite)
Date: Mon, 15 Jun 2009 13:30:39 -0500
Subject: Keytab server principal cuts off at @
Message-ID: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com>

Hi All,

I have a strange problem and hope someone can help.... I have a new installation of Kerberos 5 release 1.6.2 and we have this working on all of our production servers, but this server continues to fail to authenticate. What I see in the logs for the failure is:

[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1485): [client 10.10.100.29] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(940): [client 10.10.100.29] Using HTTP/servername.domain.com@ as server principal for password verification
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(680): [client 10.10.100.29] Trying to get TGT for user charlesb at Domain.COM
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(594): [client 10.10.100.29] Trying to verify authenticity of KDC using principal HTTP/servername.domain.com@
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(609): [client 10.10.100.29] krb5_get_credentials() failed when verifying KDC
[Mon Jun 15 13:08:52 2009] [error] [client 10.10.100.29] failed to verify krb5 credentials: Server not found in Kerberos database
[Mon Jun 15 13:08:52 2009] [debug] src/mod_auth_kerb.c(1019): [client 10.10.100.29] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

I am wondering if anyone has seen this where the principal is cut off.... I have regenerated the keytab several times and re-checked the Windows accounts we are using for the auth....
Shouldn't the principal be HTTP/servername.domain.com at domain.com?

Apache config is:

ServerName servername.domain.com
ServerAlias servername.domain.com
ServerAlias servername
DocumentRoot /usr/local/nagios/share
ErrorLog /var/log/apache2/nagios_error.log
TransferLog /var/log/apache2/nagios_access.log
LogLevel Debug

ScriptAlias /nagios/cgi-bin/ "/usr/local/nagios/sbin/"

Options ExecCGI
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Nagios"
Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
KrbVerifyKDC on
KrbMethodNegotiate off
KrbMethodK5Passwd on
AuthGroupFile /usr/local/nagios/web_groups
Require group nagios

Options FollowSymLinks
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Nagios"
Krb5Keytab /etc/apache2/keytabs/HTTP.servername.keytab
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
KrbVerifyKDC on
KrbMethodNegotiate off
KrbMethodK5Passwd on
AuthGroupFile /usr/local/nagios/web_groups
Require group nagios

I am fairly new to Kerberos so I apologize if I am not seeing something that I should be....

Thanks!


From miguel.sanders at arcelormittal.com Mon Jun 15 14:43:48 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Mon, 15 Jun 2009 20:43:48 +0200
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206C45FEE@GEN-MXB-V04.msad.arcelor.net>

Hans

Are you attempting Kerberos based password authentication or single sign on?
Could you also give the sshd trace (-ddd)?

With kind regards
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Hans van Zijst
Sent: Monday 15 June 2009 10:04
To: kerberos at mit.edu
Subject: Problem: passwordless SSH-login with Kerberos doesn't work

Hi,

We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine. This is a nightmare of course, I don't have to elaborate on that :)

Recently we decided to use our Active Directory domain for the Linux machines as well. I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we all can log in to the SSH server using our Active Directory credentials. At login time, a TGT is automatically retrieved through PAM.

From there, I thought, it should be easy to automatically log into SSH without being asked for a password. Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPassword to "no" in the server config. Help... :)

A message in the ssh client-log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:

host/server.staff.xxxxx.nl at STAFF.XXXXX.NL
host/client.staff.xxxxx.nl at STAFF.XXXXX.NL

and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there.

I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.

Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.

This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map) and the name and IP address of the AD server is in /etc/hosts.

This is the SSH debug log when I try to connect:

-----[ ssh client log ]-----
ssh -vvvK thisuser at server.staff.xxxxx.nl
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
debug1: Connection established.
debug1: identity file /home/thisuser/.ssh/identity type -1
debug1: identity file /home/thisuser/.ssh/id_rsa type -1
debug1: identity file /home/thisuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
debug1: Found key in /home/thisuser/.ssh/known_hosts:3
debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/thisuser/.ssh/identity ((nil))
debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/thisuser/.ssh/identity
debug3: no such identity: /home/thisuser/.ssh/identity
debug1: Trying private key: /home/thisuser/.ssh/id_rsa
debug3: no such identity: /home/thisuser/.ssh/id_rsa
debug1: Trying private key: /home/thisuser/.ssh/id_dsa
debug3: no such identity: /home/thisuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
-----

And here's the log (at DEBUG level) of the SSH server:

-----[ ssh server log ]-----
debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
debug1: Forked child 2475.
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 35195
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug1: PAM: initializing for "thisuser"
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for thisuser from 10.115.193.8 port 35195 ssh2
debug1: Unspecified GSS failure. Minor code may provide more information\nNo principal in keytab matches desired name\n
debug1: do_cleanup
debug1: PAM: cleanup
-----

This is my SSH config:

-----[ /etc/ssh/sshd_config ]-----
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
-----

I configured /etc/krb5.conf as follows:

-----[ /etc/krb5.conf ]-----
[logging]
    default = FILE:/var/log/krb5-lib.log
    kdc = FILE:/var/log/krb5-kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = STAFF.XXXXX.NL
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_realm = true
    dns_lookup_kdc = true
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    STAFF.XXXXX.NL = {
        kdc = zbdc01
        admin_server = zbdc01
    }

[domain_realm]
    .staff.xxxxx.nl = STAFF.XXXXX.NL
    staff.xxxxx.nl = STAFF.XXXXX.NL

[login]
    krb4_convert = false
    krb4_get_tickets = false

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        validate = true
    }
-----

Kind regards,
Hans van Zijst

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. ArcelorMittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****


From ssorce at redhat.com Mon Jun 15 18:41:30 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Jun 2009 18:41:30 -0400
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
Message-ID: <1245105690.14254.56.camel@localhost.localdomain>

On Mon, 2009-06-15 at 10:03 +0200, Hans van Zijst wrote:
> And here's the log (at DEBUG level) of the SSH server:
>
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure. Minor code may provide more information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup

Clearly the ssh server does not agree about what is the right name.

The hostname of the machine must be the same name you set in the keytab.

That's what sshd uses (probably through gethostname()) to determine what principal name to search for in the keytab.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From Nicolas.Williams at sun.com Mon Jun 15 18:49:16 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 15 Jun 2009 17:49:16 -0500
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To: <1245105690.14254.56.camel@localhost.localdomain>
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl> <1245105690.14254.56.camel@localhost.localdomain>
Message-ID: <20090615224916.GA1308@Sun.COM>

On Mon, Jun 15, 2009 at 06:41:30PM -0400, Simo Sorce wrote:
> > debug1: Unspecified GSS failure. Minor code may provide more
> > information\nNo principal in keytab matches desired name\n
>
> Clearly the ssh server does not agree about what is the right name.
>
> The hostname of the machine must be the same name you set in the keytab.
>
> That's what sshd uses (probably through gethostname()) to determine what
> principal name to search for in the keytab.

Using GSS_C_NO_CREDENTIAL (or a credential for GSS_C_NO_NAME) for the acceptor credential has its advantages.


From simon at sxw.org.uk Mon Jun 15 19:19:48 2009
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 16 Jun 2009 00:19:48 +0100
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To: <1245105690.14254.56.camel@localhost.localdomain>
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl> <1245105690.14254.56.camel@localhost.localdomain>
Message-ID:

> That's what sshd uses (probably through gethostname()) to determine what
> principal name to search for in the keytab.

My GSSAPI KeyExchange patches (at http://www.sxw.org.uk/computing/patches/openssh.html) add support for a 'GSSAPIStrictAcceptorCheck' option, which can be used to permit the use of any principal within the keytab. Debian, like many other distributors, ships with that patch as standard.

Cheers,

Simon.


From simon at sxw.org.uk Tue Jun 16 03:37:00 2009
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 16 Jun 2009 08:37:00 +0100
Subject: Keytab server principal cuts off at @
In-Reply-To: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com>
References: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com>
Message-ID: <4E2D3F15-2F01-4788-AE6E-AA0FC43FF269@sxw.org.uk>

On 15 Jun 2009, at 19:30, Charles Breite wrote:
> I am wondering if anyone has seen this where the principal is
> cut off.... I have regenerated the keytab several times and re-checked the
> Windows accounts we are using for the auth.... Shouldn't the principal
> be HTTP/servername.domain.com at domain.com

A lack of a realm usually means that Kerberos is attempting to find the realm using referrals. Have you got a default realm set in your krb5.conf?

S.


From Tim.Alsop at CyberSafe.com Tue Jun 16 06:05:30 2009
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Tue, 16 Jun 2009 11:05:30 +0100
Subject: cross domain Integrated Windows Auth (aka SPNEGO)
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDE8D@exchange.cybersafe.local>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDE8D@exchange.cybersafe.local>
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDF21@exchange.cybersafe.local>

Hello again.

I only received one response to my email below, so I wondered if anybody else has any experience of this setup and how I can solve it?

The response I received mentioned using netdom with the /addtln parameter, but this will only work when an AD and a non-AD realm are involved. In our case there is only AD being used and not an MIT KDC or Heimdal KDC.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Tim Alsop
Sent: 04 June 2009 20:01
To: kerberos at mit.edu
Subject: cross domain Integrated Windows Auth (aka SPNEGO)

Hi,

One of our customers has a problem with Integrated Windows Authentication in the IE browser. They have two AD domains which are part of different forests, so an external trust is used. The workstation is joined to domain1 and the user logs onto this domain, then opens a browser to access a web server which is on a server joined to domain2. This is not working, but if a workstation on domain2 is used the logon works fine.

From a wireshark trace on the workstation we can see a TGS-REQ being sent to domain1 for the HTTP/@ and of course this principal is not found in domain1 so principal not found is returned - the browser then uses NTLM and attempts to authenticate, but the web server we are using does not support NTLM.

Is there any way we can configure the workstation so that it knows which domain the webserver is in? We found a section in the registry which looks like it might be the correct place to configure this, but it didn't help :(

Thanks in advance for your help,
Tim

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


From Matthew.GARRETT at external.total.com Tue Jun 16 07:24:13 2009
From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com)
Date: Tue, 16 Jun 2009 12:24:13 +0100
Subject: Kerberos User Stats never get updated
Message-ID:

Folks

Using MIT Kerberos Server on a RedHat Linux Server

Using kadmin getprinc USERNAME

Principal: XXXX
Expiration date: [never]
Last password change: Mon Jun 15 09:31:19 BST 2009
Password expiration date: Sun Sep 13 09:31:19 BST 2009
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Jun 15 09:31:19 BST 2009 (XXXXX)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0

The following stats never seem to get updated:

Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0

Users can login fine and there are no real issues, but it would be nice to see these stats being updated.

Does anybody have any pointers?

Thanks
Matthew


From raeburn at MIT.EDU Tue Jun 16 07:56:55 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 16 Jun 2009 07:56:55 -0400
Subject: Kerberos User Stats never get updated
In-Reply-To:
References:
Message-ID: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu>

On Jun 16, 2009, at 07:24, Matthew.GARRETT at external.total.com wrote:
> Using MIT Kerberos Server on a RedHat Linux Server
> The following stats never seem to get updated
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0

The KDC normally doesn't even get such information, but with preauthentication in use it may be possible to figure it out.

However, the KDC is also normally built to access the database in read-only fashion, so it doesn't actually update these fields even if the information is available.

Third, even if the KDC is rebuilt with the options to make it update the database (and I'm not 100% sure if it still compiles in that mode), at least in the db2-based database implementation, the statistics from the master server would be pushed out to the slaves with the rest of the database info, and the statistics from the slaves would simply be discarded; the LDAP-based database would better support updates from both master and slaves, but with a race condition (two KDCs could try incrementing the failed-attempt counter simultaneously by both reading the old value at the same time, and then both writing the incremented value, causing one increment to be lost).

So, in short, the current implementation doesn't really support these fields well at all.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium


From ssorce at redhat.com Tue Jun 16 08:18:05 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Jun 2009 08:18:05 -0400
Subject: Kerberos User Stats never get updated
In-Reply-To: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu>
References: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu>
Message-ID: <1245154685.14254.74.camel@localhost.localdomain>

On Tue, 2009-06-16 at 07:56 -0400, Ken Raeburn wrote:
> (two KDCs could try incrementing the failed-attempt counter
> simultaneously by both reading the old value at the same time, and
> then both writing the incremented value, causing one increment to be
> lost).

This could be detected and fixed easily, all you'd have to do is combine a delete and add operation in a single modify where the exact value retrieved is deleted and the incremented value added. If a race condition occurs, one of the KDCs would see the operation fail as it would try to delete with a wrong value. The operation could then be repeated, for a max of 3-5 times or so, and only then would the KDC give up, maybe logging the issue in the log file.

In a multi-master case, this technique wouldn't work as both changes against 2 masters would succeed, so in that case an increment would be lost when later the replication conflict resolution discards one of the 2 changes (in theory special code in the replication code could be written with an understanding of how this specific attribute operates and increments could be summed up, but it would probably be a lot of special code for not much gain). This seems an issue only wrt failure counts, however if they are low enough, this shouldn't be a big concern.

It seems very unlikely that under normal circumstances 2 KDCs will get a preauth request for the same principal. Someone could time them appropriately to multiply the number of chances to guess a password by the number of KDCs, but the timing would be pretty hard to achieve I guess, and not much would be gained.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From Charles.Breite at altertrading.com Tue Jun 16 08:19:09 2009
From: Charles.Breite at altertrading.com (Charles Breite)
Date: Tue, 16 Jun 2009 07:19:09 -0500
Subject: Keytab server principal cuts off at @
In-Reply-To: <4E2D3F15-2F01-4788-AE6E-AA0FC43FF269@sxw.org.uk>
References: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com> <4E2D3F15-2F01-4788-AE6E-AA0FC43FF269@sxw.org.uk>
Message-ID: <5D490E0402B4D14F836B5C4436D5949A8AD6F5@VMEXCHANGE2.alterscrap.com>

Yes, this is my krb5.conf...

[libdefaults]
    default_realm = DOMAIN.COM
    clockskew = 300
    #dns_lookup_kdc = true
    #dns_lookup_realm = true

# We have to have the realm spec here still for CAS
[realms]
    DOMAIN.COM = {
        kdc = vmad1.domain.com
        default_domain = domain.com
        admin_server = vmad1.domain.com
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    DOMAIN = DOMAIN.COM
    .DOMAIN = DOMAIN.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
    }

-----Original Message-----
From: Simon Wilkinson [mailto:simon at sxw.org.uk]
Sent: Tuesday, June 16, 2009 2:37 AM
To: Charles Breite
Cc: kerberos at mit.edu
Subject: Re: Keytab server principal cuts off at @

On 15 Jun 2009, at 19:30, Charles Breite wrote:
> I am wondering if anyone has seen this where the principal is
> cut off.... I have regenerated the keytab several times and re-checked the
> Windows accounts we are using for the auth.... Shouldn't the principal
> be HTTP/servername.domain.com at domain.com

A lack of a realm usually means that Kerberos is attempting to find the realm using referrals. Have you got a default realm set in your krb5.conf?

S.


From raeburn at MIT.EDU Tue Jun 16 08:40:36 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 16 Jun 2009 08:40:36 -0400
Subject: Kerberos User Stats never get updated
In-Reply-To: <1245154685.14254.74.camel@localhost.localdomain>
References: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu> <1245154685.14254.74.camel@localhost.localdomain>
Message-ID: <95AB5C35-25D5-4885-AB6C-FB5C129FF400@mit.edu>

On Jun 16, 2009, at 08:18, Simo Sorce wrote:
> This could be detected and fixed easily, all you'd have to do is
> combine
> a delete and add operation in a single modify where the exact value
> retrieved is deleted and the incremented value added. If a race
> condition occurs, one of the KDCs would see the operation fail as it
> would try to delete with a wrong value. The operation could then be
> repeated, for a max of 3-5 times or so, and only then the KDC would
> give
> up, maybe logging the issue in the log file.

That would require the KDC/database interface to be a bit smarter than it is now. :-)
Currently, it's pretty much, "here's the new record".

> In a multi-master case, this technique wouldn't work as both changes
> against 2 masters would succeed, so in that case an increment would be
> lost when later the replication conflict resolution will discard one
> of
> the 2 changes (in theory special code in the replication code could be
> written with understanding of how this specific attribute operate and
> increments could be summed up, but it would probably be a lot of
> special
> code for not much gain). This seems an issue only wrt failure counts,
> however if they are low enough, this shouldn't be a big concern.

It could also be designed differently so the data don't conflict -- say, assigning each KDC a UUID and maintaining {KDC-UUID, fail-count} pairs in the database for each principal, or sets of {KDC-UUID, fail-date} pairs and counting the records. (The latter more easily allows for a policy like, "lock out an account with X failures in the past N hours".)
Depending on the strictness of local security policies, it may be important to get accurate counts and not permit an attacker more than the designated number of chances, though the latter is trickier to do with only loose synchronization.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
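Ken Raeburn's alternative, sets of {KDC-UUID, fail-date} records instead of one shared counter, worked through as an added example (not MIT krb5 code and not from any message here). KDC identifiers, the principal names and the timestamps are constructed, and a dict of Python sets stands in for the multi-valued LDAP attribute that would hold the records. Because every KDC only ever adds records carrying its own id, replication is a plain set union and cannot discard an increment; the lockout check then counts records inside the policy window, and old records are pruned only when the attribute has grown past a threshold, so no periodic cleanup thread is needed.

```python
"""Conflict-free failed-login records: {KDC-UUID, fail-time} sets instead of a shared counter.

Added example illustrating the per-KDC record design discussed above; not
MIT krb5 code.  KDC identifiers, principal names and timestamps are
constructed, and a dict of sets stands in for the multi-valued LDAP
attribute that would hold the records.
"""
from datetime import datetime, timedelta, timezone


class FailureLog:
    """One KDC's view of the failed-authentication records for its principals."""

    def __init__(self, kdc_id, prune_threshold=50):
        self.kdc_id = kdc_id                  # this KDC's UUID (a constructed label here)
        self.prune_threshold = prune_threshold
        self.records = {}                     # principal -> {(kdc_id, failed_at), ...}

    def record_failure(self, principal, when, window):
        """Add this KDC's own record; prune expired ones only once the set is large.

        Each KDC adds records tagged with its own id only, so two masters never
        hold conflicting values for the same record and replication cannot lose
        an increment.  Cleanup piggybacks on the add once the attribute exceeds
        prune_threshold values.
        """
        recs = self.records.setdefault(principal, set())
        recs.add((self.kdc_id, when))
        if len(recs) > self.prune_threshold:
            cutoff = when - window
            recs.difference_update({r for r in recs if r[1] < cutoff})
        return len(recs)

    def recent_failures(self, principal, now, window):
        """Count records newer than now - window, whichever KDC wrote them."""
        cutoff = now - window
        return sum(1 for _, t in self.records.get(principal, ()) if t >= cutoff)

    def locked_out(self, principal, now, max_failures, window):
        """Policy 'lock out an account with X failures in the past N hours'."""
        return self.recent_failures(principal, now, window) >= max_failures

    def merge_from(self, other):
        """Replication is set union: commutative, so the order between masters is irrelevant."""
        for principal, recs in other.records.items():
            self.records.setdefault(principal, set()).update(recs)

    def clear(self, principal):
        """A successful authentication resets the count."""
        self.records.pop(principal, None)


def demo():
    """Failures spread across two KDCs are counted together once the sets replicate."""
    t0 = datetime(2009, 6, 16, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
    window = timedelta(hours=1)
    max_failures = 5
    principal = "alice@EXAMPLE.COM"  # constructed principal
    kdc_a, kdc_b = FailureLog("kdc-a"), FailureLog("kdc-b")
    for i in range(3):
        kdc_a.record_failure(principal, t0 + timedelta(minutes=i), window)
        kdc_b.record_failure(principal, t0 + timedelta(minutes=i, seconds=30), window)
    now = t0 + timedelta(minutes=5)
    local_only = kdc_a.recent_failures(principal, now, window)                # 3: own records only
    locked_before = kdc_a.locked_out(principal, now, max_failures, window)    # False
    kdc_a.merge_from(kdc_b)  # replication in either direction gives the same result
    kdc_b.merge_from(kdc_a)
    merged_a = kdc_a.recent_failures(principal, now, window)                  # 6
    merged_b = kdc_b.recent_failures(principal, now, window)                  # 6
    locked_after = kdc_a.locked_out(principal, now, max_failures, window)     # True
    return local_only, locked_before, merged_a, merged_b, locked_after


def prune_demo():
    """Threshold-triggered cleanup: records older than the window go on the next add."""
    t0 = datetime(2009, 6, 16, 12, 0, tzinfo=timezone.utc)
    window = timedelta(hours=1)
    log = FailureLog("kdc-c", prune_threshold=3)
    sizes = [log.record_failure("bob@EXAMPLE.COM", t0 + timedelta(minutes=m), window)
             for m in range(4)]
    sizes.append(log.record_failure("bob@EXAMPLE.COM", t0 + timedelta(hours=2), window))
    return sizes  # [1, 2, 3, 4, 1]
```

Until the two logs replicate, each KDC sees only three failures and would not lock the account at a limit of five; after the union both see six. That is exactly the window the thread describes for a split-brain deployment, but the records also give the audit trail of which KDC saw which attempt. In a real schema this needs a new multi-valued attribute, since krbLastFailedAuth and krbLoginFailedCount are both single-valued.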
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Jun 2009 09:10:19 -0400
Subject: Kerberos User Stats never get updated
In-Reply-To: <95AB5C35-25D5-4885-AB6C-FB5C129FF400@mit.edu>
References: <90A915B9-F0B3-4B0E-AD48-8BA39BC52E8D@mit.edu> <1245154685.14254.74.camel@localhost.localdomain> <95AB5C35-25D5-4885-AB6C-FB5C129FF400@mit.edu>
Message-ID: <1245157819.14254.103.camel@localhost.localdomain>

On Tue, 2009-06-16 at 08:40 -0400, Ken Raeburn wrote:
> On Jun 16, 2009, at 08:18, Simo Sorce wrote:
> > This could be detected and fixed easily, all you'd have to do is
> > combine
> > a delete and add operation in a single modify where the exact value
> > retrieved is deleted and the incremented value added. If a race
> > condition occurs, one of the KDCs would see the operation fail as it
> > would try to delete with a wrong value. The operation could then be
> > repeated, for a max of 3-5 times or so, and only then the KDC would
> > give
> > up, maybe logging the issue in the log file.
>
> That would require the KDC/database interface to be a bit smarter than
> it is now. :-)
> Currently, it's pretty much, "here's the new record".

Yeah, I know, and that's a problem for other things as well :-/
For example, "unrolling" krbExtraData into individual attributes would be a *huge* win for people that want to manage principals via normal ldap operations.

What would be needed is to move the DAL a layer above, and not have it be a simple DB style interface. The backends would get requests that explicitly tell what information needs to be changed, not just a new "blob" to store. Then each backend can decide on its own what is the best strategy to update data. The DB backend would probably just inherit the current code above the DAL layer and perform dumb updates; the LDAP driver could use a better schema for attributes the DB backend stores in ExtraData and also perform operations against specific attributes more efficiently.
(No need to fetch the entry and perform compares to find out what really changed.)

> > In a multi-master case, this technique wouldn't work as both changes
> > against 2 masters would succeed, so in that case an increment would be
> > lost when later the replication conflict resolution will discard one
> > of
> > the 2 changes (in theory special code in the replication code could be
> > written with understanding of how this specific attribute operate and
> > increments could be summed up, but it would probably be a lot of
> > special
> > code for not much gain). This seems an issue only wrt failure counts,
> > however if they are low enough, this shouldn't be a big concern.
>
> It could also be designed differently so the data don't conflict --
> say, assigning each KDC a UUID and maintaining {KDC-UUID, fail-count}
> pairs in the database for each principal, or sets of {KDC-UUID, fail-
> date} pairs and counting the records. (The latter more easily allows
> for a policy like, "lock out an account with X failures in the past N
> hours".)

Yes, the second might be a good idea, as it would also serve a bit as auditing data. But then you may need a thread that periodically cleans up the multi-value attribute. Although you can also decide to remove old values only when you are going to add new values and the number of values is past a certain threshold.

This will require a new attribute though, because the current krbLastFailedAuth is a generalizedTime and krbLoginFailedCount is an Integer, and both are single-value, so neither can hold this information.

> Depending on the strictness of local security policies, it may be
> important to get accurate counts and not permit an attacker more than
> the designated number of chances, though the latter is trickier to do
> with only loose synchronization.

Yes, a "brain split" installation where the LDAP servers currently do not communicate (and therefore can't replicate) could allow you to double/triple/etc..
the number of attacks, but at least with the process you described above you'd get an "audit trail" of what happened. For people that decide to use a multi-master approach that's probably going to be enough. If someone is more paranoid then they probably can point all KDCs at one server only so that replication issues cannot affect the count. Just a matter of choice and balance of performance/availability vs a minor policy issue.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: alexvs at sumix.com (alexvs@sumix.com)
Date: Tue, 16 Jun 2009 17:24:15 +0300 (EEST)
Subject: PacketCable KDC
Message-ID: <53131.193.110.184.121.1245162255.squirrel@webmail.dog.sumix.com>

Has anybody implemented a PacketCable KDC using MIT? Can you help configure the KDC for an MTA?

Thanks.

From: Charles.Breite at altertrading.com (Charles Breite)
Date: Tue, 16 Jun 2009 11:07:57 -0500
Subject: Solved RE: Keytab server principal cuts off at @
In-Reply-To: <5D490E0402B4D14F836B5C4436D5949A8AD6F5@VMEXCHANGE2.alterscrap.com>
References: <5D490E0402B4D14F836B5C4436D5949A8AD654@VMEXCHANGE2.alterscrap.com> <4E2D3F15-2F01-4788-AE6E-AA0FC43FF269@sxw.org.uk> <5D490E0402B4D14F836B5C4436D5949A8AD6F5@VMEXCHANGE2.alterscrap.com>
Message-ID: <5D490E0402B4D14F836B5C4436D5949A8AD774@VMEXCHANGE2.alterscrap.com>

During the user mapping account creation you must name the login name as HTTP/username.domain.com. I was not using the FQDN since AD adds that at the end. End result is....HTTP/username.domain.com at domain.com. It had my keytab messed up. I can test the keytab successfully now.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Charles Breite
Sent: Tuesday, June 16, 2009 7:19 AM
To: Simon Wilkinson
Cc: kerberos at mit.edu
Subject: RE: Keytab server principal cuts off at @

Yes, this is my krb5.conf...

[libdefaults]
        default_realm = DOMAIN.COM
        clockskew = 300
        #dns_lookup_kdc = true
        #dns_lookup_realm = true
        # We have to have the realm spec here still for CAS

[realms]
        DOMAIN.COM = {
                kdc = vmad1.domain.com
                default_domain = domain.com
                admin_server = vmad1.domain.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        DOMAIN = DOMAIN.COM
        .DOMAIN = DOMAIN.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                use_shmem = sshd
        }

-----Original Message-----
From: Simon Wilkinson [mailto:simon at sxw.org.uk]
Sent: Tuesday, June 16, 2009 2:37 AM
To: Charles Breite
Cc: kerberos at mit.edu
Subject: Re: Keytab server principal cuts off at @

On 15 Jun 2009, at 19:30, Charles Breite wrote:
> I am wondering if anyone has seen this where the principal is
> cutoff....I have regenerated the keytab several times and re-checked
> the
> windows accounts we are using for the auth.... Shouldn't the principal
> be HTTP/servername.domain.com at domain.com

A lack of a realm usually means that Kerberos is attempting to find the realm using referrals. Have you got a default realm set in your krb5.conf?

S.

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
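The "Keytab server principal cuts off at @" thread ends with the keytab holding a principal with no realm because the AD account was mapped with a short login name. A keytab check that explains that kind of mismatch, as an added example (not MIT krb5 code and not from any message here): it parses `klist -k` output and says why the principal a client will ask for, `service/fqdn@REALM`, is not there. Both `klist` samples are constructed to resemble real output and are not anyone's actual keytab; the same check applies to the `host/` principal that sshd looks up for GSSAPI, the "No principal in keytab matches desired name" case in the next thread.

```python
"""Why a client sees 'No principal in keytab matches desired name', or a principal ending at '@'.

Added example for the keytab threads in this archive; not MIT krb5 code.
It parses `klist -k` output (the samples below are constructed to look like
that output and are not real keytabs) and explains which of the usual
mismatches keeps the wanted principal from being found.
"""
import re

# "   3 HTTP/vmweb.domain.com@DOMAIN.COM" -> kvno, principal
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# Constructed sample: a keytab built from an AD account mapped with a short login name.
KLIST_BROKEN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/vmweb@DOMAIN.COM
   3 HTTP/vmweb.domain.com@
   2 host/vmweb.domain.com@domain.com
"""

# Constructed sample: the keytab after the account was mapped as HTTP/vmweb.domain.com.
KLIST_FIXED = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/vmweb.domain.com@DOMAIN.COM
   2 host/vmweb.domain.com@DOMAIN.COM
"""


def parse_klist(text):
    """Return [(kvno, principal)] from `klist -k` output, skipping header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); an absent part comes back as ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def check_keytab(klist_text, service, fqdn, realm):
    """Is service/fqdn@realm in the keytab?  Return (ok, [explanations])."""
    wanted = f"{service}/{fqdn}@{realm}"
    entries = parse_klist(klist_text)
    for kvno, princ in entries:
        if princ == wanted:
            return True, [f"{princ} present (kvno {kvno})"]
    findings = []
    for _, princ in entries:
        svc, host, rlm = split_principal(princ)
        if svc != service:
            continue  # other services are irrelevant to this request
        if rlm == "":
            findings.append(f"{princ}: realm missing after '@' (the mapping was created without one)")
        elif rlm != realm and rlm.upper() == realm.upper():
            findings.append(f"{princ}: realm {rlm} differs in case from {realm}; realm names are case-sensitive")
        elif host != fqdn and fqdn.startswith(host + "."):
            findings.append(f"{princ}: short host name; clients ask for {wanted}")
        else:
            findings.append(f"{princ}: does not match {wanted}")
    if not findings:
        findings.append(f"no {service}/ principal in keytab at all")
    return False, findings


if __name__ == "__main__":
    for ok, why in (check_keytab(KLIST_BROKEN, "HTTP", "vmweb.domain.com", "DOMAIN.COM"),
                    check_keytab(KLIST_FIXED, "HTTP", "vmweb.domain.com", "DOMAIN.COM")):
        print("OK" if ok else "MISSING", *why, sep="\n  ")
```

Run it against the real thing with `klist -k /etc/krb5.keytab` piped into `parse_klist`, using the FQDN the client actually resolves (forward and reverse DNS have to agree, as the sshd thread below also stresses) and the realm exactly as written in krb5.conf.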
From: hans at woefdram.nl (Hans van Zijst)
Date: Tue, 16 Jun 2009 10:37:03 +0200
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To:
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
Message-ID: <4A3759AF.3050705@woefdram.nl>

Hi Miguel,

Ultimately, I want to have single signon. I can do Kerberos password authentication now and that's already a huge step forward, but single signon is what I want.

This is the sshd-trace of the server. I checked klist on my client and saw I only had the TGT. Then I attempted the ssh connection and checked again; this time I also had a ticket for the server. Looks like the keytab is ok then, doesn't it? Here's the trace:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 772
debug2: parse_server_config: config /etc/ssh/sshd_config len 772
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:23 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:26 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:27 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:28 setting StrictModes yes
debug3: /etc/ssh/sshd_config:30 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:35 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:37 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:39 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:44 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:48 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:52 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:57 setting KerberosAuthentication yes
debug3: /etc/ssh/sshd_config:60 setting KerberosOrLocalPasswd no
debug3: /etc/ssh/sshd_config:61 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:64 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:65 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:67 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:68 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:69 setting PrintMotd no
debug3: /etc/ssh/sshd_config:70 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:71 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:78 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:80 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 772
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 10.115.193.8 port 50535
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 104:65534
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 2204
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 513/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 490/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0xb8d2c768(271)
debug3: mm_request_send entering: type 6
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user thisuser service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 10.115.193.8.
debug2: parse_server_config: config reprocess config len 772
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: input_userauth_request: setting up authctxt for thisuser
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 48
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug1: PAM: initializing for "thisuser"
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 38
debug3: mm_request_receive_expect entering: type 39
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 48 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 38
debug1: Unspecified GSS failure.  Minor code may provide more information
No principal in keytab matches desired name
debug3: mm_request_send entering: type 39
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_receive entering
debug1: userauth-request for user thisuser service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 0
debug2: input_userauth_request: try method gssapi-with-mic
Connection closed by 10.115.193.8
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

Kind regards,

Hans van Zijst

miguel.sanders at arcelormittal.com wrote:
> Hans
>
> Are you attempting Kerberos based password authentication or single sign on?
> Could you also give the sshd trace (-ddd)?
>
>
> Kind regards
> Best regards
> Yours sincerely
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
>
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E miguel.sanders at arcelormittal.com
> www.arcelormittal.com/gent
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Hans van Zijst
> Sent: Monday, 15 June 2009 10:04
> To: kerberos at mit.edu
> Subject: Problem: passwordless SSH-login with Kerberos doesn't work
>
> Hi,
>
> We, a team of 6, administer tens of Linux servers. The historic heritage is that every team member has his own local account on every machine.
> This is a nightmare of course, I don't have to elaborate on that :) Recently we decided to use our Active Directory domain for the Linux machines as well.
>
> I installed 2 testmachines, configured MIT Kerberos, OpenLDAP and PAM and got to the point where we all can log in to the SSH server using our Active Directory credentials.
> At login time, a TGT is automatically retrieved through PAM. From there, I thought, it should be easy to automatically log into SSH without being asked for a password.
>
> Obviously I was wrong... SSH keeps asking for a password, or exits with "permission denied" if I set KerberosOrLocalPassword to "no" in the server config. Help... :)
>
> A message in the ssh client-log ("No valid Key exchange context") seems to indicate a problem with a keytab. However, the keytabs seem to be working just fine. I created these two principals in Active Directory:
>
> host/server.staff.xxxxx.nl at STAFF.XXXXX.NL
> host/client.staff.xxxxx.nl at STAFF.XXXXX.NL
>
> and exported them in a keytab file, without Windows complaining about anything. I copied them to /etc/krb5.keytab and if I check them with ktutil, the correct principal is there. I read a lot about Kerberos being very picky about the principal name being a hostname or FQDN, so I connect using the FQDN and put the FQDN in /etc/hosts on both sides.
>
> Can anyone please shed some light on this? I've Googled a lot, but haven't found anything useful.
>
> This is what I use. I installed 2 Debian Lenny machines, one as a workstation (X, Gnome, the whole shebang), one as a server (no X, only SSH really). Both are virtual machines, running in VirtualBox. They have their own dedicated IP addresses, registered in DNS (forward and reverse map) and the name and IP address of the AD server is in /etc/hosts.
>
> This is the SSH debug log when I try to connect:
>
> -----[ ssh client log ]-----
> ssh -vvvK thisuser at server.staff.xxxxx.nl
>
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
> debug1: Connection established.
> debug1: identity file /home/thisuser/.ssh/identity type -1
> debug1: identity file /home/thisuser/.ssh/id_rsa type -1
> debug1: identity file /home/thisuser/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug2: fd 3 setting O_NONBLOCK
> debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 132/256
> debug2: bits set: 506/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA host key.
> debug1: Found key in /home/thisuser/.ssh/known_hosts:3
> debug2: bits set: 528/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/thisuser/.ssh/identity ((nil))
> debug2: key: /home/thisuser/.ssh/id_rsa ((nil))
> debug2: key: /home/thisuser/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_lookup gssapi-keyex
> debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-keyex
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/thisuser/.ssh/identity
> debug3: no such identity: /home/thisuser/.ssh/identity
> debug1: Trying private key: /home/thisuser/.ssh/id_rsa
> debug3: no such identity: /home/thisuser/.ssh/id_rsa
> debug1: Trying private key: /home/thisuser/.ssh/id_dsa
> debug3: no such identity: /home/thisuser/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> ----- -----
>
> And here's the log (at DEBUG level) of the SSH server:
>
> -----[ ssh server log ]-----
> debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
> debug1: Forked child 2475.
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.115.193.8 port 35195
> debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
> debug1: PAM: initializing for "thisuser"
> debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl"
> debug1: PAM: setting PAM_TTY to "ssh"
> Failed none for thisuser from 10.115.193.8 port 35195 ssh2
> debug1: Unspecified GSS failure.  Minor code may provide more information\nNo principal in keytab matches desired name\n
> debug1: do_cleanup
> debug1: PAM: cleanup
> ----- -----
>
>
> This is my SSH config:
>
> -----[ /etc/ssh/sshd_config ]-----
> # Package generated configuration file
> # See the sshd(8) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> #LogLevel INFO
> LogLevel DEBUG
>
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
>
> RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
>
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> KerberosOrLocalPasswd no
> KerberosTicketCleanup yes
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no > AcceptEnv LANG LC_* > Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes > ----- ----- > > > I configured /etc/krb5.conf as follows: > > -----[ /etc/krb5.conf ]----- > [logging] > default = FILE:/var/log/krb5-lib.log > kdc = FILE:/var/log/krb5-kdc.log > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > default_realm = STAFF.XXXXX.NL > default_keytab_name = FILE:/etc/krb5.keytab > dns_lookup_realm = true > dns_lookup_kdc = true > kdc_timesync = 1 > ccache_type = 4 > forwardable = true > proxiable = true > > [realms] > STAFF.XXXXX.NL = { > kdc = zbdc01 > admin_server = zbdc01 > } > > [domain_realm] > .staff.xxxxx.nl = STAFF.XXXXX.NL > staff.xxxxx.nl = STAFF.XXXXX.NL > > [login] > krb4_convert = false > krb4_get_tickets = false > > [appdefaults] > pam = { > debug = false > ticket_lifetime = 36000 > renew_lifetime = 36000 > forwardable = true > krb4_convert = false > validate = true > } > ----- ----- > > > > Kind regards, > > Hans van Zijst > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > **** > This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. > **** > > From hans at woefdram.nl Tue Jun 16 08:55:03 2009 
From: hans at woefdram.nl (Hans van Zijst)
Date: Tue, 16 Jun 2009 14:55:03 +0200
Subject: Problem: passwordless SSH-login with Kerberos doesn't work
In-Reply-To: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
References: <4a36006b$0$27420$e4fe514c@dreader31.news.xs4all.nl>
Message-ID: <4a379629$0$19294$e4fe514c@dreader28.news.xs4all.nl>

Hi,

Problem solved! Thanks to Miguel for giving me some hints. As usual, the problem was minor. It proved that the encryption method I used to create the keytab was wrong. Google served me several articles that stated I would have to use single DES. After a long struggle, I tried the Windows standard: arcfour. That did the trick. That'll teach me to follow articles just like that... :)

Several articles urged me to use a user account instead of a computer account. I tried both and didn't notice any difference after everything was in place. The only difference I noticed was while exporting the keytab: you can map the principal to a user by simply providing the username. When using a computer account, you have to supply ktpass with the full path to the computer object.

This is how I exported the keytab:

ktpass -princ host/server.staff.xxxxx.nl@STAFF.XXXXX.NL -mapuser staff.xxxxx.nl/Werkstations/Networkoperations/Systems/server +rndPass -ptype KRB5_NT_SRV_HST -out server.keytab

Then I copied this keytab to /etc/krb5.keytab on the server and everything worked.

Kind regards,
Hans van Zijst

Hans van Zijst wrote:
> Hi,
>
> We, a team of 6, administer tens of Linux servers. The historic heritage
> is that every team member has his own local account on every machine.
> This is a nightmare of course, I don't have to elaborate on that :)
> Recently we decided to use our Active Directory domain for the Linux
> machines as well.
>
> I installed 2 test machines, configured MIT Kerberos, OpenLDAP and PAM
> and got to the point where we all can log in to the SSH server using
> our Active Directory credentials.
> At login time, a TGT is automatically retrieved through PAM. From there,
> I thought, it should be easy to automatically log into SSH without being
> asked for a password.
>
> Obviously I was wrong... SSH keeps asking for a password, or exits with
> "permission denied" if I set KerberosOrLocalPassword to "no" in the
> server config. Help... :)
>
> A message in the ssh client log ("No valid Key exchange context") seems
> to indicate a problem with a keytab. However, the keytabs seem to be
> working just fine. I created these two principals in Active Directory:
>
> host/server.staff.xxxxx.nl@STAFF.XXXXX.NL
> host/client.staff.xxxxx.nl@STAFF.XXXXX.NL
>
> and exported them in a keytab file, without Windows complaining about
> anything. I copied them to /etc/krb5.keytab and if I check them with
> ktutil, the correct principal is there. I read a lot about Kerberos
> being very picky about the principal name being a hostname or FQDN, so I
> connect using the FQDN and put the FQDN in /etc/hosts on both sides.
>
> Can anyone please shed some light on this? I've Googled a lot, but
> haven't found anything useful.
>
> This is what I use. I installed 2 Debian Lenny machines, one as a
> workstation (X, Gnome, the whole shebang), one as a server (no X, only
> SSH really). Both are virtual machines, running in VirtualBox. They have
> their own dedicated IP addresses, registered in DNS (forward and reverse
> map) and the name and IP address of the AD server is in /etc/hosts.
>
> This is the SSH debug log when I try to connect:
>
> -----[ ssh client log ]-----
> ssh -vvvK thisuser@server.staff.xxxxx.nl
>
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server.staff.xxxxx.nl [10.115.193.26] port 22.
> debug1: Connection established.
> debug1: identity file /home/thisuser/.ssh/identity type -1 > debug1: identity file /home/thisuser/.ssh/id_rsa type -1 > debug1: identity file /home/thisuser/.ssh/id_dsa type -1 > debug1: Remote protocol version 2.0, remote software version > OpenSSH_5.1p1 Debian-5 > debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5 > debug2: fd 3 setting O_NONBLOCK > debug1: Offering GSSAPI proposal: > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ== > > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr > > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr > > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at 
openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr > > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr > > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-cbc hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug2: dh_gen_key: priv key bits set: 132/256 > debug2: bits set: 506/1024 > 
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 3 > debug3: check_host_in_hostfile: filename /home/thisuser/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 1 > debug1: Host 'server.staff.zeelandnet.nl' is known and matches the RSA > host key. > debug1: Found key in /home/thisuser/.ssh/known_hosts:3 > debug2: bits set: 528/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /home/thisuser/.ssh/identity ((nil)) > debug2: key: /home/thisuser/.ssh/id_rsa ((nil)) > debug2: key: /home/thisuser/.ssh/id_dsa ((nil)) > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: preferred > gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive > debug3: authmethod_lookup gssapi-keyex > debug3: remaining preferred: > gssapi-with-mic,gssapi,publickey,keyboard-interactive > debug3: authmethod_is_enabled gssapi-keyex > debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: gssapi,publickey,keyboard-interactive > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug2: we sent a 
gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug2: we sent a gssapi-with-mic packet, wait for reply > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug2: we did not send a packet, disable method > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Trying private key: /home/thisuser/.ssh/identity > debug3: no such identity: /home/thisuser/.ssh/identity > debug1: Trying private key: /home/thisuser/.ssh/id_rsa > debug3: no such identity: /home/thisuser/.ssh/id_rsa > debug1: Trying private key: /home/thisuser/.ssh/id_dsa > debug3: no such identity: /home/thisuser/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug1: No more authentication methods to try. > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). > ----- ----- > > And here's the log (at DEBUG level) of the SSH server: > > -----[ ssh server log ]----- > debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7 > debug1: Forked child 2475. > debug1: inetd sockets after dupping: 3, 3 > Connection from 10.115.193.8 port 35195 > debug1: Client protocol version 2.0; client software version > OpenSSH_5.1p1 Debian-5 > debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5 > debug1: PAM: initializing for "thisuser" > debug1: PAM: setting PAM_RHOST to "client.staff.xxxxx.nl" > debug1: PAM: setting PAM_TTY to "ssh" > Failed none for thisuser from 10.115.193.8 port 35195 ssh2 > debug1: Unspecified GSS failure. 
Minor code may provide more > information\nNo principal in keytab matches desired name\n > debug1: do_cleanup > debug1: PAM: cleanup > ----- ----- > > > This is my SSH config: > > -----[ /etc/ssh/sshd_config ]----- > # Package generated configuration file > # See the sshd(8) manpage for details > > # What ports, IPs and protocols we listen for > Port 22 > # Use these options to restrict which interfaces/protocols sshd will > bind to > #ListenAddress :: > #ListenAddress 0.0.0.0 > Protocol 2 > # HostKeys for protocol version 2 > HostKey /etc/ssh/ssh_host_rsa_key > HostKey /etc/ssh/ssh_host_dsa_key > #Privilege Separation is turned on for security > UsePrivilegeSeparation yes > > # Lifetime and size of ephemeral version 1 server key > KeyRegenerationInterval 3600 > ServerKeyBits 768 > > # Logging > SyslogFacility AUTH > #LogLevel INFO > LogLevel DEBUG > > # Authentication: > LoginGraceTime 120 > PermitRootLogin yes > StrictModes yes > > RSAAuthentication yes > #PubkeyAuthentication yes > #AuthorizedKeysFile %h/.ssh/authorized_keys > > # Don't read the user's ~/.rhosts and ~/.shosts files > IgnoreRhosts yes > # For this to work you will also need host keys in /etc/ssh_known_hosts > RhostsRSAAuthentication no > # similar for protocol version 2 > HostbasedAuthentication no > # Uncomment if you don't trust ~/.ssh/known_hosts for > RhostsRSAAuthentication > #IgnoreUserKnownHosts yes > > # To enable empty passwords, change to yes (NOT RECOMMENDED) > PermitEmptyPasswords no > > # Change to yes to enable challenge-response passwords (beware issues with > # some PAM modules and threads) > ChallengeResponseAuthentication no > > # Change to no to disable tunnelled clear text passwords > #PasswordAuthentication yes > > # Kerberos options > KerberosAuthentication yes > #KerberosGetAFSToken no > KerberosOrLocalPasswd no > KerberosTicketCleanup yes > > # GSSAPI options > GSSAPIAuthentication yes > GSSAPICleanupCredentials yes > > X11Forwarding yes > X11DisplayOffset 10 > PrintMotd 
no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> ----- -----
>
>
> I configured /etc/krb5.conf as follows:
>
> -----[ /etc/krb5.conf ]-----
> [logging]
> default = FILE:/var/log/krb5-lib.log
> kdc = FILE:/var/log/krb5-kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = STAFF.XXXXX.NL
> default_keytab_name = FILE:/etc/krb5.keytab
> dns_lookup_realm = true
> dns_lookup_kdc = true
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> STAFF.XXXXX.NL = {
> kdc = zbdc01
> admin_server = zbdc01
> }
>
> [domain_realm]
> .staff.xxxxx.nl = STAFF.XXXXX.NL
> staff.xxxxx.nl = STAFF.XXXXX.NL
>
> [login]
> krb4_convert = false
> krb4_get_tickets = false
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> validate = true
> }
> ----- -----
>
>
>
> Kind regards,
>
> Hans van Zijst

From palexvs at gmail.com Tue Jun 16 08:47:20 2009
From: palexvs at gmail.com (alexvs)
Date: Tue, 16 Jun 2009 05:47:20 -0700 (PDT)
Subject: PacketCable KDC
Message-ID:

Has anybody implemented a PacketCable KDC using Heimdal, MIT, etc.? Could you tell me how to configure the KDC for an MTA?

Thanks.

From hubert.chomette at unilim.fr Thu Jun 18 04:43:13 2009
From: hubert.chomette at unilim.fr (Hubert Chomette)
Date: Thu, 18 Jun 2009 10:43:13 +0200
Subject: kerberos and windows XP home edition
Message-ID: <97F549D8-8354-4A40-A74D-1996F083EFFB@unilim.fr>

Hi

I am trying to add a Windows XP Home Edition machine to my realm and I've got an issue. The same setup works with Windows XP Pro. Is there an incompatibility with XP Home, or am I missing something in the configuration?

Thanks for your help.

Regards,

From cclausen at acm.org Thu Jun 18 09:39:39 2009
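Following Hans van Zijst's resolution above (the keytab exported with ktpass and copied to /etc/krb5.keytab), here is an added check that is not from the thread: it parses the output of `klist -kte`, reports whether the keytab holds the host principal the SSH client asks for, which enctypes it carries, and whether it is limited to single DES. The listings are constructed samples, and the enctype labels are matched loosely because their wording differs between krb5 versions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: Optional[str]  # text inside the parentheses printed by -e, if any


# One "klist -kte" entry: KVNO, a two-token timestamp, the principal and,
# with -e, the enctype in parentheses. The header line and the dashed rule
# do not start with a number and are therefore skipped.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\((.+)\))?\s*$")


def parse_klist(listing: str) -> list:
    entries = []
    for line in listing.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_single_des(enctype: Optional[str]) -> bool:
    """True for des-cbc-crc / des-cbc-md5 style keys, whether printed in the
    old long form ("DES cbc mode with CRC-32") or the short name; triple DES
    is deliberately excluded."""
    if not enctype:
        return False
    label = enctype.lower()
    if "des3" in label or "triple" in label:
        return False
    return "des-cbc" in label or "des cbc" in label


def check_host_principal(entries, fqdn: str, realm: str) -> dict:
    """Report whether host/<fqdn>@<REALM> is present and not DES-only.
    A missing entry is what sshd reports as
    'No principal in keytab matches desired name'."""
    wanted = f"host/{fqdn.lower()}@{realm.upper()}"
    mine = [e for e in entries if e.principal == wanted]
    enctypes = [e.enctype or "unknown" for e in mine]
    problems = []
    if not mine:
        problems.append(f"no key for {wanted}")
        # Other host/ principals hint at a short name or wrong realm case.
        others = sorted({e.principal for e in entries if e.principal.startswith("host/")})
        if others:
            problems.append("host principals present instead: " + ", ".join(others))
    elif all(is_single_des(t) for t in enctypes):
        problems.append("only single-DES keys for " + wanted)
    kvnos = sorted({e.kvno for e in mine})
    if len(kvnos) > 1:
        problems.append(f"several kvnos for {wanted}; stale keys may remain")
    return {"principal": wanted, "found": bool(mine), "enctypes": enctypes,
            "kvnos": kvnos, "problems": problems}


# Constructed sample of "klist -kte" output, not taken from the thread.
GOOD_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/16/09 14:20:01 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (ArcFour with HMAC/md5)
   3 06/16/09 14:20:01 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (DES cbc mode with CRC-32)
"""

# Constructed sample: short host name instead of the FQDN.
BAD_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/15/09 10:02:11 host/server@STAFF.XXXXX.NL (DES cbc mode with CRC-32)
"""

# Constructed sample: right principal, but only a single-DES key.
DES_ONLY_LISTING = """\
   2 06/15/09 10:02:11 host/server.staff.xxxxx.nl@STAFF.XXXXX.NL (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_LISTING), ("bad", BAD_LISTING), ("des", DES_ONLY_LISTING)):
        print(name, check_host_principal(parse_klist(text), "server.staff.xxxxx.nl", "STAFF.XXXXX.NL"))
```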
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 18 Jun 2009 08:39:39 -0500
Subject: kerberos and windows XP home edition
References: <97F549D8-8354-4A40-A74D-1996F083EFFB@unilim.fr>
Message-ID:

Hubert Chomette wrote:
> I try to add a windows XP home edition on my realm and I've got an issue.
> Same setup works with windows XP pro.
> Is there an incompatibility with XP home or do I miss something with
> the configuration?
> thanks for your help

I know that Windows XP Home systems do not support being joined to a Windows domain. I assume that this same limitation applies to Kerberos realms as well.

<1E393FB5-8557-4BBE-8896-5FCE67A6F41D@mit.edu> <62BB655E-AFB4-4C02-9B00-C6980E36D857@mit.edu>
Message-ID:

It seems that this patch didn't wind up in the recent kerberos release. Do you think somebody could review it for inclusion soon, so that it has a chance of making it into the next release? If any changes need to be made, please let me know and I will make them. Thanks!

- a

Ken Raeburn writes:
> Sure. :)
> At first glance it looks good, but I want to have a closer look
> before committing it (unless someone else gets to it first). Thanks
> for sending it in!
>
> Adam Megacz writes:
> > Hi, would it be possible for the Kerberos maintainers to consider the
> > patch below for inclusion in the main libkadm5 distribution?
> >
> > - a
> >
> > Adam Megacz writes:
> >> Ken Raeburn writes:
> >>>> I believe the future has already arrived. Current MIT code should
> >>>> be capable of finding and using records like this:
> >>>>
> >>>> spam% dig _kerberos-adm._tcp.umich.edu srv
> >>>
> >>> This is used for the password-changing service, but unfortunately the
> >>> RPC code used for the kadmin program still looks up admin_server, and
> >>> uses the first IP address found when looking up that hostname. No
> >>> DNS, one hostname, one address, no service-location plugin support,
> >>> no IPv6. These do need to be fixed....
> >>
> >> This should help.
> >>
> >> - a
> >> > >> > >> diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c > >> index bb87f88..48b1792 100644 > >> --- a/src/lib/kadm5/alt_prof.c > >> +++ b/src/lib/kadm5/alt_prof.c > >> @@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, > >> params.admin_server = strdup(params_in->admin_server); > >> if (params.admin_server) > >> params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> - } else if (aprofile && > >> - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { > >> - params.admin_server = svalue; > >> - params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + } else if (aprofile) { > >> + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { > >> + params.admin_server = svalue; > >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + } else { > >> + struct addrlist addrlist; > >> + int i; > >> + krb5_data drealm; > >> + drealm.data = (void*)params.realm; > >> + drealm.length = strlen(params.realm); > >> + if (!krb5int_locate_server(context, &drealm, &addrlist, 0, > >> + "admin_server", "_kerberos-adm", 1, > >> + DEFAULT_KPASSWD_PORT, 0, 0)) { > >> + for (i=0;i >> + struct addrinfo *a = addrlist.addrs[i]; > >> + if (a->ai_family == AF_INET) { > >> + params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr)); > >> + params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port); > >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER; > >> + params.mask |= KADM5_CONFIG_KADMIND_PORT; > >> + break; > >> + } > >> + } > >> + } > >> + } > >> } > >> if (params.mask & KADM5_CONFIG_ADMIN_SERVER) { > >> char *p; > >> > >> ________________________________________________ > >> Kerberos mailing list Kerberos at mit.edu > >> https://mailman.mit.edu/mailman/listinfo/kerberos > >> > > > > -- > > > > ________________________________________________ > > Kerberos mailing list Kerberos at mit.edu > > https://mailman.mit.edu/mailman/listinfo/kerberos > > > > -- > From miguel.sanders at arcelormittal.com Tue Jun 23 03:29:42 2009 
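Review bot: in the new `else` branch of kadm5_get_config_params (alt_prof.c), `params.admin_server = strdup(inet_ntoa(...))` is followed by setting KADM5_CONFIG_ADMIN_SERVER unconditionally, whereas the branch just above it only sets the mask bit `if (params.admin_server)`; on allocation failure the mask would advertise an admin server whose pointer is NULL, so guard the mask update the same way. In the same block, the `_kerberos-adm` lookup is given `DEFAULT_KPASSWD_PORT` as its fallback port while the result is stored in `params.kadmind_port`, so an SRV answer that ends up with the default would point kadmin at the kpasswd port; the kadmind default (DEFAULT_KADM5_PORT) belongs there. The loop also keeps only the first AF_INET answer, so an IPv6-only record is silently skipped, which leaves the "no IPv6" item in Ken's quoted message unaddressed, and `addrlist` is never released after the loop (krb5int_free_addrlist). Finally, the loop header as quoted here is cut off after `for (i=0;i`, apparently losing the comparison in transit, so the bound cannot be reviewed from this copy; please resend the patch as an attachment.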
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Tue, 23 Jun 2009 09:29:42 +0200
Subject: HostToRealm issue on Windows
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206C469A0@GEN-MXB-V04.msad.arcelor.net>

Hi guys

I'm currently facing a problem with the HostToRealm mapping on a Windows client machine in a cross-realm setup. Let's consider the following setup:

REALMA.COM - AD realm (DNS suffix realma.com)
REALMB.COM - MIT realm (DNS suffix realmb.com)

Cross-realm setup is in place and working properly (tested by doing an SSPI ticket request for HTTP/somehost.realmb.com@REALMB.COM).

The HostToRealm mapping is set up properly in the registry of the Windows XP client machine, so that .realmb.com is linked to REALMB.COM (I don't know if this is really necessary, since the realm name is the uppercase version of the DNS zone).

Now there appears to be a problem when using IE/Mozilla, since neither application will append a realm AFAIK. Apparently, whenever the Windows XP client machine attempts to ask for a service ticket for HTTP/somehost.realmb.com, the TGS-REQ is sent to the REALMA.COM realm.

I always thought that the [domain_realm] / HostToRealm section was searched by the client in order to know which realm should be addressed. As a result, the client libs would come to realize that somehost.realmb.com is linked to REALMB.COM and that a cross-realm ticket would be needed first. Unfortunately, this is not what is happening :(

Any idea what is wrong with the scenario above?

Thanks for your help

Kind regards / Best regards / Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From fmendez at qualitytech.com Tue Jun 23 11:04:38 2009
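For the [domain_realm] / HostToRealm question in Miguel's message above (and the .staff.xxxxx.nl / staff.xxxxx.nl pair in Hans's krb5.conf earlier in the thread), here is an added example that is not from the thread: it reproduces the search order MIT krb5 applies to the [domain_realm] section (the full host name, then each parent domain, the form with a leading dot before the one without) and derives which tickets a client in another realm must obtain. The uppercase-DNS-domain fallback is the convention Miguel mentions and is marked as an assumption in the code; a direct cross-realm trust with no [capaths] is also assumed.

```python
from typing import Optional, Tuple, List


def host_realm(hostname: str, domain_realm: dict,
               upper_domain_fallback: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """Map a host name to a realm the way the MIT [domain_realm] section is
    searched: the host itself first, then each parent domain, trying the
    entry with a leading dot before the one without. So ".realmb.com"
    matches every host below realmb.com, while "realmb.com" matches that
    exact name and, absent a dotted entry, hosts below it as well.
    Returns (realm, matched_key); matched_key is None if the fallback fired."""
    host = hostname.rstrip(".").lower()
    table = {k.lower(): v for k, v in domain_realm.items()}
    cp = host
    while cp:
        if cp in table:
            return table[cp], cp
        if cp.startswith("."):
            cp = cp[1:]                        # ".b.c" -> "b.c"
        else:
            dot = cp.find(".")
            cp = cp[dot:] if dot >= 0 else ""  # "a.b.c" -> ".b.c", "c" -> ""
    # Assumption (not from the thread's configs): with no mapping at all,
    # use the DNS domain in upper case, the convention Miguel refers to.
    if upper_domain_fallback and "." in host:
        return host.split(".", 1)[1].upper(), None
    return None, None


def tickets_needed(client_realm: str, service: str, domain_realm: dict) -> List[str]:
    """Principals a client holding a TGT for client_realm must obtain, in
    order, to reach a service such as "HTTP/somehost.realmb.com".
    Assumes a direct cross-realm trust (no [capaths] hops)."""
    svc, host = service.split("/", 1)
    realm, _ = host_realm(host, domain_realm)
    if realm is None:
        raise ValueError(f"no realm known for {host}")
    target = f"{svc}/{host}@{realm}"
    if realm == client_realm:
        return [target]
    # Foreign realm: first a cross-realm TGT from the home KDC, then the
    # service ticket from the foreign KDC.
    return [f"krbtgt/{realm}@{client_realm}", target]


# The mappings from the thread: Hans's krb5.conf and Miguel's scenario.
HANS_MAP = {".staff.xxxxx.nl": "STAFF.XXXXX.NL", "staff.xxxxx.nl": "STAFF.XXXXX.NL"}
MIGUEL_MAP = {".realmb.com": "REALMB.COM"}

if __name__ == "__main__":
    print(host_realm("server.staff.xxxxx.nl", HANS_MAP))
    print(tickets_needed("REALMA.COM", "HTTP/somehost.realmb.com", MIGUEL_MAP))
```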
From: fmendez at qualitytech.com (Mendez, Franklyn)
Date: Tue, 23 Jun 2009 11:04:38 -0400
Subject: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.
Message-ID: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz>

Hello all,

I am thinking of configuring our Windows XP Prof workstations to authenticate against our Kerberos servers. I have so far configured them successfully through the use of ksetup.exe. I have mapped the user * to * and it works well, authorizing those users that have already been created locally on the workstation. Ksetup can map users 1 to 1 or use the wildcard * for all; obviously ksetup doesn't help me much in terms of authorization.

My next step is using OpenLDAP to authorize them, to better control who logs into which workstation and to manage group memberships.

In my online searches I found a lot of third-party directory services, but many cost money. I want to use my existing LDAP setup.

We currently have Solaris, *nix, AIX and Red Hat Linux servers being authenticated and authorized by our KRB5 and LDAP DBs.

Has anyone done this before? Can you guide me through the path?

Thank you in advance for your time and information,

Franklyn Mendez

From fmendez at qualitytech.com Tue Jun 23 11:38:37 2009
From: fmendez at qualitytech.com (Mendez, Franklyn)
Date: Tue, 23 Jun 2009 11:38:37 -0400
Subject: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.
In-Reply-To: <4A40F3E6.7090806@scottgrizzard.com>
References: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz> <4A40F3E6.7090806@scottgrizzard.com>
Message-ID: <5888FCB767AD5F41A65DC0DCFE91C921102C8C0D@EDC-SUW-EXCH.edeltacom.biz>

I came across some articles of people doing it that way. I didn't stop to think about it, but it could work very well. It's just another application in the picture we need to worry about. Also, Samba's vulnerability or security is not so good. I will give it a try.

Franklyn Mendez

-----Original Message-----
From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Tuesday, June 23, 2009 11:25 AM
To: Mendez, Franklyn
Subject: Re: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.

Have you tried using samba3 as an NT4-style domain controller with an LDAP backend? It was messy, but I got it to work so the XP workstations authenticate against the Samba PDC, and then used MIT Kerberos on the desktops to authenticate to the KDC. Since both Samba and Kerberos were using the same LDAP database, the user only had one password, and was automatically logged in to the KDC once they signed on to the Windows Domain.

- Scott Grizzard
http://www.scottgrizzard.com
scott at scottgrizzard.com

From javiplx at gmail.com Tue Jun 23 13:36:20 2009
From: javiplx at gmail.com (Javier Palacios)
Date: Tue, 23 Jun 2009 19:36:20 +0200
Subject: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.
In-Reply-To: <5888FCB767AD5F41A65DC0DCFE91C921102C8C0D@EDC-SUW-EXCH.edeltacom.biz>
References: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz> <4A40F3E6.7090806@scottgrizzard.com> <5888FCB767AD5F41A65DC0DCFE91C921102C8C0D@EDC-SUW-EXCH.edeltacom.biz>
Message-ID:

Hello,

Besides Samba, you could have a look at pGina. You have LDAP authentication + authorization for sure, but I don't remember a mixed Kerberos-LDAP option (I searched for that about two years ago).

There is also a Windows SSP that allowed you to do what you want, and a couple of things you may only be thinking of, such as creating authorized accounts on the fly. I'm not aware of improvements (again, since two years ago), but I did the work more or less nicely (I needed to patch it to not remove local accounts if something fails). It is at http://sc-ap.sourceforge.net/

I cannot tell you if any of these allow any kind of roaming profile, in case you need it.

Javier Palacios

From scott at scottgrizzard.com Tue Jun 23 11:26:23 2009
From: scott at scottgrizzard.com (Scott Grizzard) Date: Tue, 23 Jun 2009 11:26:23 -0400 Subject: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP. In-Reply-To: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz> References: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz> Message-ID: <4A40F41F.5070304@scottgrizzard.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have you tried using samba3 as an NT4 style domain controller with an ldap backend? It was messy, but I got it to work so the XP workstations authenticate against the SambaPDC, and then used MIT Kerberos on the desktops to authenticate to the KDC. Since both Samba and Kerberos were using the same LDAP database, the user only had one password, and was automatically logged in to the KDC once they signed on to the Windows Domain. - - Scott Grizzard http://www.scottgrizzard.com scott at scottgrizzard.com Mendez, Franklyn wrote: > Hello all, > > > > I am thinking of configuring our Windows XP Prof workstation to > authenticate against our Kerberos servers. I have so far configured them > successfully though the use of ksetup.exe. I have mapped the user * to * > and it works well authorizing these users that have already been created > locally on the workstation. Ksetup can map 1 to 1 user and the use of > the wildcard * for all; obviously ksetup doesn't help me much in terms > of authorization. > > > > My next step is using the Openldap to authorize them and better control > who logs into what workstation and manage group memberships. > > > > In my online searches I found a lot of third parties directory services, > but many cost money. I want to use my existing LDAP setup. > > We currently have Solaris, *nix, AIX and Red Hat Linux server being > authenticated and authorized by our KRB5 and LDAP DBs. > > > > Have anyone done this before? can you guide me through the path? 
> Thank you in advance for your time and information,
>
> Franklyn Mendez
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpA9B4ACgkQARR1QiSWUG6/DwCfXe2Xzc3tLXRq0ACLBAelOMK3
KXYAn2vOc/UjZti2jJbepwNX1XksSlnQ
=HEXI
-----END PGP SIGNATURE-----

From o.flebbe at science-computing.de Wed Jun 24 02:30:25 2009
From: o.flebbe at science-computing.de (Olaf Flebbe)
Date: Wed, 24 Jun 2009 08:30:25 +0200
Subject: Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.
In-Reply-To:
References: <5888FCB767AD5F41A65DC0DCFE91C921102C8B81@EDC-SUW-EXCH.edeltacom.biz> <4A40F3E6.7090806@scottgrizzard.com> <5888FCB767AD5F41A65DC0DCFE91C921102C8C0D@EDC-SUW-EXCH.edeltacom.biz>
Message-ID: <4A41C801.7040404@science-computing.de>

Hi,

> There is also a Windows SSP that allowed you to do what you want, and
> a couple of things you may only be thinking about, such as creating
> authorized accounts on the fly. I'm not aware of improvements (again,
> as of two years ago), but I did the work more or less nicely (I needed
> to patch it so it would not remove local accounts if something failed).
> It is at http://sc-ap.sourceforge.net/

I did the sc-ap thingy. It is "only" a wrapper around the Kerberos SSP, creating accounts on the fly before Kerberos does its work.

I would be happy to proceed if anyone has an idea for improving sc-ap. Please send me patches; I would be happy to include them.

There is one thing I did not publish until now: I have a patch to extract most of the cleartext password (at least with XP) with sc-ap, since Microsoft only did an easy "encryption". On the positive side: knowledge of the algorithm to reconstruct the cleartext password would be a huge step in the direction of writing MS-independent SSPs.

> I cannot tell you if any of these allow any kind of roaming profile,
> in case you need it.

If I remember correctly, roaming profiles are quite difficult, since the corresponding client technology is quite undocumented, AFAIK. If someone has a pointer ...

Greetings,
Olaf Flebbe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: o_flebbe.vcf
Type: text/x-vcard
Size: 389 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090624/115d0c10/o_flebbe.vcf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2329 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090624/115d0c10/smime.bin

From Shahezad_Mirkar at bmc.com Wed Jun 24 08:52:29 2009
From: Shahezad_Mirkar at bmc.com (Mirkar, Shahezad)
Date: Wed, 24 Jun 2009 18:22:29 +0530
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A2DB9BB@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu> <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com> <6344D3A1F3677A429F994D643E17F84F145A2DB990@USCIMMBX001.net.plm.eds.com> <6344D3A1F3677A429F994D643E17F84F145A2DB9BB@USCIMMBX001.net.plm.eds.com>
Message-ID:

-----Original Message-----
From: Tadoori (EXT), Vilas [mailto:vilas.tadoori.ext at siemens.com]
Sent: Tuesday, May 26, 2009 6:21 PM
To: Mirkar, Shahezad
Subject: RE: Issues starting kadmin on suse linux

I have corrected it and tested it... It is working like a charm. I am able to get on to kadmin -p, log in with the password and get on to the kadmin interface. I can also get the ticket with kinit -p. I will test the applications on this....

Thanks a ton for the knowledge sharing, Shahezad. I owe you one ;-)

Thanks
Vilas

-----Original Message-----
From: Mirkar, Shahezad [mailto:Shahezad_Mirkar at bmc.com]
Sent: Tuesday, May 26, 2009 6:17 PM
To: Tadoori (EXT), Vilas
Subject: RE: Issues starting kadmin on suse linux

Did you correct the krb5.conf? One more suspect is that it could be a problem with the /etc/hosts mapping, e.g.:

======================old /etc/hosts ===========================
127.0.0.1 mykdc.krb.com localhost.localdomain localhost mykdc

Then correct it to

======================new /etc/hosts ===========================
10.195.3.99 mykdc.krb.com
127.0.0.1 localhost.localdomain localhost mykdc

-----Original Message-----
From: Tadoori (EXT), Vilas [mailto:vilas.tadoori.ext at siemens.com]
Sent: Tuesday, May 26, 2009 5:27 PM
To: Mirkar, Shahezad; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Here is my kdc.conf

-----Original Message-----
From: Mirkar, Shahezad [mailto:Shahezad_Mirkar at bmc.com]
Sent: Tuesday, May 26, 2009 5:24 PM
To: Tadoori (EXT), Vilas; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Also need kdc.conf output

-----Original Message-----
From: Tadoori (EXT), Vilas [mailto:vilas.tadoori.ext at siemens.com]
Sent: Tuesday, May 26, 2009 5:13 PM
To: Mirkar, Shahezad; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Please find the attached krb5.conf file

Thanks
Vilas

-----Original Message-----
From: Mirkar, Shahezad [mailto:Shahezad_Mirkar at bmc.com]
Sent: Tuesday, May 26, 2009 5:06 PM
To: Tadoori (EXT), Vilas; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Can you send us the krb5.conf file details? It would help us debug the issue.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Tadoori (EXT), Vilas
Sent: Tuesday, May 26, 2009 5:01 PM
To: Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

I have the KDC process running as below, and the krb5.conf is also there in /etc:

svlv6017:/ # ps -ef | grep krb5kdc
root     25769     1  0 May25 ?        00:00:00 ./krb5kdc
root      4950 20257  0 06:29 pts/0    00:00:00 grep krb5kdc

How can I check the DNS issue?

Thanks
Vilas

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Monday, May 25, 2009 11:10 PM
To: Tadoori (EXT), Vilas
Cc: Luke Scharf; kerberos at mit.edu
Subject: Re: Issues starting kadmin on suse linux

On May 25, 2009, at 08:36, Tadoori (EXT), Vilas wrote:
> Hi Luke,
>
> I am able to resolve that issue. It was because I did not create the
> database, and when I created the database with kdb5_util create -s
> my daemons started working.
>
> Now I am getting a new error:
>
> svlv6017:/usr/local/sbin # ./kadmin
> Authenticating as principal admroot/admin at NET.PLM.EDS.COM with
> password.
> kadmin: Cannot contact any KDC for requested realm while
> initializing kadmin interface
>
> Any idea how I get over this?

It looks like either you don't have a KDC (krb5kdc) process running, or
krb5.conf or DNS doesn't tell you where to reach it.

-- Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
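The thread above ends with Vilas asking how to check the DNS side of "Cannot contact any KDC for requested realm", and with Shahezad's fix of moving the KDC's name off the 127.0.0.1 line in /etc/hosts. The script below is an added example written for this page; it is not code from the thread or from MIT Kerberos. It checks the three things Ken Raeburn's reply names: that krb5.conf lists a kdc/admin_server for the realm, that those names do not resolve only to loopback in the hosts file, and (on the KDC itself) that krb5kdc and kadmind are running and DNS publishes the SRV records clients use when krb5.conf says nothing. Assumptions not taken from the thread: the script name kdc-reach.sh, the argument order (krb5.conf path, hosts path, realm), and the demo data, which is constructed from the thread's hosts example (host mykdc.krb.com, address 10.195.3.99) with an invented realm KRB.COM.

```shell
#!/bin/sh
# Added example for the "Cannot contact any KDC for requested realm" thread;
# not code from the thread or from MIT Kerberos.  Checks krb5.conf realm
# servers, their /etc/hosts mapping, and (live) daemons and DNS SRV records.
# Assumed argument order: KRB5CONF HOSTSFILE REALM.  Demo data is constructed.

# Print the kdc = / admin_server = values for REALM from a krb5.conf file,
# one per line.  Usage: realm_servers FILE REALM
realm_servers() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0; inrealm = 0 }          # new [section]
        section ~ /\[realms\]/ && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }                # end of REALM = { ... }
        inrealm && ($1 == "kdc" || $1 == "admin_server") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print
        }
    ' "$1"
}

# Classify how HOST appears in an /etc/hosts-style file.  Returns 0 if it has
# a non-loopback address, 1 if it only sits on a 127.x/::1 line (the mapping
# the thread corrected), 2 if it is absent.  Usage: hosts_mapping FILE HOST
hosts_mapping() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                                         # strip comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == host) {
                  found = 1
                  if ($1 !~ /^127\./ && $1 != "::1") ok = 1
              } }
        END { exit (ok ? 0 : (found ? 1 : 2)) }
    ' "$1"
}

# Report on every server krb5.conf lists for REALM.  Returns 1 if the realm has
# no servers configured or any of them resolves only to loopback.
# Usage: check_realm KRB5CONF HOSTSFILE REALM
check_realm() {
    conf=$1; hostsfile=$2; realm=$3; rc=0
    servers=$(realm_servers "$conf" "$realm")
    if [ -z "$servers" ]; then
        echo "FAIL: no kdc/admin_server for $realm in $conf; clients must find the KDC through DNS"
        return 1
    fi
    for entry in $servers; do
        host=${entry%%:*}                                          # drop :port
        hosts_mapping "$hostsfile" "$host" && st=0 || st=$?
        case $st in
            0) echo "ok:   $host has a routable address in $hostsfile" ;;
            1) echo "FAIL: $host is only on a loopback line in $hostsfile; move it to the KDC's real address"; rc=1 ;;
            *) echo "note: $host is not in $hostsfile; resolution depends on DNS" ;;
        esac
    done
    return $rc
}

# Live checks for the host this runs on (not exercised by the demo):
# daemon presence, and the SRV records clients query when krb5.conf is silent.
live_checks() {
    for d in krb5kdc kadmind; do
        if pgrep -x "$d" >/dev/null 2>&1; then echo "ok:   $d is running"
        else echo "FAIL: $d is not running"; fi
    done
    if command -v dig >/dev/null 2>&1; then
        echo "SRV records for $1:"
        dig +short -t SRV "_kerberos._udp.$1"
        dig +short -t SRV "_kerberos-adm._tcp.$1"
    fi
}

# Stand-alone demo on constructed files: the thread's "old" hosts line versus
# the corrected one, against a minimal krb5.conf for the invented realm KRB.COM.
demo() {
    d=$(mktemp -d)
    printf '[realms]\n  KRB.COM = {\n    kdc = mykdc.krb.com:88\n    admin_server = mykdc.krb.com\n  }\n' > "$d/krb5.conf"
    printf '127.0.0.1 mykdc.krb.com localhost.localdomain localhost mykdc\n' > "$d/hosts.old"
    printf '10.195.3.99 mykdc.krb.com\n127.0.0.1 localhost.localdomain localhost mykdc\n' > "$d/hosts.new"
    echo "== old /etc/hosts"; check_realm "$d/krb5.conf" "$d/hosts.old" KRB.COM || true
    echo "== new /etc/hosts"; check_realm "$d/krb5.conf" "$d/hosts.new" KRB.COM || true
    rm -rf "$d"
}

# Usage on a real system: sh kdc-reach.sh /etc/krb5.conf /etc/hosts NET.PLM.EDS.COM
if [ $# -eq 3 ]; then
    check_realm "$1" "$2" "$3"; live_checks "$3"
else
    demo
fi
```

Run it with no arguments to see the two hosts files from the thread classified; run it with the three arguments on the KDC to get the live daemon and SRV checks as well. A "note" for a host that is absent from the hosts file is deliberate: relying on DNS is fine, and the SRV output shows whether DNS actually knows the realm.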