heimdal problems

Rob Frohwein rob at frohwein.xs4all.nl
Sun Apr 7 05:51:22 EDT 2002 

Hi ,

I am trying to get heimdal kerbereros5 running on freeBSD4.5.
The KDC seems to function , I can obtain a ticket from the kdc.

But the application clients and services like login/logind and
telnet/telnetd and pam doesnt seem to function after the heimdal install.
Has anyone had any success with using heimdal on freeBSD.
I cant get the 'official' MIT version because of US export limitations.

I am using freeBSD STABLE 4.5

There are 3 machines K(dc) S(erver) end C(lient).
In fact K and S are the same machine.

To install kerberos I did:
1 make -DMAKE_KERBEROS5 buildworld  (is this necessary ??)
2 make & install heimdal (/usr/ports/security/heimdal)

3 On all machines added /etc/krb5.conf
-----------------------------------
[libdefaults]
         default_realm = RFKERB
         clockskew = 300

[realms]
         RFKERB = {
                 kdc = vhfbsd45-3.frohwein.xs4all.nl.
         }
[domain_realm]
         frohwein.xs4all.nl = RFKERB
-----------------------------------
(vhfbsd45-3 is the name of Kdc/Server)

4 On K:
k5admin -l
kadmin> init RFKERB
kadmin> add myself
	...
kadmin> add --random-key host/vhfbsd45-3.frohwein.xs4all.nl.
kadmin> ext host/vhfbsd45-3.frohwein.xs4all.nl.

So i added some users + a keytab file for Server role.

6 On S (==K):
/etc/pam.conf
klogin auth required pam_krb5.so try_first_pass
And commented out the other login lines

7 On S (==K):
/etc/inetd.conf
klogin  stream tcp  nowait root /usr/libexec/rlogind  rlogind -k

8 From C
rlogin -k RFKERB -l user1 vhfbsd45-3
rlogin: illegal option -- k
This rlogin does not comply to the man page.
So what has heimdal installed?

When i just do:
rlogin -l user1 vhfbsd45-3
I see that (ethereal) that a  standard (port 513) rlogin request attempt
is made.

9 Telnet
In the manpage about telnetd i see no options for kerberos.
I tried:
pam.conf:
telnetd auth required pam_krb5.so try_first_pass
inetd.conf normal

Result:
telnet -l user1 vhfbsd45-3
A normal SRA login is the result, no kerberos involved.

So i think something is wrong with the heimdal install for
the applications like telnet and login.

10
I go to
/usr/ports/security/heimdal/work/heimdal-0.4e/appl/telnet
And use the telnet client there.
When i do a login attempt i see on K in the logging:
Apr  7 02:43:59 vhfbsd45-3 login: no modules loaded for `login' service
Apr  7 02:43:59 vhfbsd45-3 login: pam_open_session: Permission denied



Because I can acquire a tgt on C and indeed with k5list I can see the
ticket, I think only the installation of the kdc is ok , the rest fails.



thanks for some advice.


Rob Frohwein

More information about the Kerberos mailing list