kerberos help
Chan Vu
kerberos_seam99 at yahoo.com
Thu Dec 19 04:28:41 EST 2002
All,
I have a Unix box (vdas.ba.com) and a Windows 2000 Active Directory domain (ba1ghedc001.db1.ad.ba.com) as below:
vdas.bp.com (local server) > Unix box
ba1ghedc001.db1.ad.ba.com (Active Directory user domain)
I have tried to install SEAM 1.0 on the Unix box (vdas.bp.com) with the configuration files below:
1. # cat krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = BA.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
BA.COM = {
kdc = vdas.ba.com
kdc = ba1ghedc001.db1.ad.ba.com
admin_server = vdas.ba.com
default_domain = ba.com
}
[domain_realm]
.ba.com = BA.COM
ba.com = BA.COM
.ba.com = VDAS.BA.COM
ba.com = VDAS.BA.COM
[kdc]
profile = /etc/krb5/kdc.conf
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
gkadmin = {
help_url = http://vdas:7001
}
2. cat kdc.conf
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kdc.conf 1.2 98/08/17 SMI"
[kdcdefaults]
kdc_ports = 88, 750
[realms]
BA.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_database_name = /var/krb5/principal.kadm5
admin_database_lockfile = /var/krb5/principal.kadm5.lock
admin_keytab = /etc/krb5/kadm5.keytab
dict_file = /etc/krb5/kadm5.dict
acl_file = /etc/krb5/kadm5.acl
key_stash_file = /var/krb5/.k5.BA.COM
kadmind_port = 749
# kadmind_port = 139
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal
}
3. cat kadm5.acl
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kadm5.acl 1.3 98/08/19 SMI"
vdas/admin@BA.COM *
vdas/vdas.ba.com@BA.COM *
kws/admin@BA.COM *
kws/vdas.ba.com@BA.COM *
kadmin/admin@BA.COM *
kadmin/vdas.ba.com@BA.COM *
changepw/admin@BA.COM *
changepw/vdas.ba.com@BA.COM *
krbtgt/admin@BP.COM *
krbtgt/vdas.ba.com@BA.COM *
root/admin@BA.COM *
root/vdas.ba.com@BA.COM *
telnet/admin@BA.COM *
telnet/vdas.ba.com@BA.COM *
host/admin@BA.COM *
host/vdas.ba.com@BA.COM *
4. cat kpropd.acl
vdas/vdas.ba.com@BA.COM
vdas/ba1hcmdc001.db1.ad.ba.com@BA.COM
5. cat /etc/services
#ident "@(#)services 1.20 98/07/08 SMI" /* SVr4.0 1.8 */
#
# Network services, Internet style
#
tcpmux 1/tcp
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
name 42/udp nameserver
whois 43/tcp nicname # usually to sri-nic
domain 53/udp
domain 53/tcp
bootps 67/udp # BOOTP/DHCP server
bootpc 68/udp # BOOTP/DHCP client
hostnames 101/tcp hostname # usually to sri-nic
pop2 109/tcp pop-2 # Post Office Protocol - V2
pop3 110/tcp # Post Office Protocol - Version 3
sunrpc 111/udp rpcbind
sunrpc 111/tcp rpcbind
imap 143/tcp imap2 # Internet Mail Access Protocol v2
#
# Host specific functions
#
tftp 69/udp
rje 77/tcp
finger 79/tcp
link 87/tcp ttylink
supdup 95/tcp
iso-tsap 102/tcp
x400 103/tcp # ISO Mail
x400-snd 104/tcp
csnet-ns 105/tcp
pop-2 109/tcp # Post Office
uucp-path 117/tcp
nntp 119/tcp usenet # Network News Transfer
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
NeWS 144/tcp news # Window System
cvc_hostd 442/tcp # Network Console
#
# UNIX specific services
#
# these are NOT officially assigned
#
exec 512/tcp
login 513/tcp
shell 514/tcp cmd # no passwords used
printer 515/tcp spooler # line printer spooler
courier 530/tcp rpc # experimental
uucp 540/tcp uucpd # uucp daemon
biff 512/udp comsat
who 513/udp whod
syslog 514/udp
talk 517/udp
route 520/udp router routed
new-rwho 550/udp new-who # experimental
rmonitor 560/udp rmonitord # experimental
monitor 561/udp # experimental
pcserver 600/tcp # ECD Integrated PC board srvr
ufsd 1008/tcp ufsd # UFS-aware server
ufsd 1008/udp ufsd
cvc 1495/tcp # Network Console
ingreslock 1524/tcp
www-ldap-gw 1760/tcp # HTTP to LDAP gateway
www-ldap-gw 1760/udp # HTTP to LDAP gateway
listen 2766/tcp # System V listener port
nfsd 2049/udp nfs # NFS server daemon (clts)
nfsd 2049/tcp nfs # NFS server daemon (cots)
lockd 4045/udp # NFS lock daemon/manager
lockd 4045/tcp
dtspc 6112/tcp # CDE subprocess control
fs 7100/tcp # Font server
# Documentum services
vn_prod 1500/tcp # US_VN_PROD docbase
vn_eng 1502/tcp # US_VN_ENGR docbase
vn_train 1501/tcp #US_VN_TRAIN
dmdocbroker 1489/tcp # Documentum
vn_db 1503/tcp # US_VN_Db docbase
#SAMBA
#swat 901/tcp # Samba configuration tool
#netbios-ssn 139/tcp # Samba
#netbios-ns 137/udp # Samba
#kerberos_SEAM
kshell 544/tcp cmd # remote shell
#kerberos-adm 749/tcp kerberos # Kerberos V5 Administration
kerberos-adm 139/tcp kerberos # Kerberos V5 Administration
#kerberos-adm 749/udp kerberos # Kerberos V5 Administration
#kerberos 88/udp kdc # Kerberos key server
kerberos 88/tcp kdc # Kerberos key server
krb5_prop 754/tcp # Kerberos V5 KDC propagation
eklogin 2105/tcp # Kerberos V5 authentication & encrypt
kshell 544/tcp # remote shell Kerberos V5 KDC propagation
klogin 543/tcp # Kerberos authenticate KDC propagation
telnet 23/tcp # default port Kerberos authenticate KDC propagation
6. cat /etc/pam.conf
#ident "@(#)pam.conf 1.19 95/11/30 SMI"
#
# PAM configuration
#
# Authentication management
#
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/pam_unix.so.1
#
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
login account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
other password required /usr/lib/security/pam_unix.so.1
#
dtsession auth required /usr/lib/security/pam_unix.so.1
dtsession auth required /usr/lib/security/pam_unix.so.1
rlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtsession auth required /usr/lib/security/pam_unix.so.1
krlogin auth required /usr/lib/security/pam_krb5.so.1 acceptor
ktelnet auth required /usr/lib/security/pam_krb5.so.1 acceptor
krsh auth required /usr/lib/security/pam_krb5.so.1 acceptor
other auth optional /usr/lib/security/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/pam_krb5.so.1
other account optional /usr/lib/security/pam_krb5.so.1
other session optional /usr/lib/security/pam_krb5.so.1
other password optional /usr/lib/security/pam_krb5.so.1 try_first_pass
7. cat inetd.conf
#
#ident "@(#)inetd.conf 1.33 98/06/02 SMI" /* SVr4.0 1.5 */
#
#
# Configuration file for inetd(1M). See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
# SUNWkr5sv # ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
# SUNWkr5sv # telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
#
#
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
# <pathname> <args>
#
# <endpoint-type> can be either "tli" or "stream" or "dgram".
# For "stream" and "dgram" assume that the endpoint is a socket descriptor.
# <proto> can be either a nettype or a netid or a "*". The value is
# first treated as a nettype. If it is not a valid nettype then it is
# treated as a netid. The "*" is a short-hand way of saying all the
# transports supported by this system, ie. it equates to the "visible"
# nettype. The syntax for <proto> is:
# *|<nettype|netid>|<nettype|netid>{[,<nettype|netid>]}
# For example:
# dummy/1 tli rpc/circuit_v,udp wait root /tmp/test_svc test_svc
#
# Solstice system and network administration class agent server
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#
# Rquotad supports UFS disk quotas for NFS clients
#
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
#
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerbd Daemon
#
#kerbd/4 tli rpc/ticlts wait root /usr/sbin/kerbd kerbd
#
# Print Protocol Adaptor - BSD listener
#
printer stream tcp nowait root /usr/lib/print/in.lpd in.lpd
#
# GSS Daemon
#
100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
#Samba
#swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat
100134/1 tli rpc/ticotsord wait root /usr/krb5/lib/ktkt_warnd kwarnd
klogin stream tcp nowait root /usr/krb5/lib/rlogind rlogind -k
eklogin stream tcp nowait root /usr/krb5/lib/rlogind rlogind -k -e
telnet stream tcp nowait root /usr/krb5/lib/telnetd telnetd
ftp stream tcp nowait root /usr/krb5/lib/ftpd ftpd
kshell stream tcp nowait root /usr/krb5/lib/rshd rshd -k -c -A
krb5_prop stream tcp nowait root /usr/krb5/lib/kpropd kpropd
8. cat resolv.conf
nameserver 161.101.141.48
domain ba.com
search ba.com ba1.ad.ba.com
9. I installed an NTP server on vdas.ba.com.
STATUS result:
I can change a user's password in the Unix environment (vdas.ba.com). But I cannot log in to the Kerberos server (vdas.ba.com) from a Windows 2000 desktop client.
When I use: #su -
>> Kerberos does not ask for a Kerberos password
----------------------
If I use: #su - vdas
password:
PAM-KRB5: Kerberos V5 authentication failed Client not found in Kerberos database
PAM-KRB5: Enter Kerberos V5 password:
PAM-KRB5: Kerberos V5 authentication failed Client not found in Kerberos database
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
You have new mail.
vdas%
-------------------
vdas# cd /usr/krb5/bin
vdas# ls
ftp kdestroy kinit klist kpasswd ktutil rcp rlogin rsh telnet
vdas# klist
Ticket cache: /tmp/krb5cc_0
Default principal: root/vdas.bp.com@BP.COM
Valid starting Expires Service principal
19 Dec 02 11:52:30 19 Dec 02 12:02:30 krbtgt/BP.COM@BP.COM
renew until 20 Dec 02 11:52:30
vdas# telnet root/vdas.bp.com@BP.COM
root/vdas.bp.com@BP.COM: Unknown host
vdas# klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
------------------------------------------------------------
3 bp1ghedc001/vdas.bp.com@BP.COM
3 vdas/vdas.bp.com@BP.COM
3 bp1hcmdc001/vdas.bp.com@BP.COM
4 host/vdas.bp.com@BP.COM
3 telnet/vdas.bp.com@BP.COM
3 ftp/vdas.bp.com@BP.COM
vdas# kinit vdas/vdas.bp.com@BP.COM
Password for vdas/vdas.bp.com@BP.COM:
vdas#
10. On the Windows 2000 Active Directory server, I have not installed Kerberos for Windows or NTP.
>>>>>>>>>>>>>>>>>>>>>
Could anyone check for me whether there are errors, or whether I need some more steps?
Regards,
CHAN VM
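An added example, not part of the post above and not SEAM or MIT Kerberos code: a small checker that parses the MIT-style krb5.conf profile syntax (sections in square brackets, nested relations in braces, repeated keys allowed) and reports the points a reviewer would question before touching the KDC. It is run here over the [libdefaults], [realms] and [domain_realm] sections exactly as posted. The finding codes, the WEAK_ENCTYPES set and the function names are this example's own.

```python
import re

# Single-DES enctypes (the SEAM 1.0 / Solaris 7 era defaults), long since broken.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}

# The three sections of the krb5.conf posted above, copied verbatim; the
# checks below only read these sections.
POSTED_KRB5_CONF = """\
[libdefaults]
ticket_lifetime = 600
default_realm = BA.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
BA.COM = {
kdc = vdas.ba.com
kdc = ba1ghedc001.db1.ad.ba.com
admin_server = vdas.ba.com
default_domain = ba.com
}
[domain_realm]
.ba.com = BA.COM
ba.com = BA.COM
.ba.com = VDAS.BA.COM
ba.com = VDAS.BA.COM
"""


def parse_profile(text):
    """Parse profile text into {section: [(key, value), ...]}.

    Values are kept as ordered (key, value) pairs instead of a dict so that
    repeated keys (several 'kdc =' lines, or the duplicate domain_realm
    entries in the post) survive. 'key = {' opens a nested pair list.
    """
    sections = {}
    stack = []  # innermost pair list currently being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), [])]
            continue
        if not stack:
            raise ValueError("line %d: relation before any [section]" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        key, value = key.strip(), value.strip()
        if value == "{":
            nested = []
            stack[-1].append((key, nested))
            stack.append(nested)
        else:
            stack[-1].append((key, value))
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def check_profile(sections):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    libdefaults = {k: v for k, v in sections.get("libdefaults", []) if isinstance(v, str)}
    realms = {k for k, v in sections.get("realms", []) if isinstance(v, list)}
    mappings = [(k, v) for k, v in sections.get("domain_realm", []) if isinstance(v, str)]

    default_realm = libdefaults.get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(("no-default-realm",
                         "default_realm %s has no [realms] entry" % default_realm))

    # The same host/domain key mapped to two realms: the library resolves
    # this one way, the administrator usually expects the other.
    first = {}
    for key, realm in mappings:
        prior = first.setdefault(key, realm)
        if prior != realm:
            findings.append(("ambiguous-domain-realm",
                             "[domain_realm] %s is mapped to both %s and %s" % (key, prior, realm)))

    # A realm named only in [domain_realm] has no KDC to contact.
    for realm in sorted({r for _, r in mappings} - realms):
        findings.append(("undefined-realm",
                         "[domain_realm] refers to %s, which has no [realms] entry" % realm))

    for setting in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = libdefaults.get(setting)
        if value is not None and set(re.split(r"[\s,]+", value)) <= WEAK_ENCTYPES:
            findings.append(("weak-enctypes",
                             "%s = %s allows only single-DES" % (setting, value)))
    return findings


def audit(text):
    return check_profile(parse_profile(text))


if __name__ == "__main__":
    for code, msg in audit(POSTED_KRB5_CONF):
        print("%-24s %s" % (code, msg))
```

On the posted configuration the checker reports the two domain_realm keys that are mapped to both BA.COM and VDAS.BA.COM, the VDAS.BA.COM realm that has no [realms] block, and the two single-DES enctype settings; whether any of these is the cause of the "Client not found in Kerberos database" error is for the responders to say, but they are the first things to reconcile with the KDC's own realm and the keytab principals shown in the klist output.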