Problem authenticating with W2K AD...
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Mon Dec 15 14:49:37 EST 2003
do kinit and kpasswd work?
Mike Haney wrote:
>I've been searching the internet for about a week now and trying to
>set up a FreeBSD r4.9 server to authenticate against W2K AD (SP4), but
>can't quite get it going. I'm hoping someone can shed some light on
>the topic for me as I think I am missing a few small details...
>
>I've followed the document on Microsoft's website
>(http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
>and a few other websites, and have done the following:
>
>1) Compiled pam_krb5 for heimdal from the ports collection (this gave
>me some troubles with the krb5.18 dependency, changed to krb5.19 and
>it went ok).
>2) Set an /etc/pam.conf to use kerberos first with sshd logins:
> "sshd auth sufficient pam_krb5.so try_first_pass"
>3) Set up my /etc/krb5.conf as follows:
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>[libdefaults]
> ticket_lifetime = 24000
> default_realm = SPONGEBOB.SP
> default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>[realms]
> SPONGEBOB.SP = {
> kdc = haney-srv.spongebob.sp
> admin_server = haney-srv.spongebob.sp
> default_domain = spongebob.sp
> }
>[domain_realm]
> .spongebob.sp = SPONGEBOB.SP
>[appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>4) Manually synchronized the clocks on the FreeBSD & W2k machines
>5) Created a new account in AD for testing Kerberos logins (all
>defaults, simple password).
>6) Successfully tested the new account and krb5.conf configuration by
>running kinit /klist/kdestroy (saw new ticket created and destroyed
>with klist).
>7) Installed the W2k support tools to get the ksetup & kpass
>utilities.
>8) Used ktpass to generate a keytab for the FreeBSD machine, using
>this syntax:
> Ktpass -princ myserver@SPONGEBOB.SP -mapuser testkrb -pass password
>-out myserver.keytab
> ** myserver is the hostname of my FreeBSD machine, testkrb is the AD
>username
>9) Transferred the myserver.keytab to the FreeBSD machine, and placed
>it in /etc/krb5.keytab
>10) Modified /etc/auth.conf so that auth_list has kerberos listed
>first (then passwd)
>
>Whenever I try to log in using SSH (remotely or from the FreeBSD
>machine directly) the login prompt comes up with "Password for
>testkrb@SPONGEBOB.SP", but will not accept the kerberos password. I
>have also tried creating a local user account in FreeBSD with a
>different password, and can log in using that with no troubles.
>
>I have checked entries in /etc/auth.log and found:
>Nov 6 12:53:41 myserver sshd[51684]: (pam_krb5) pam_sm_authenticate:
>result for user `testkrb': Please ignore underlying account module
>Nov 6 12:53:41 myserver sshd[51680]: error: PAM: Authentication
>failure
>
>With kerberos logging enabled in the W2k server (by registry key
>indicated in Q262177), I see nothing logged, not even when using
>kinit/klist/kdestroy, is that normal?
>
>Any help/tips are appreciated, thanks in advance!
>
>Mike
>________________________________________________
>Kerberos mailing list Kerberos@mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
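A small checker for a krb5.conf like the one quoted above, added here as an example and not code from the thread or from Heimdal/MIT: it parses the section/brace layout and flags the single-DES enctypes the file pins (current KDCs reject them by default) and a default_realm with no KDC entry. The sample is constructed from the posted config; the whole-line comment rule and the enctype-list splitting are assumptions of this parser.

```python
import re
# Constructed sample: the [libdefaults] and [realms] sections of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = SPONGEBOB.SP
 default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
 SPONGEBOB.SP = {
 kdc = haney-srv.spongebob.sp
 }
"""
# Single-DES enctypes: 56-bit keys, rejected by default on current KDCs.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    # Returns {section: {key: value or {subkey: value}}} for the [section] / key = value / key = { ... } layout.
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # assumption: comments are whole lines only
            continue
        if line.startswith("["):
            section, sub = line.strip("[]"), None
            conf[section] = {}
        elif line == "}":
            sub = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = conf[section].setdefault(key, {})
            else:
                (conf[section] if sub is None else sub)[key] = value
    return conf

def check_krb5_conf(text):
    # Findings a defender would raise: weak enctypes and a default_realm with no KDC.
    conf, findings = parse_krb5_conf(text), []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    for key in ENCTYPE_KEYS:
        # Lists split on whitespace/commas; unknown words are skipped, so the trailing "; or des-cbc-crc" reads as a second weak enctype.
        tokens = set(re.split(r"[\s,]+", libdefaults.get(key, "").lower()))
        weak = sorted(tokens & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key}: single-DES enctypes {weak}; use aes256-cts-hmac-sha1-96")
    realm = libdefaults.get("default_realm")
    if realm and "kdc" not in realms.get(realm, {}):
        findings.append(f"default_realm {realm} has no kdc in [realms]")
    return findings
```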