Problem authenticating with W2K AD...

Mike Haney haneym at rcc.on.ca
Thu Nov 6 13:40:40 EST 2003


I've been searching the internet for about a week now and trying to
set up a FreeBSD r4.9 server to authenticate against W2K AD (SP4), but
can't quite get it going.  I'm hoping someone can shed some light on
the topic for me as I think I am missing a few small details...

I've followed the document on Microsoft's website
(http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
and a few other websites, and have done the following:

1) Compiled pam_krb5 for heimdal from the ports collection (this gave
me some troubles with the krb5.18 dependency, changed to krb5.19 and
it went ok).
2) Set an /etc/pam.conf to use kerberos first with sshd logins:
  "sshd auth sufficient pam_krb5.so try_first_pass"
3) Set up my /etc/krb5.conf as follows:
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[libdefaults]
    ticket_lifetime = 24000
    default_realm = SPONGEBOB.SP
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    SPONGEBOB.SP = {
        kdc = haney-srv.spongebob.sp
        admin_server = haney-srv.spongebob.sp
        default_domain = spongebob.sp
    }
[domain_realm]
    .spongebob.sp = SPONGEBOB.SP
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

4) Manually synchronized the clocks on the FreeBSD & W2k machines
5) Created a new account in AD for testing Kerberos logins (all
defaults, simple password).
6) Successfully tested the new account and krb5.conf configuration by
running kinit /klist/kdestroy (saw new ticket created and destroyed
with klist).
7) Installed the W2k support tools to get the ksetup & ktpass
utilities.
8) Used ktpass to generate a keytab for the FreeBSD machine, using
this syntax:
 ktpass -princ myserver@SPONGEBOB.SP -mapuser testkrb -pass password -out myserver.keytab
 ** myserver is the hostname of my FreeBSD machine, testkrb is the AD
username
9) Transferred the myserver.keytab to the FreeBSD machine, and placed
it in /etc/krb5.keytab
10) Modified /etc/auth.conf so that auth_list has kerberos listed
first (then passwd)

Whenever I try to log in using SSH (remotely or from the FreeBSD
machine directly) the login prompt comes up with "Password for
testkrb@SPONGEBOB.SP", but will not accept the kerberos password.  I
have also tried creating a local user account in FreeBSD with a
different password, and can log in using that with no troubles.

I have checked entries in /etc/auth.log and found:
Nov  6 12:53:41 myserver sshd[51684]: (pam_krb5) pam_sm_authenticate:
result for user `testkrb': Please ignore underlying account module
Nov  6 12:53:41 myserver sshd[51680]: error: PAM: Authentication
failure

With kerberos logging enabled in the W2k server (by the registry key
indicated in Q262177), I see nothing logged, not even when using
kinit/klist/kdestroy.  Is that normal?

Any help/tips are appreciated, thanks in advance!

Mike
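The keytab check below is an added example, not part of Mike's post or of pam_krb5 itself. It parses a keytab listing in the format of Heimdal's `ktutil -k /etc/krb5.keytab list` (format and the two sample listings are assumed/constructed) and reports whether the host service principal `host/<fqdn>@REALM`, the key pam_krb5 uses to verify a freshly obtained TGT before it accepts a login, is present with an enctype that matches what the client's krb5.conf requests.

```shell
#!/bin/sh
# Added example: verify that a keytab listing contains the host service key
# pam_krb5 validates logins against, with an enctype the client is configured for.
# Listing format assumed to be Heimdal's "ktutil -k /etc/krb5.keytab list".

# Constructed listing resembling a keytab made with "ktpass -princ myserver@REALM":
# a user-style principal only, no host/ service principal.
KEYTAB_USER_ONLY='Vno  Type          Principal
  3  des-cbc-md5   myserver@SPONGEBOB.SP'

# Constructed listing of a keytab that does carry the host service principal.
KEYTAB_WITH_HOST='Vno  Type          Principal
  3  des-cbc-md5   host/myserver.spongebob.sp@SPONGEBOB.SP
  3  des-cbc-crc   host/myserver.spongebob.sp@SPONGEBOB.SP'

# Print the enctypes recorded for one principal, one per line (empty if absent).
# Column layout: $1 = Vno, $2 = Type (enctype), $3 = Principal; line 1 is the header.
keytab_enctypes() {
    listing=$1; princ=$2
    printf '%s\n' "$listing" | awk -v p="$princ" 'NR > 1 && $3 == p { print $2 }'
}

# Succeed only if host/<fqdn>@<realm> is present with the wanted enctype.
# Return 1 when the principal is missing, 2 when it exists with other enctypes.
check_host_key() {
    fqdn=$1; realm=$2; want=$3; listing=$4
    princ="host/$fqdn@$realm"
    found=$(keytab_enctypes "$listing" "$princ")
    if [ -z "$found" ]; then
        echo "missing: $princ is not in the keytab" >&2
        return 1
    fi
    if ! printf '%s\n' "$found" | grep -qx "$want"; then
        echo "enctype mismatch: $princ has [$(printf '%s ' $found)], client requests $want" >&2
        return 2
    fi
    return 0
}

# Against a live Heimdal host (assumed usage, values from krb5.conf above):
#   check_host_key "$(hostname)" SPONGEBOB.SP des-cbc-md5 "$(ktutil -k /etc/krb5.keytab list)"
```

The user-only listing fails with "missing", which is the condition to rule out first when kinit succeeds but the PAM login is rejected.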
