KRB5 <-> KRB4 - kinit password incorrect
Frederik Meerwaldt
frederik at cray-cyber.org
Thu Oct 9 05:10:20 EDT 2003
Dear group,

I am currently trying to incorporate Kerberos authentication on our
Cray-Cyber (http://www.cray-cyber.org) machines, but unfortunately I
have some problems.

Setup:

Kerberos server:
- Debian GNU/Linux 3.0
- MIT Kerberos 5 1.3.1 (current distribution - compiled from source)
- The config-files are to be found at the bottom of this mail

Kerberos Client:
- Cray Y-MP EL running UNICOS 9.0.2.2
- Kerberos IV client shipped with Unicos
- Config-files to be found at the bottom of this mail.

The following processes are running on the server:
- krb5kdc -4 full
- kadmind
- krb524d -m

When I want to obtain a Kerberos-Ticket on the Cray using kinit I
get the following message:
[frederik at yel frederik]$ kinit
Cray Research Kerberos Project (yel.cray-cyber.org)
Kerberos Initialization
Kerberos name: frederik
kinit: Password incorrect
OK - it seems to find me on the Kerberos server, but I'm not even
prompted for my password.
In /var/log/krb5kdc.log on the server, the relevant lines read:
Oct 09 11:00:51 server krb5kdc[24221](info): PROCESS_V4:Initial ticket request Host: 192.168.4.20 User: "frederik" ""
But no problems are reported there.
On the server I have no problems obtaining a ticket:
[frederik at server frederik]$ kinit -4
Password for frederik at CRAY-CYBER.ORG:
[frederik at server frederik]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1001)
Kerberos 4 ticket cache: /tmp/tkt1001
Principal: frederik at CRAY-CYBER.ORG
Issued Expires Principal
10/09/03 11:02:41 10/09/03 21:02:41 krbtgt.CRAY-CYBER.ORG at CRAY-CYBER.ORG
The log file on the server after obtaining a ticket read exactly the
same line (not more, not less) as when obtaining a ticket from the Cray.
What am I doing wrong here?
I should be able to obtain a ticket on the Cray, shouldn't I?
In which way are the realms case sensitive?
Or may I only obtain a ticket on the kdc?
Thanks a lot for your help,
Freddy
Here are the configuration files:
/etc/krb5.conf from the server:
[libdefaults]
default_realm = CRAY-CYBER.ORG
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
[realms]
CRAY-CYBER.ORG = {
kdc = server.cray-cyber.org
admin_server = server.cray-cyber.org
default_domain = cray-cyber.org
}
[domain_realm]
.cray-cyber.org = CRAY-CYBER.ORG
cray-cyber.org = CRAY-CYBER.ORG
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/krb.conf on the server:
CRAY-CYBER.ORG
CRAY-CYBER.ORG server
CRAY-CYBER.ORG server.cray-cyber.org admin server
/etc/krb.realms on the server:
.cray-cyber.org CRAY-CYBER.ORG
cray-cyber.org CRAY-CYBER.ORG
/usr/local/var/krb5kdc/kdc.conf on the server:
[kdcdefaults]
kdc_ports = 750,88
[realms]
CRAY-CYBER.ORG = {
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.CRAY-CYBER.ORG
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
/etc/krb.conf on the Cray:
CRAY-CYBER.ORG
CRAY-CYBER.ORG server
CRAY-CYBER.ORG server admin server
/etc/krb.realms on the Cray:
.CRAY-CYBER.ORG CRAY-CYBER.ORG