having difficulty setting up a linux client with Win2k KDC
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Mon Oct 27 10:42:09 EST 2003
Hi,
I suspect your telnet and ftp client is trying to obtain a service ticket for a principal called host/localhost at REALM so try using :
# ftp afs-test.myrealm.com
Instead of :
# ftp localhost
Thanks, Tim.
-----Original Message-----
From: Mehta, Rohit [mailto:rohitm at engr.uconn.edu]
Sent: 27 October 2003 14:38
To: kerberos at mit.edu
Subject: having difficulty setting up a linux client with Win2k KDC
Hi guys, I am fairly new to kerberos and I would like to set up Linux clients to use a Win2k KDC. We have an active directory, and I have a Debian (Woody) system with the following packages installed:
afs-test:/home/ro# dpkg -l |grep krb5
ii krb5-admin-ser 1.2.4-5woody4 Mit Kerberos master server (kadmind)
ii krb5-clients 1.2.4-5woody4 Secure replacements for ftp, telnet and rsh
ii krb5-config 1.4 Configuration files for Kerberos Version 5
ii krb5-doc 1.2.4-5woody4 Documentation for krb5
ii krb5-ftpd 1.2.4-5woody4 Secure FTP server supporting MIT Kerberos
ii krb5-kdc 1.2.4-5woody4 Mit Kerberos key server (KDC)
ii krb5-rsh-serve 1.2.4-5woody4 Secure replacements for rshd and rlogind us
ii krb5-telnetd 1.2.4-5woody4 Secure telnet server supporting MIT Kerberos
ii krb5-user 1.2.4-5woody4 Basic programs to authenticate using MIT Ker
ii libkrb5-dev 1.2.4-5woody4 Headers and development libraries for MIT Ke
ii libkrb53 1.2.4-5woody4 MIT Kerberos runtime libraries
ii libpam-krb5 1.0-7 PAM module for MIT Kerberos
ii openafs-krb5 1.3-8 The AFS distributed filesystem- Kerberos 5 I
ii ssh-krb5 3.4p1-0woody4 Secure rlogin/rsh/rcp replacement (OpenSSH w
kinit and kpasswd actually work, but telnet and ftp do not.
This is what my krb5.conf looks like:
[libdefaults]
default_realm = MYREALM.COM
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc
[realms]
MYREALM.COM = {
kdc = myactivedirectorycontroller.myrealm.com
admin_server = myactivedirectorycontroller.myrealm.com
}
[domain_realm]
myrealm.com = MYREALM.COM
I created a keytab for afstest.myrealm.com on the DC and installed it on this client in /etc/krb5.keytab. it looks something like this:
afs-test:/home/ro# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/afs-test.myrealm.com at MYREALM.COM
So hopefully I did all of that stuff correctly, back to the problem. When I do kinit user at MYREALM.COM and authenticate successfully, it works.
However after that, if I do telnet localhost or ftp localhost, I cannot authenticate. This can be seen:
telnet 1
---------
afs-test:/home/ro# telnet localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
telnetd: No authentication provided.
Connection closed by foreign host.
telnet try2
------------
afs-test:/home/ro# telnet -xF localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for encryption. Good bye.
ftp try 1
---------
afs-test:/home/ro# ftp localhost
Connected to localhost.
220 afs-test.myrealm.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: Server not found in Kerberos database GSSAPI error: initializing context GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type Kerberos V4 krb_mk_req failed: You have no tickets cached Name (localhost:ro):
Please let me know if you would like more information. I would be very grateful for any assistance at all in this matter.
Thanks,
Rohit Kumar Mehta
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list