having difficulty setting up a linux client with Win2k KDC
Mehta, Rohit
rohitm at engr.uconn.edu
Mon Oct 27 11:48:10 EST 2003
Thanks guys, I have it working now. It looks like I was doing a couple things wrong.
1. I needed to add a domain_realm line something to the effect of
.myrealm.com=MYREALM.COM (lord knows why)
2. ssh localhost did not work, but ssh afs-test or afs-test.myrealm.com did work.
3. my telnetd options in /etc/inetd.conf were a little screwy.
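Two of the three fixes above come down to how a Kerberos client picks the service principal it asks the KDC for: the [domain_realm] section maps a hostname to a realm (a leading dot matches every host under that domain, a bare name matches only that exact name), and the principal is then host/<canonical hostname>@<realm>, which must also exist in the server's keytab. The following Python is an added example, not code from the thread or from MIT krb5; it reproduces that lookup on the posted configuration. The hostname table, realm mappings and keytab contents are constructed from the thread, and the fallback a real client uses when [domain_realm] has no match (DNS lookup, then uppercasing the domain) is deliberately left out and reported as "no match".

```python
# Added example: [domain_realm] lookup and service-principal construction,
# applied to the configuration posted in the thread. Not MIT krb5 code.
from typing import Dict, Optional, Tuple

# [domain_realm] as originally posted: a bare domain name, no leading dot,
# so only the exact name "myrealm.com" maps to the realm.
DOMAIN_REALM_ORIGINAL: Dict[str, str] = {
    "myrealm.com": "MYREALM.COM",
}

# [domain_realm] after the fix described in the reply: the leading dot
# maps every host under the domain, not just the bare domain name.
DOMAIN_REALM_FIXED: Dict[str, str] = {
    ".myrealm.com": "MYREALM.COM",
}

# Constructed: what `klist -k` showed for /etc/krb5.keytab in the thread.
KEYTAB_PRINCIPALS = {"host/afs-test.myrealm.com@MYREALM.COM"}

# Constructed stand-in for DNS / /etc/hosts canonicalization: the short
# name expands to the FQDN, but "localhost" stays "localhost".
CANONICAL_NAMES: Dict[str, str] = {
    "afs-test": "afs-test.myrealm.com",
    "localhost": "localhost",
}


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Consult [domain_realm] the way krb5 documents it: exact hostname
    first, then each parent domain with a leading dot, longest suffix
    first. Returns None when nothing matches (the DNS/uppercase fallback
    of a real client is intentionally omitted here)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def service_principal(service: str, hostname: str,
                      domain_realm: Dict[str, str]) -> Optional[str]:
    """Build the principal the client will request from the KDC,
    e.g. host/afs-test.myrealm.com@MYREALM.COM."""
    realm = host_to_realm(hostname, domain_realm)
    if realm is None:
        return None
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def keytab_has(principal: Optional[str]) -> bool:
    """True if the server holds a key for the requested principal. A
    principal the KDC/keytab does not know produces the
    'Server not found in Kerberos database' error seen in the thread."""
    return principal is not None and principal in KEYTAB_PRINCIPALS


def diagnose(target: str,
             domain_realm: Dict[str, str]) -> Tuple[str, Optional[str], bool]:
    """Return (canonical name, requested principal, present in keytab)
    for the name a user typed on the command line."""
    canonical = CANONICAL_NAMES.get(target.lower(), target.lower())
    principal = service_principal("host", canonical, domain_realm)
    return canonical, principal, keytab_has(principal)


if __name__ == "__main__":
    for name in ("localhost", "afs-test", "afs-test.myrealm.com"):
        for label, mapping in (("original", DOMAIN_REALM_ORIGINAL),
                               ("fixed", DOMAIN_REALM_FIXED)):
            canonical, principal, ok = diagnose(name, mapping)
            print(f"{label:8} {name:22} -> {canonical:22} "
                  f"{principal or '(no realm match)':42} keytab={ok}")
```

Running it shows why `ssh localhost` cannot work even after the realm fix: "localhost" never canonicalizes to a name under myrealm.com, so no host/... principal for it exists in the keytab, while `afs-test` and `afs-test.myrealm.com` both resolve to the one principal that does.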
-----Original Message-----
From: Peter J. Bertoncini <pjb at anl.gov>
[mailto:b15013 at achilles.ctd.anl.gov]
Sent: Monday, October 27, 2003 11:16 AM
To: kerberos at mit.edu; Mehta, Rohit
Subject: Re: having difficulty setting up a linux client with Win2k KDC
Try using:
telnet -xF afs-test
and:
ftp -x afs-test
I assume you have Kerberized telnetd and ftpd properly configured in the
/etc/inetd.conf, /etc/xinetd.d or whatever mechanism Debian uses to manage
daemon services.
I suggest you configure the daemons to only allow access via an encrypted
session.
-------------------
>Date: Mon, 27 Oct 2003 09:38:16 -0500
>From: "Mehta, Rohit" <rohitm at engr.uconn.edu>
>To: <kerberos at mit.edu>
>Subject: having difficulty setting up a linux client with Win2k KDC
>
>Hi guys, I am fairly new to kerberos and I would like to set up Linux clients
>to use a Win2k KDC. We have an active directory, and I have a Debian (Woody)
>system with the following packages installed:
>
>afs-test:/home/ro# dpkg -l |grep krb5
>ii krb5-admin-ser 1.2.4-5woody4 Mit Kerberos master server (kadmind)
>ii krb5-clients 1.2.4-5woody4 Secure replacements for ftp, telnet and rsh
>ii krb5-config 1.4 Configuration files for Kerberos Version 5
>ii krb5-doc 1.2.4-5woody4 Documentation for krb5
>ii krb5-ftpd 1.2.4-5woody4 Secure FTP server supporting MIT Kerberos
>ii krb5-kdc 1.2.4-5woody4 Mit Kerberos key server (KDC)
>ii krb5-rsh-serve 1.2.4-5woody4 Secure replacements for rshd and rlogind us
>ii krb5-telnetd 1.2.4-5woody4 Secure telnet server supporting MIT Kerberos
>ii krb5-user 1.2.4-5woody4 Basic programs to authenticate using MIT Ker
>ii libkrb5-dev 1.2.4-5woody4 Headers and development libraries for MIT Ke
>ii libkrb53 1.2.4-5woody4 MIT Kerberos runtime libraries
>ii libpam-krb5 1.0-7 PAM module for MIT Kerberos
>ii openafs-krb5 1.3-8 The AFS distributed filesystem- Kerberos 5 I
>ii ssh-krb5 3.4p1-0woody4 Secure rlogin/rsh/rcp replacement (OpenSSH w
>
>
>
>kinit and kpasswd actually work, but telnet and ftp do not.
>This is what my krb5.conf looks like:
>
>[libdefaults]
> default_realm = MYREALM.COM
>
> default_tgs_enctypes = des-cbc-md5
> default_tkt_enctypes = des-cbc-md5
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc
>
>[realms]
>MYREALM.COM = {
> kdc = myactivedirectorycontroller.myrealm.com
> admin_server = myactivedirectorycontroller.myrealm.com
>}
>
>[domain_realm]
> myrealm.com = MYREALM.COM
>
>
>
>
>I created a keytab for afstest.myrealm.com on the DC and installed it on this
>client in /etc/krb5.keytab. It looks something like this:
>
>afs-test:/home/ro# klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
> 1 host/afs-test.myrealm.com at MYREALM.COM
>
>
>
>
>So hopefully I did all of that stuff correctly, back to the problem. When I do
>kinit user at MYREALM.COM and authenticate successfully, it works.
>However after that, if I do telnet localhost or ftp localhost, I cannot
>authenticate. This can be seen:
>
>telnet 1
>---------
>afs-test:/home/ro# telnet localhost
>Trying 127.0.0.1...
>Connected to localhost (127.0.0.1).
>Escape character is '^]'.
>telnetd: No authentication provided.
>Connection closed by foreign host.
>
>telnet try2
>------------
>afs-test:/home/ro# telnet -xF localhost
>Trying 127.0.0.1...
>Connected to localhost (127.0.0.1).
>Escape character is '^]'.
>Waiting for encryption to be negotiated...
>
>Authentication negotation has failed, which is required for
>encryption. Good bye.
>
>ftp try 1
>---------
>afs-test:/home/ro# ftp localhost
>Connected to localhost.
>220 afs-test.myrealm.com FTP server (Version 5.60) ready.
>334 Using authentication type GSSAPI; ADAT must follow
>GSSAPI accepted as authentication type
>GSSAPI error major: Miscellaneous failure
>GSSAPI error minor: Server not found in Kerberos database
>GSSAPI error: initializing context
>GSSAPI authentication failed
>334 Using authentication type KERBEROS_V4; ADAT must follow
>KERBEROS_V4 accepted as authentication type
>Kerberos V4 krb_mk_req failed: You have no tickets cached
>Name (localhost:ro):
>
>
>
>Please let me know if you would like more information. I would be very grateful
>for any assistance at all in this matter.
>
>Thanks,
>
>Rohit Kumar Mehta
>
>________________________________________________
>Kerberos mailing list Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>