Impossible kerberos authentication on AIX

Sensei noone at nowhere.org
Wed Feb 25 07:18:43 EST 2004


Hi. Sorry for the cross-post but it involves both fields.

We abandoned the idea of making aix the authentication server and we 
built a linux kerberos server, with MIT kerberos V5.

Our realm is MYREALM, the linux client is ``linux'' and the aix client 
is ``aix''. We use no preauthorization. Let's use a kerberos login for 
the user/principal ``james''.

From a linux client, we can use pam and kerberos and login directly 
from the console.
From aix (5.2) we can *only* do a kinit principal, but the login does 
not work. We followed the aix handbooks, so nothing (I hope) can be 
wrong (mkkrb5clnt -c -r ... --- same values as we've used on the linux 
client --- chauthent -k5).

I sniffed the packets on the network and I found this different behaviour:

Linux client login:

1. AS-REQ   Client
             name:james type:Principal name:james
             server:krbtgt type:unknown name krbtgt name:MYREALM
             start time:<date is ok> end time:<date is ok>
             Addresses
             type:ipv4 value:linux ip number

2. AS-REP   perauth:unknown preauth
             ticket version:5 realm:MYREALM
             service name:krbtgt type:unknown name:krbtgt name:MYREALM
             (ticket data)

3. TGS-REQ  preauth:PA-TGS-REQ value:blahblahblah
             Request
             option:000000000 realm:MYREALM
             Server
             name:host type:Service and Host name:host name:linux
             end time:<date is ok>

4. TGS-REP  (ticket data) (encrypted payload)


As far as I can understand, first there's an authentication and an 
initial ticket, once username/passwords are granted, the client asks for 
the real ticket using the client host name and the server sends the ticket.

On AIX we have a really different thing:

1. AS-REQ   Client
             name:host type:Principal name:host name:aix
             realm:MYREALM
             Server
             name:kadmin type:Principal name:kadmin name:admin
             end time:1970-01-01 00:00:00

2. KRB-ERROR
             ctime:<date is ok> stime:<date is ok>
             susec:644378
             error code:KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
             crealm:MYREALM
             cname:host type:Principal name:host name:aix
             realm:MYREALM
             sname:kadmin type:Principal name:kadmin name:admin
             etext:CLIENT_NOT_FOUND

First of all, dates are ok and synchronized with the same time server. 
Second, all the principals are correctly set. Third, we exported the 
needed keytabs. Last, we controlled the aix fixpacks and we have the 
latest fixes...

Please help me, I can't figure out what happens here... and we need a 
working aix!!!
-- 
Sensei <senseiwa:tin.it> <icq:241572242> <msn:Sensei_Sen:hotmail.com>

f u cn rd ths u r usng unx
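
The two traces above, compared field by field, as an added example that is not part of the original post. The records are constructed from the values quoted in the message; `summarize`, the record field names and the finding strings are assumptions made for illustration.

```python
# Constructed records: field values copied from the two traces in the post.
LINUX = [
    {"msg": "AS-REQ", "cname": "james", "sname": "krbtgt/MYREALM"},
    {"msg": "AS-REP", "sname": "krbtgt/MYREALM"},
    {"msg": "TGS-REQ", "sname": "host/linux"},
    {"msg": "TGS-REP"},
]
AIX = [
    {"msg": "AS-REQ", "cname": "host/aix", "sname": "kadmin/admin",
     "till": "1970-01-01 00:00:00"},
    {"msg": "KRB-ERROR", "error": "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
     "cname": "host/aix", "sname": "kadmin/admin"},
]

# In KDC error names "_C_" refers to the client principal (cname)
# and "_S_" to the server principal (sname).
ERROR_SUBJECT = {
    "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN": "cname",
    "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN": "sname",
}

def summarize(trace, user="james", realm="MYREALM"):
    """Return (requests, findings) for one decoded login exchange."""
    requests, findings = [], []
    tgt = f"krbtgt/{realm}"
    for m in trace:
        if m["msg"] in ("AS-REQ", "TGS-REQ"):
            requests.append((m["msg"], m.get("cname"), m["sname"]))
        if m["msg"] == "AS-REQ":
            # A password login normally starts by asking for a TGT as the user.
            if m["sname"] != tgt:
                findings.append(f"AS-REQ asks for {m['sname']}, not {tgt}")
            if m["cname"] != user:
                findings.append(
                    f"AS-REQ client is {m['cname']}, not login user {user}")
            if m.get("till", "").startswith("1970-01-01"):
                findings.append("requested end time is the Unix epoch")
        elif m["msg"] == "KRB-ERROR":
            field = ERROR_SUBJECT.get(m["error"])
            if field:
                findings.append(
                    f"KDC reported {field} {m[field]}@{realm} as not found")
    return requests, findings

if __name__ == "__main__":
    for name, trace in (("linux", LINUX), ("aix", AIX)):
        print(name, *summarize(trace), sep="\n  ")
```
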


