service principals in AD for unix kerberos clients

Doug Lamoureux douglamoureux at yahoo.com
Thu Jan 22 16:33:50 EST 2004


Ryan,
    Are you running Windows 2003?  I've just run into a problem with Win2k3
encrypting the client tickets with rc4-hmac:

# kinit -S host/myhost.acme.com dougl
Password for dougl at ATC-W2K3.ACME.COM:
# klist -e
Ticket cache: /tmp/krb5cc_0
Default principal: host/myhost.acme.com at ATC-W2K3.ACME.COM
Valid starting     Expires            Service principal
01/22/04 09:54:57  01/22/04 19:54:57  host/myhost.acme.com at ATC-W2K3.ACME.COM
         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23

etype 23 is RC4-HMAC

(ethereal trace shows rc4-hmac)

I've seen a number of suggestions to set the "Use DES encryption" flag on the 
users account and reset the password, but that has not resolved the problem.

Check out your syslog.log file for potential errors.  You don't have to set up
cross-realm authentication for ldap-ux/kerberos to work with AD on hp-ux (you
will if you want to have multi-domain support).  Make sure you can see the user
defined in AD:

# pwget -n dougl
dougl:*:10001:20::/home/dougl:/usr/bin/ksh
# /usr/contrib/bin/nsquery passwd dougl ldap

Using "ldap" for the passwd policy.

Searching ldap for dougl
User name: dougl
User Id: 10001
Group Id: 20
Gecos:
Home Directory: /home/dougl
Shell: /usr/bin/ksh

Switch configuration: Terminates Search

Then make sure you can use kinit to authenticate:

# kinit dougl
Password for dougl at ATC-W2K3.ACME.COM:

You can also validate the Kerberos client configuration using pamkrbval:

# /usr/sbin/pamkrbval

  Validating the pam configuration files
  ---------- --- --- ------------- -----

  Validating the /etc/pam.conf file
[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
            as libpam_updbe library is not configured

  Validating the kerberos config file
  ---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

  Connecting to default Realm
  ---------- -- ------- -----
[PASS] : Default Realm is issuing tickets

  Validating the keytab entry for the host service principal
  ---------- --- ------ ----- --- --- ---- ------- ---------
/usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
[FAIL] : The keytab validation Failed

Cheers,
Doug
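The pamkrbval failure above comes from a keytab entry whose encryption type the client does not support. As an added example (not from this thread or from HP-UX), here is a small Python parser for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and etype and reports which entries a client knowing only the DES etypes cannot use; the keytab bytes are constructed inline with dummy key material, and the DES-only capability set is an assumption made for illustration.

```python
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # RFC 3961 / RFC 4757

def _cstr(data, pos):
    """Read a counted octet string (uint16 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502); return principal, kvno, etype per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:            # no valid entry can be empty; treat as end of file
            break
        if size < 0:             # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(data, p)
            comps.append(c.decode())
        # name_type, timestamp, 8-bit kvno, then keyblock enctype and key length
        _, _, kvno, etype, _ = struct.unpack_from(">IIBHH", data, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno, "etype": etype})
        pos += size              # skips the key bytes and any trailing 32-bit kvno
    return entries

def unsupported_entries(data, supported=frozenset({1, 3})):
    """Entries a client that only knows `supported` etypes (assumed: DES only) cannot use."""
    return [e for e in parse_keytab(data) if e["etype"] not in supported]

def build_entry(principal, realm, kvno, etype, key):
    """Serialise one keytab entry; used here only to construct sample data."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key   # name_type 1 = NT-PRINCIPAL
    return struct.pack(">i", len(body)) + body

# Constructed sample: the host key stored both as DES and as RC4-HMAC (dummy key bytes).
SAMPLE_KEYTAB = b"\x05\x02" + \
    build_entry("host/myhost.acme.com", "ATC-W2K3.ACME.COM", 2, 3, b"\x11" * 8) + \
    build_entry("host/myhost.acme.com", "ATC-W2K3.ACME.COM", 2, 23, b"\x22" * 16)
```

Running `unsupported_entries(SAMPLE_KEYTAB)` returns only the etype 23 entry, which is the situation the pamkrbval output describes.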


Ryan Odgers wrote:

> (I apologize if this has already been posted, I am new to this list)
> 
> Hi,
> 
> What is the trick to getting services to work via kerberos?
> 
> I have been playing around with trying to use kerberos as a SSO for our
> environment, but am a bit confused.
> 
> To date:
> I have installed and configured MS SFU 3.5 (services for Unix) on our AD,
> extended the schema.
> I have an HP-UX 11.11 machine in which I have setup the LDAP client to talk
> to the AD via kerberos. I can successfully search the AD and can login with
> windows credentials via a keytab created for the host.
> 
> The telnet service in HP-UX is kerberos aware, but after creating a service
> instance and keytab file for the telnet service in AD, and importing into
> the unix keytab file, I cannot telnet into unix via kerberos. I have
> followed Microsoft's doc on inter-operability, but cannot get the services
> side of kerberos to work.
> 
> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> cross-realm authentication still need to be set up?
> It is the same kerberos realm, the unix machine points to the 2000 KDC as
> its server.
> 
> Any help is VERY appreciated
> Ryan
> 
> 
