service principals in AD fro unix kerberos clients
Ryan Odgers
odgersr at out.co.za
Fri Jan 23 07:14:29 EST 2004
Hi Doug,
still on win2000
I can authenticate and get tgt ticket with kinit
I can get service ticket with kinit -S
pamkrbval returns all PASSED
nsquery search against ldap returns values in AD
(I still seem to need a dummy entry in /etc/passwd for kerberos to create
credential cache)??
Well, don't know what else to do
Thanks
"Doug Lamoureux" <douglamoureux at yahoo.com> wrote in message
news:2lXPb.12843$Js5.9860 at news.cpqcorp.net...
> Ryan,
> Are you running Windows 2003? I've just run into a problem with
Win2k3
> encrypting the client tickets with rc4-hmac:
>
> # kinit -S host/myhost.acme.com dougl
> Password for dougl at ATC-W2K3.ACME.COM:
> # klist -e
> Ticket cache: /tmp/krb5cc_0
> Default principal: host/myhost.acme.com at ATC-W2K3.ACME.COM
> Valid starting Expires Service principal
> 01/22/04 09:54:57 01/22/04 19:54:57
host/myhost.acme.com at ATC-W2K3.ACME.COM
> Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>
> etype 23 is RC4-HMAC
>
> (ethereal trace shows rc4-hmac)
>
> I've seen a number of suggestions to set the "Use DES encryption" flag on
the
> users account and reset the password, but that has not resolved the
problem.
>
> Checkout your syslog.log file for potential errors. You don't have to
setup
> cross-realm authentication for ldap-ux/kerberos to work with AD on hp-ux
(you
> will if you want to have multi-domain support). Make sure you can see the
user
> defined in AD:
>
> # pwget -n dougl
> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
> # /usr/contrib/bin/nsquery passwd dougl ldap
>
> Using "ldap" for the passwd policy.
>
> Searching ldap for dougl
> User name: dougl
> User Id: 10001
> Group Id: 20
> Gecos:
> Home Directory: /home/dougl
> Shell: /usr/bin/ksh
>
> Switch configuration: Terminates Search
>
> Then make sure you can use kinit to authenticate:
>
> # kinit dougl
> Password for dougl at ATC-W2K3.ACME.COM:
>
> You can also validate the Kerberos client configuration using pamkrbval:
>
> # /usr/sbin/pamkrbval
>
> Validating the pam configuration files
> ---------- --- --- ------------- -----
>
> Validating the /etc/pam.conf file
> [PASS] : The validation of config file: /etc/pam.conf passed
>
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
> as libpam_updbe library is not configured
>
> Validating the kerberos config file
> ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
>
> Connecting to default Realm
> ---------- -- ------- -----
> [PASS] : Default Realm is issuing tickets
>
> Validating the keytab entry for the host service principal
> ---------- --- ------ ----- --- --- ---- ------- ---------
> /usr/sbin/pamkrbval: Program lacks support for encryption type for this
entry
> [FAIL] : The keytab validation Failed
>
> Cheers,
> Doug
>
>
> Ryan Odgers wrote:
>
> > (I apologize if this has already been posted, I am new to this list)
> >
> > Hi,
> >
> > What is the trick to getting services to work via kerberos?
> >
> > I have been playing around with trying to use kerberos as a SSO for our
> > environment, but am a bit confused.
> >
> > To date:
> > I have installed and configured MS SFU 3.5 (services for Unix) on our
AD,
> > extended the schema.
> > I have an HP-UX 11.11 machine in which I have setup the LDAP client to
talk
> > to the AD via kerberos. I can successfully search the AD and can login
with
> > windows credentials via a keytab created for the host.
> >
> > The telnet service in HP-UX is kerberos aware, but after creating a
service
> > instance and keytab file for the telnet service in AD, and importing
into
> > the unix keytab file, I cannot telnet into unix via kerberos. I have
> > followed Microsoft's doc on inter-operability, but cannot get the
services
> > side of kerberos to work.
> >
> > If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> > cross-realm authentication still need to be set up?
> > It is the same kerberos realm, the unix machine points to the 2000 KDC
as
> > its server.
> >
> > Any help is VERY appreciated
> > Ryan
> >
> >
>
More information about the Kerberos
mailing list