some problems.

wbyte wbyte at sgicrew.org
Sat Mar 27 09:16:32 EST 2004 

Hello,
I got some problems with krb5.
I don't have any experience with it.
May be the problem is somewhere in configuration files,
so I showed them.

#cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = realm.wbyte.org
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-cr

[realms]
  realm.wbyte.org = {
  kdc = wbyte.org
  admin_server = wbyte.org
  default_domain = wbyte.org
 }

  realm.wbyte.org = {
 }

[domain_realm]
 .wbyte.org = realm.wbyte.org
 wbyte.org = realm.wbyte.org

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   telnet = {
        forward = true
        encrypt = true
        autologin = true
    }
 }
#cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
  realm.wbyte.org = {
  profile = /etc/krb5.conf
  database_name = /var/kerberos/krb5kdc/principal
  kadmind_port = 749
  kdc_ports = 88
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des3-cbc-sha1:norealm 
des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal 
des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 
des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm 
des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm 
des-cbc-md5:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 
des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }

[logging]
    kdc = FILE:/usr/local/var/krb5kdc/kdc.log
    admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log




All serverices seems to work fine. I can login using kerberos passwords. 
When i tried to create encryption session:

# ksu wbyte
Changing uid to wbyte (500)
jk[wbyte at wbyte etc]$ kinit
Password for wbyte at realm.wbyte.org:
[wbyte at wbyte etc]$ krb524init
[wbyte at wbyte etc]$ klist
Ticket cache: FILE:/tmp/krb5cc_500.1
Default principal: wbyte at realm.wbyte.org

Valid starting     Expires            Service principal
03/27/04 08:54:05  03/27/04 18:54:05  
krbtgt/realm.wbyte.org at realm.wbyte.org
03/27/04 08:54:09  03/27/04 18:54:05  
krbtgt/realm.wbyte.org at realm.wbyte.org


Kerberos 4 ticket cache: /tmp/tkt500
Principal: wbyte at realm.wbyte.org

  Issued              Expires             Principal
03/27/04 08:54:09  03/27/04 18:49:09  
krbtgt.realm.wbyte.org at realm.wbyte.org
[wbyte at wbyte etc]$ telnet -f -a -x wbyte.org
Trying 192.168.10.32...
Connected to wbyte.org (192.168.10.32).
Escape character is '^]'.
Waiting for encryption to be negotiated...

Authentication negotation has failed, which is required for
encryption.  Good bye.
[wbyte at wbyte etc]$ telnet -f -a -x
telnet> toggle authdebug
auth debugging enabled
telnet> open wbyte.org
Trying 192.168.10.32...
Connected to wbyte.org (192.168.10.32).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 1 2
>>>TELNET: I support auth type 1 0
Waiting for encryption to be negotiated...
>>>TELNET: auth_send got: 02 06 02 02 02 00
>>>TELNET: He supports 2
>>>TELNET: Trying 2 6
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos 
database)
>>>TELNET: Sent failure message

Authentication negotation has failed, which is required for
encryption.  Good bye.
[wbyte at wbyte etc]$

Anyway the only services which works fine is kshell.

The other problem is kadmin:
[wbyte at wbyte etc]$ kadmin -p wbyte
Authenticating as principal wbyte with password.
Enter password:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
[wbyte at wbyte etc]$

here's the kadmin error log:
Mar 27 08:55:10 wbyte.org kadmind[3583](Notice): Authentication attempt 
failed: 192.168.10.32, GSS-API error strings are:
Mar 27 08:55:10 wbyte.org kadmind[3583](Notice):     Miscellaneous failure
Mar 27 08:55:10 wbyte.org kadmind[3583](Notice):     Key version number 
for principal in key table is incorrect
Mar 27 08:55:10 wbyte.org kadmind[3583](Notice):    GSS-API error strings 
complete.


 
Thanks, and sorry for bad the english.

More information about the Kerberos mailing list