Ticket expired with Solaris 8 clients
rmanin@ime.unicamp.br
Mon May 24 11:18:13 EDT 2004
Hi, all!
I'm setting a Kerberos environment, with a Fedora Core/i386 KDC, and some
Fedora and Solaris 8 clients.
The Fedora clients authenticate fine via Kerberos (but I see no "TGS_REQ"
messages in the server's log file, only "AS_REQ" ones. Btw, is that
right?).
My problem is with my Solaris 8 hosts.
Running 'kinit' on Solaris (with the standard Solaris 8 Kerberos clients), it
works fine, and I get a ticket:
-----
guest at navarone:[~]$ kinit rmanin
Password for rmanin at IME.UNICAMP.BR:
guest at navarone:[~]$ klist
Ticket cache: /tmp/krb5cc_1001
Default principal: rmanin at IME.UNICAMP.BR
Valid starting                   Expires                          Service principal
Mon 24 May 2004 12:01:01 PM EST  Mon 24 May 2004 08:01:01 PM EST  krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
        renew until Mon 24 May 2004 12:01:01 PM EST
guest at navarone:[~]$
------
But, when I try to log in using a Kerberos-authenticated account, I get a
"Ticket expired" message when handling the TGS. The krb5kdc log file on my
server shows:
-----
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23 ses=1}, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23 ses=1}, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR, Ticket expired
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR, Ticket expired
-----
I really can't figure out what is happening. Any suggestions?
The pam.conf at the Solaris client looks like:
-----
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
-----
The client's krb5.conf is
-----
guest at navarone:[~]$ cat /etc/krb5/krb5.conf
[libdefaults]
ticket_lifetime = 8h 0m 0s
default_realm = IME.UNICAMP.BR
[realms]
IME.UNICAMP.BR = {
kdc = kerberos.ime.unicamp.br
admin_server = kerberos.ime.unicamp.br
}
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
-----
And the server's kdc.conf is:
-----
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
[realms]
IME.UNICAMP.BR = {
default_principal_flags = forwardable renewable
max_life = 8h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
-----
Thanks!!!
[]s!
Rodolfo
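A small parser for krb5kdc log lines of the kind quoted above, added here as an example and not part of the original post or of MIT Kerberos. It pulls the request type, status and authtime out of each AS_REQ/TGS_REQ line and, for every TGS_REQ rejected with TKT_EXPIRED, reports how far that ticket's authtime lags the ticket the KDC most recently issued to the same client and address; the sample input is the post's two distinct log lines re-joined onto one line each, with the archive's " at " restored to "@".

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two distinct krb5kdc lines from the post, each
# re-joined onto one line (the mail archive wrapped them).
SAMPLE_LOG = """\
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23 ses=1}, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771, rmanin@IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR@IME.UNICAMP.BR, Ticket expired
"""

# One AS_REQ/TGS_REQ line: stamp, host, daemon, type, client address,
# status, authtime, optional etypes, client principal, server, reason.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)

def authtime_utc(epoch: int) -> str:
    """Render a KDC authtime (seconds since the epoch) as ISO-8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_kdc_log(text: str) -> list:
    """Parse AS_REQ/TGS_REQ lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["authtime"] = int(e["authtime"])
            entries.append(e)
    return entries

def find_stale_tgs(entries: list) -> list:
    """For each TGS_REQ rejected with TKT_EXPIRED, report how far its authtime
    lags the newest ticket the KDC issued to the same client and address."""
    last_issue = {}  # (client, ip) -> authtime of the latest AS_REQ ISSUE
    findings = []
    for e in entries:
        key = (e["client"], e["ip"])
        if e["req"] == "AS_REQ" and e["status"] == "ISSUE":
            last_issue[key] = e["authtime"]
        elif e["req"] == "TGS_REQ" and e["status"] == "TKT_EXPIRED":
            issued = last_issue.get(key)
            findings.append({"client": e["client"], "ip": e["ip"],
                             "expired_authtime": authtime_utc(e["authtime"]),
                             "gap_seconds": None if issued is None else issued - e["authtime"]})
    return findings
```

On the sample, the rejected TGS_REQ carries authtime 1085410771 while the AS_REQ logged in the same second issued authtime 1085411207, a gap of 436 seconds, so the ticket the login presented is not the one the KDC had just handed out; the UTC rendering (15:06:47Z against the KDC's local 12:06:47 stamp) also lets you line the KDC's epoch values up against the client's klist output when checking for clock skew.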