Ticket expired with Solaris 8 clients

Kiran Kumar M mkiran at india.hp.com
Tue May 25 02:44:23 EDT 2004


Check the times on both the KDC and the Solaris client; they should be within 5
mins of each other.

rmanin at ime.unicamp.br wrote:

> Hi, all!
>
> I'm setting up a Kerberos environment, with a Fedora Core/i386 KDC, and some
> Fedora and Solaris 8 clients.
>
> The Fedora clients authenticate fine via Kerberos (but I see no "TGS_REQ"
> messages at the server's log file - only "AS_REQ" ones.  Btw, is it
> right?).
>
> My problem is with my Solaris 8 hosts.
>
> Running 'kinit' at Solaris (with standard Solaris 8 kerberos clients), it
> works fine, and I get a ticket:
>
> -----
> guest at navarone:[~]$ kinit rmanin
> Password for rmanin at IME.UNICAMP.BR:
> guest at navarone:[~]$ klist
> Ticket cache: /tmp/krb5cc_1001
> Default principal: rmanin at IME.UNICAMP.BR
>
> Valid starting                              Expires  Service principal
> Mon 24 May 2004 12:01:01 PM EST  Mon 24 May 2004 08:01:01 PM EST
> krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
>         renew until Mon 24 May 2004 12:01:01 PM EST
> guest at navarone:[~]$
> ------
>
> But, when I try to log in using a kerberos authenticated account, I get a
> "Ticket expired" message when handling the TGS.  The krb5dc log file at my
> server shows:
>
> -----
> May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes
> {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23
> ses=1}, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
> May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes
> {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23
> ses=1}, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
> May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes
> {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771,
> rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR, Ticket
> expired
> May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes
> {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771,
> rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR, Ticket
> expired
> -----
>
> I really can't figure out what is happening.  Any suggestions????
>
> The pam.conf at the Solaris client looks like:
>
> -----
> # Authentication management
> #
> other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
> other   auth required   /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> #
> # Account management
> #
> # pam_krb5 has a no-op account module, so we don't bother listing it here
> #
> other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> other   account required        /usr/lib/security/$ISA/pam_projects.so.1
> other   account required        /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Session management
> #
> # pam_krb5 destroys any credential cache on session close, so it's good
> # to have it here.  However, we also need pam_unix to be called, so don't
> # make pam_krb5 "sufficient".
> #
> other   session optional        /usr/lib/security/$ISA/pam_krb5.so.1
> other   session required        /usr/lib/security/$ISA/pam_unix.so.1
> #
> # Password management
> #
> other   password sufficient     /usr/lib/security/$ISA/pam_unix.so.1
> other   password required       /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> -----
>
> The client's krb5.conf is
>
> -----
> guest at navarone:[~]$ cat /etc/krb5/krb5.conf
> [libdefaults]
>         ticket_lifetime = 8h 0m 0s
>         default_realm = IME.UNICAMP.BR
>
> [realms]
>         IME.UNICAMP.BR = {
>                 kdc = kerberos.ime.unicamp.br
>                 admin_server = kerberos.ime.unicamp.br
>         }
>
> [logging]
>         default = FILE:/var/krb5/kdc.log
>         kdc = FILE:/var/krb5/kdc.log
>         kdc_rotate = {
>                 period = 1d
>                 versions = 10
>         }
>
> [appdefaults]
>         kinit = {
>                 renewable = true
>                 forwardable= true
>         }
> -----
>
> And the server's kdc.conf is:
>
> -----
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
>
> [realms]
>  IME.UNICAMP.BR = {
>   default_principal_flags = forwardable renewable
>   max_life = 8h 0m 0s
>   master_key_type = des-cbc-crc
>   supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>  }
> -----
>
> Tnks!!!
>
> []s!
> Rodolfo
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
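
A triage aid for the log excerpt quoted above, added here as an example and not written by either poster: it reads krb5kdc log lines, uses each AS_REQ ISSUE entry to map the syslog stamp to the KDC's epoch clock, and reports TGTs rejected as TKT_EXPIRED far inside the configured lifetime, which is the pattern that makes the clock comparison suggested in the reply the first thing to check. The function names and the threshold rule (`max_life` minus the 5-minute tolerance) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed input: the two distinct krb5kdc entries quoted in the post, re-joined
# onto single lines. " at " is the list archive's rendering of "@", kept as shown.
SAMPLE_LOG = """\
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): AS_REQ (2 etypes {3 1}) 143.106.77.92: ISSUE: authtime 1085411207, etypes {rep=3 tkt=23 ses=1}, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR
May 24 12:06:47 lvs.ime.unicamp.br krb5kdc[17615](info): TGS_REQ (2 etypes {3 1}) 143.106.77.92: TKT_EXPIRED: authtime 1085410771, rmanin at IME.UNICAMP.BR for krbtgt/IME.UNICAMP.BR at IME.UNICAMP.BR, Ticket expired
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{.*?\}, )?(?P<client>.+?) for "
)

MAX_LIFE = 8 * 3600  # max_life = 8h 0m 0s in the posted kdc.conf
SKEW = 5 * 60        # the 5-minute tolerance named in the reply


def _secs(stamp):
    # Syslog stamps carry no year; a fixed leap year is enough for differencing.
    dt = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
    return int((dt - datetime(2000, 1, 1)).total_seconds())


def early_expiries(log, max_life=MAX_LIFE, skew=SKEW):
    """Return (client, addr, age) for TGTs rejected as expired well inside max_life.

    age = KDC clock at rejection minus the authtime carried in the presented ticket.
    """
    offset, hits = None, []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        if e["req"] == "AS_REQ" and e["status"] == "ISSUE":
            # A fresh AS issue logs the KDC's own clock: calibrate stamp -> epoch.
            offset = int(e["authtime"]) - _secs(e["stamp"])
        elif e["status"] == "TKT_EXPIRED" and offset is not None:
            age = _secs(e["stamp"]) + offset - int(e["authtime"])
            if age < max_life - skew:
                hits.append((e["client"], e["addr"], age))
    return hits


if __name__ == "__main__":
    for client, addr, age in early_expiries(SAMPLE_LOG):
        print(f"{client} from {addr}: TGT rejected as expired {age}s after authtime")
```
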


