Can use kerberized telnet, but cannot use pam_krb5
Douglas E. Engert
deengert at anl.gov
Wed Feb 1 11:21:00 EST 2006
Ralf Hildebrandt wrote:
> I'm at my wits' end.
>
> I'm trying to use a Win2k ADS/Kerberos Infrastructure with Debian
> GNU/Linux clients.
>
Did you add the host account to AD?
Did you run the MS ktpass to set the service principal in the account,
set the password on the account, and generate a keytab file?
Did you copy the keytab file back to the Unix system?
See
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
> What I can do on the host:
>
> ----------- snip ----------
> # kinit -V hildeb
> Password for hildeb@CHARITE.DE:
> Authenticated to Kerberos v5
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hildeb@CHARITE.DE
>
> Valid starting     Expires            Service principal
> 02/01/06 12:58:23  02/01/06 22:58:25  krbtgt/CHARITE.DE@CHARITE.DE
>         renew until 02/02/06 12:58:23
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> ----------- snip ----------
>
> I can also use the kerberized telnetd (/usr/bin/telnet.krb5 from the
> krb5-clients package) and log into that host successfully (with the
> username & password that the win2k provides).
This should have had the same error; there are options to turn off
the verify in this case, but turning it off does open a security hole.
>
> What I can't do: I'm trying to use
> libpam-krb5 1.2.0-1 PAM module for MIT Kerberos
>
> as PAM modules for OpenVPN:
>
>
> ----------- snip ----------
> # PAM configuration for OpenVPN
> auth sufficient pam_krb5.so debug ignore_root
> account required pam_krb5.so debug ignore_root
> ----------- snip ----------
>
> any login attempt from openvpn results in:
>
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_authenticate: entry
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: openvpn-krb5
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
This implies it can not find the keytab file entry for the host.
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_acct_mgmt: entry
>
> and openvpn crashes afterwards...
That is some other problem...
>
> Questions:
> ==========
>
> What does "verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found" mean?
> I probably need to get rid of that error in order to get things flying.
>
See above.
> My /etc/krb5.conf is attached.
>
>
>
> ------------------------------------------------------------------------
>
> [libdefaults]
> default_realm = CHARITE.DE
> # that really is the domain name. Funnily enough, other institutions always seem to
> # make DNS domain == Win2k domain. Ours is different :(
> # UPPER CASE is important!!
>
> clockskew = 300
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> # dns_lookup_kdc = true
>
> [realms]
> CHARITE.DE = {
> # kdc = DC-CHARITE-1.CHARITE.DE
> # kdc = dc-charite-2.charite.de
> # kdc = dc-charite-3.charite.de
> kdc = dc-charite-4.charite.de
> default_domain = CHARITE.DE
> kpasswd_server = DC-CHARITE-1.CHARITE.DE
> }
>
> [domain_realm]
> .charite.de = CHARITE.DE
>
> [logging]
> default = FILE:/var/log/krb5lib.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = true
> }
>
>
>
> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
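Added example, not part of the thread and not pam_krb5's own code: the "Key table entry not found" message above comes from pam_krb5 looking up the host/<fqdn>@REALM key in the keytab before it trusts the TGT. The script below reads an MIT-format (version 0x0502) keytab, the format ktpass and ktutil write, lists what it actually contains, and checks for that exact entry the way the lookup does (the match is case-sensitive, so an SPN typed as HOST/... on the ktpass command line does not satisfy a lookup for host/...). It also flags a key whose enctype is not among the client's default_tgs_enctypes, since the client only asks for service tickets in those types. The FQDN vpn-gw-int.charite.de, the kvno values and the key bytes are assumptions constructed for the demonstration.

```python
# Added example (not from the thread): parse an MIT keytab and check for the
# host/<fqdn>@REALM key that pam_krb5's TGT verification needs.  Hostnames,
# kvno values and key bytes below are constructed for the demonstration.
import struct
from collections import namedtuple

# Enctype numbers from RFC 3961 and the MIT enctype table.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key timestamp")


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab (big-endian; realm not counted in num_components)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) != size:
            raise ValueError("truncated keytab entry at offset %d" % pos)
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(entry, p)
            comps.append(comp)
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key itself
        _name_type, timestamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", entry, p)
        p += 13
        key = entry[p:p + keylen]
        p += keylen
        kvno = vno8
        if size - p >= 4:                 # optional 32-bit kvno extension overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key, timestamp))
    return entries


def build_keytab(entries, timestamp=1138795200):
    """Write a version 0x0502 keytab from (principal, kvno, enctype, key) tuples (used
    here only to construct sample files offline)."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    out = [b"\x05\x02"]
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + counted(realm.encode())
        body += b"".join(counted(c.encode()) for c in comps)
        body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key))  # name_type 1 = NT-PRINCIPAL
        body += key + struct.pack(">I", kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def check_host_key(entries, fqdn, realm, client_enctypes):
    """Mirror the lookup done before a TGT is trusted: an exact, case-sensitive match on
    host/<fqdn>@REALM whose enctype the client will ask for.  Returns (ok, message)."""
    wanted = "host/%s@%s" % (fqdn, realm)
    matches = [e for e in entries if e.principal == wanted]
    if not matches:
        near = sorted({e.principal for e in entries if e.principal.lower() == wanted.lower()})
        hint = "; case-mismatched entries present: %s" % ", ".join(near) if near else ""
        return False, "Key table entry not found for %s%s" % (wanted, hint)
    names = ["%s (kvno %d)" % (ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno) for e in matches]
    if not any(e.enctype in client_enctypes for e in matches):
        return False, "%s present only as %s, none of which is in default_tgs_enctypes" % (wanted, ", ".join(names))
    return True, "%s: %s" % (wanted, ", ".join(names))


# Constructed sample keytabs (not from the thread).  The enctype list is the one
# from the posted krb5.conf: des3-hmac-sha1 (16) and des-cbc-crc (1).
CLIENT_ENCTYPES = (16, 1)
GOOD_KEYTAB = build_keytab([("host/vpn-gw-int.charite.de@CHARITE.DE", 2, 1, bytes(range(8)))])
# Same host, but the SPN was typed as HOST/... so the first component differs in case.
BAD_KEYTAB = build_keytab([("HOST/vpn-gw-int.charite.de@CHARITE.DE", 2, 1, bytes(range(8)))])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        ok, msg = check_host_key(parse_keytab(kt), "vpn-gw-int.charite.de", "CHARITE.DE", CLIENT_ENCTYPES)
        print(label, "OK" if ok else "FAIL", msg)
```

Against a real client, run check_host_key over parse_keytab(open("/etc/krb5.keytab", "rb").read()) with the host's canonical FQDN; a "case-mismatched entries present" result means ktpass was given the SPN in different case than the name the PAM module builds from the hostname, and a missing entry altogether means the keytab produced on the domain controller never reached this host or was written to a path other than the default keytab.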