Kerberizing a unix based application
Ziangi Jones
ziangij at gmail.com
Fri Mar 24 10:51:53 EST 2006
Hi Richard,
Initially, I thought that I had configured Kerberos successfully, but I was wrong :(
I got the TGT when I entered the 2003 username & password on the Linux machine.
Then I tried to telnet to the Linux machine. I entered a Linux username &
password & got the error: "Client not found in Kerberos database while
getting initial credentials..."
Here's my /etc/krb5.conf file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = KERDOM.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 # KERDOMGDC01 is the Windows 2003 domain controller acting as KDC
 KERDOM.COM = {
  kdc = KERDOMGDC01.KERDOM.COM
  default_domain = KERDOM.COM
  admin_server = KERDOMGDC01.KERDOM.COM
 }

[domain_realm]
 .kerdom.com = KERDOM.COM
 kerdom.com = KERDOM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
---------
/var/kerberos/krb5kdc/kdc.conf file:
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 database_name = /var/kerberos/krb5kdc/principal
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 key_stash_file = /var/kerberos/krb5kdc/.k5.KERDOM.COM
 v4_mode = nopreauth

[realms]
 KERDOM.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
I also tried /usr/kerberos/sbin/kdb5_util create -s .
It gave me an error: "/var/kerberos/krb5kdc/principal appears to already
exist."
Please let me know what I am missing.
(KERDOMGDC01 - 2003 domain controller; KERDOM.COM - domain name or realm)
Thank you.
On 23 Mar 2006 14:04:49 -0500, Richard E. Silverman <res at qoxp.net> wrote:
>
> >>>>> "ZJ" == "Ziangi Jones" <ziangij at gmail.com> writes:
>
> ZJ> Hi, I have joined a linux machine (Red Hat Linux Enterprise
> ZJ> Server) to Windows 2003 Server Domain Controller. I have also
> ZJ> configured Kerberos and TGT is received properly (verified using
> ZJ> KLIST) & even telnet is working properly.
>
> ZJ> Please answer my 3 questions: 1. Assume i have setup Kerberos
> ZJ> successfully; if I log-in from my Windows desktop and try to do
> ZJ> telnet to linux machine, then does it mean that i need NOT enter
> ZJ> login name & password; I will get the successful telnet prompt.
>
> If you have a kerberized telnet client that uses the Windows Kerberos API
> (SSPI).
>
> ZJ> 2. Here, do i need to ensure that login user name has to be SAME
> ZJ> in both Linux & 2003 Server AD? Do i need to maintain some kind of
> ZJ> mapping?
>
> If they are not the same, just use telnet -l username & authorize the
> Windows principal in the target RHEL account with ~/.k5login.
>
> --
> Richard Silverman
> res at qoxp.net
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
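Richard's reply turns on the account-to-principal mapping that a kerberized telnetd (or login) applies once the client already holds a ticket: with no ~/.k5login the Windows principal must equal the local username in the default realm; with a ~/.k5login, only the principals listed there are accepted. The error quoted in the mail ("Client not found in Kerberos database while getting initial credentials") happens one step earlier, when the name typed at the prompt is not a principal the KDC knows, so it is not fixed by this mapping. The following is an added example, not code from this thread or from MIT Kerberos: an offline model of that authorization decision, approximating the behaviour of libkrb5's krb5_kuserok(). The realm KERDOM.COM is taken from the posted krb5.conf; the user names and ~/.k5login contents are constructed.

```python
"""Added example (not code from the thread or from MIT krb5): an offline model
of the decision a kerberized telnetd/login makes once the client's Kerberos
identity is known, approximating libkrb5's krb5_kuserok().

  1. No ~/.k5login in the target account: the principal is authorized only if
     it is a single-component principal in the default realm whose name equals
     the local account name (the default aname-to-localname mapping).
  2. ~/.k5login exists: the principal is authorized only if it is listed there.
"""

DEFAULT_REALM = "KERDOM.COM"   # realm from the krb5.conf posted above


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (tuple_of_components, realm).

    A bare name without '@' is qualified with the default realm, as
    krb5_parse_name() does.  Older MIT releases compared the raw .k5login
    string instead, so writing entries fully qualified is the safe habit.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty principal")
    if "@" in text:
        name, realm = text.rsplit("@", 1)
    else:
        name, realm = text, DEFAULT_REALM
    if not name or not realm:
        raise ValueError("malformed principal: %r" % text)
    return tuple(name.split("/")), realm


def default_localname(principal):
    """Default principal -> local name mapping.

    Only 'name@DEFAULT_REALM' with no instance maps to local account 'name';
    ziangi/admin@KERDOM.COM or ziangi@OTHER.COM map to nothing.
    """
    comps, realm = parse_principal(principal)
    if realm != DEFAULT_REALM or len(comps) != 1:
        return None
    return comps[0]


def kuserok(local_user, principal, k5login=None):
    """Return True if `principal` may log in as `local_user`.

    k5login is the text of the account's ~/.k5login, or None when the file
    does not exist.  The real library additionally refuses a .k5login that is
    not owned by the account or by root; ownership is outside this model.
    """
    if k5login is None:
        return default_localname(principal) == local_user
    # File present: authorization comes only from the listed principals,
    # compared component by component rather than as raw strings.
    wanted = parse_principal(principal)
    for line in k5login.splitlines():
        if not line.strip():
            continue
        if parse_principal(line) == wanted:
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: AD user 'ziangi' in KERDOM.COM; local accounts
    # 'ziangi' and 'zjones' on the RHEL box.
    ad_user = "ziangi@KERDOM.COM"
    print(kuserok("ziangi", ad_user))                          # True: names match
    print(kuserok("zjones", ad_user))                          # False: no mapping
    print(kuserok("zjones", ad_user, "ziangi@KERDOM.COM\n"))   # True: via .k5login
    print(kuserok("ziangi", ad_user, "someone@KERDOM.COM\n"))  # False: listed elsewhere
```

The third call is Richard's "telnet -l username" case: the Windows principal differs from the local account, so it must be written into that account's ~/.k5login. The fourth call shows the flip side: once the file exists, even a user whose names match is refused unless listed.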