help with Active Directory Kerberos authentication
Rohit Kumar Mehta
rohitm@engr.uconn.edu
Tue Oct 10 17:21:25 EDT 2006
Russ Allbery wrote:
> You aren't seeing host tickets. So it looks to me like the problem is
> that you can't obtain host/nfsv4etch.engr.uconn.edu at AD.ENGR.UCONN.EDU
> tickets from AD.
>
> You should be able to test this directly by running:
>
> kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
>
> to obtain host credentials rather than the normal krbtgt credentials. My
> guess is that you'll find that the host credentials are not in AD for
> some reason.
>
> This will indeed affect both telnet and ssh.
>
I tried that command and it seems to work:
nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
Password for rohitm@AD.ENGR.UCONN.EDU:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rohitm@AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
        renew until 10/11/06 17:19:07

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
However even with the host credentials, I can't get in:
nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
Trying 192.168.1.137...
Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.
nfsv4etch:~# ssh rohitm@nfsv4etch.engr.uconn.edu
rohitm@nfsv4etch.engr.uconn.edu's password:
Permission denied, please try again.
rohitm@nfsv4etch.engr.uconn.edu's password:
Permission denied, please try again.
rohitm@nfsv4etch.engr.uconn.edu's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
I am pretty sure I put the host creds in the AD and generated the keytab
for use on the Linux client. Is there a way to check if my keytab is
correct?
nfsv4etch:~# strings /etc/krb5.keytab
AD.ENGR.UCONN.EDU
host
nfsv4etch.engr.uconn.edu
Also, could it be a problem that I am behind a NAT server?
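An added example, not part of the thread and not MIT or Microsoft code: a reader for the MIT
version-2 keytab format, to show what `strings /etc/krb5.keytab` cannot, namely the kvno and
enctype stored for each principal. The keytab bytes below are constructed in the script (dummy key
bytes, kvno 3, RC4 and single-DES entries of the kind a 2006-era ktpass produced); the principal
name is the one from the thread. On a real box the same fields come from `klist -kte
/etc/krb5.keytab`, and `kinit -k -t /etc/krb5.keytab host/nfsv4etch.engr.uconn.edu` proves the KDC
actually accepts that key; a kvno in the keytab that differs from the kvno on a freshly obtained
host ticket is the usual reason a service ticket is issued but the daemon cannot decrypt it.

```python
import struct

# Encryption-type numbers from RFC 3961 / MIT krb5 (the ones commonly seen from AD).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(b):
    # keytab "counted octet string": 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as an MIT v2 keytab.
    Only used here to construct sample input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")                    # v2 magic: every integer big-endian
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))        # component count (realm excluded in v2)
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)                # name type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">I", timestamp)
        body += struct.pack(">B", kvno & 0xFF)      # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)             # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body  # entry length; negative = deleted slot
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Decode an MIT v2 keytab into dicts with principal, kvno, enctype, timestamp, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab, magic %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # deleted entry: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp = struct.unpack_from(">II", data, pos)
        kvno = data[pos + 8]
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key = data[pos:pos + keylen]
        pos += keylen
        if end - pos >= 4:            # 32-bit vno present; MIT uses it when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, "etype %d" % enctype),
                        "timestamp": timestamp, "key": key})
    return entries


def check_service_principal(entries, principal):
    """Is `principal` in the keytab, and with which kvnos and enctypes?"""
    hits = [e for e in entries if e["principal"] == principal]
    return {"found": bool(hits),
            "kvnos": {e["kvno"] for e in hits},
            "enctypes": sorted(e["enctype"] for e in hits)}


# Constructed sample keytab (dummy key bytes, not real key material).
HOST_PRINCIPAL = "host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU"
SAMPLE_KEYTAB = build_keytab([(HOST_PRINCIPAL, 3, 23, bytes(range(16)), 1160515147),
                              (HOST_PRINCIPAL, 3, 3, bytes(range(8)), 1160515147)])
# Same keytab with a deleted 8-byte slot in front, as in-place entry removal leaves behind.
SAMPLE_KEYTAB_WITH_HOLE = (SAMPLE_KEYTAB[:2] + struct.pack(">i", -8) + b"\0" * 8
                           + SAMPLE_KEYTAB[2:])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):       # same columns as `klist -kte`
        print("%4d  %-22s  %s" % (e["kvno"], e["enctype"], e["principal"]))
    print(check_service_principal(parse_keytab(SAMPLE_KEYTAB), HOST_PRINCIPAL))
```

To run this against the real file, replace SAMPLE_KEYTAB with `open("/etc/krb5.keytab", "rb").read()`
as root; a keytab whose enctypes or kvno do not match what the KDC issued will show up here as a
wrong kvno or a missing enctype, which the `strings` output above cannot reveal.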