Problem with Kerberos Service
Edward Murrell
edward at dlconsulting.com
Wed Feb 7 15:35:04 EST 2007
Firstly... Please don't use telnet. It's just bad. Use the ssh-krb5
package instead.
Moving on...
You seem to have done everything correctly so far. I don't know if
you've installed the
libpam-krb5 package. If not, that may the problem. You should add the
following lines
to the following files;
/etc/pam.d/common-auth
auth sufficient pam_krb5.so ignore_root
/etc/pam.d/common-account
account required pam_krb5.so ignore_root
/etc/pam.d/common-password
password optional pam_krb5.so ignore_root
/etc/pam.d/common-session
session optional pam_krb5.so ignore_root
man pam_krb5 will have more information on how to configure these
options. You may need
to add the following lines to /etc/ssh/sshd_config and restart the
ssh-krb5 servive after installing
the ssh-krb5 package.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPINoMICAuthentication yes
GSSAPICleanupCredentials yes
Hope this helps you some!
Regards,
Edward Murrell
Luca Petrini wrote:
> Hello, I'm italian user and my name is Luca.
>
> I'm working with Kerberos on my Ubuntu 6.10.
>
> I have installed the krb5 packages and configurated the kdc.conf and krb5.conf files. The files are configurate to test the authentication on my local machine.
>
> Now I am trying to active some kerberized service like telnet but I have some problem.
>
> So I've exec thi steps:
>
> 1) Configure the /etc/hosts file:
> 127.0.1.1 laptop
> 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
> 127.0.0.1 localhost localhost.localdomain
>
> and I have configured the /etc/hostname file with this name "lukesky.epiluke.it"
>
> 2) Configure krb5.conf file:
>
> [libdefaults]
> default_realm = EPILUKE.IT
> .
> .
> [realms]
> EPILUKE.IT = {
> kdc = kdc.epiluke.it:88
> admin_server = admin.epiluke.it:749
> }
> .
> .
> [domain_realm]
> .epiluke.it = EPILUKE.IT
> epiluke.it = EPILUKE.IT
> .
> .
>
> 3) Configure kdc.conf file:
>
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> EPILUKE.IT = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
>
> kadmin_port = 749
>
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm desnlyrealm des:afs3
> default_principal_flags = +preauth
> }
>
> 4) Then I have created a db:
> $/usr/sbin/kdb5_util create -r EPILUKE.IT -s
>
> 5) I have created on /etc/krb5kdc directory a new ACL file (kadm5.acl) with this rules:
>
> */admin at EPILUKE.IT *
> */*@EPILUKE.IT i
>
> 6) I have execute kadmin.local:
> >addpol -maxlife "180 days" -minlength 8 -minclasses 3 -history 3 user
> >addpol -maxlife "90 days" -minlength 10 -minclasses 3 -history 6 admin
> >addprinc -policy admin +requires_preauth krbadm/admin
> >addprinc -policy user pippo
> >ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
>
> 7) I have started the server
>
> $/etc/init.d/krb5-kdc restart
> $/etc/init.d/krb5-admin-server restart
>
> Then I have tested the servers:
>
> $kadmin -p krbadm/admin -> OK
> $kinit pippo -> OK
>
> Now I would configure kerberized telnet service but it doesn't work; there is something wrong.
>
> 9) From kadmin I have defined:
>
> >addprinc host/lukesky.epiluke.it at EPILUKE.iT
> >ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it at EPILUKE.IT (??? I'm not sure that it's correct)
>
> 10) I create a new file in /etc/xinet.d/ directory named telnet:
>
> service telnet
> {
> socket_type = stream
> wait = no
> nice = 10
> user = root
> server = /usr/sbin/telnetd
> server_args = -h
> }
>
> 11) I have restarted services
>
> $ /etc/init.d/xinetd restart
>
> Well, at this point I have exec by shell this command:
>
> $telnet -l pippo lukesky.epiluke.it
>
> but the results are:
> Trying 192.168.182.254...
> Connected to admin.epiluke.it (192.168.182.254).
> Escape character is '^]'.
> Password for pippo:
> Login incorrect
>
> if I insert the password the system don't identify the credentials (that instead work on kinit command) and I can't entry on telnet service.
>
> Why?
>
> What can I do?
>
> Can you help me? I'm crazying!
>
> Thanks.
>
> ---------------------------------
> Vinci i biglietti per FIFA World Cup in Germania!
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list