Problem with Kerberos Service

LukePet luke_pet at yahoo.it
Tue Feb 13 04:14:26 EST 2007


Then... I deleted the krb5.keytab file

and afterwards I executed these instructions:
lukesky at lukesky:~$ sudo kadmin -p krbadm/admin
kadmin:  ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it

now I have this situation:
lukesky at lukesky:~$ sudo klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/13/07 09:56:24 host/lukesky.epiluke.it at EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
   3 02/13/07 09:56:24 host/lukesky.epiluke.it at EPILUKE.IT (DES cbc mode with CRC-32)

but it is still wrong.....
lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it at EPILUKE.IT
kinit(v5): Client not found in Kerberos database while getting initial
credentials

or

lukesky at lukesky:~$ kinit -k host/lukesky.epiluke.it at EPILUKE.IT
kinit(v5): Permission denied while getting initial credentials

or

lukesky at lukesky:~$ kinit host/lukesky.epiluke.it at EPILUKE.IT
Password for host/lukesky.epiluke.it at EPILUKE.IT: 
kinit(v5): Password incorrect while getting initial credentials

.....I don't understand, it is really strange.

What can I do?

The log files say this:

KADMIN.LOG
Feb 13 08:59:25 lukesky.epiluke.it kadmind[4088](info): starting
Feb 13 09:55:07 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_init, krbadm/admin at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185, flavor=6
Feb 13 09:55:18 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_get_principals, *, success, client=krbadm/admin at EPILUKE.IT,
service=kadmin/kdc.epiluke.it at EPILUKE.IT, addr=192.168.182.185
Feb 13 09:56:24 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_randkey_principal, host/lukesky.epiluke.it at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185
Feb 13 09:56:24 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_get_principal, host/lukesky.epiluke.it at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185
Feb 13 10:03:53 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_init, krbadm/admin at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185, flavor=6

KRB5KDC.LOG
NEEDED_PREAUTH: host/lukesky.epiluke.it at EPILUKE.IT for
krbtgt/EPILUKE.IT at EPILUKE.IT, Additional pre-authentication required
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.182.185: PREAUTH_FAILED:
host/lukesky.epiluke.it at EPILUKE.IT for krbtgt/EPILUKE.IT at EPILUKE.IT, Decrypt
integrity check failed
Feb 13 10:12:02 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.182.185: CLIENT_NOT_FOUND:
host/kdc.epiluke.it at EPILUKE.IT for krbtgt/EPILUKE.IT at EPILUKE.IT, Client not
found in Kerberos database

KRB5LIB.LOG
Feb 13 08:59:21 lukesky.epiluke.it krb524d[4107](info): No dictionary file
specified, continuing without one.
krb524d: service entry `krb524' not found, using 4444


Other notes:

Now I have re-edited the hosts file using only lukesky.epiluke.it names... and
the situation is:

lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it
kinit(v5): No such file or directory while getting initial credentials
lukesky at lukesky:~$ kinit -k host/lukesky.epiluke.it
kinit(v5): Permission denied while getting initial credentials
lukesky at lukesky:~$ kinit host/lukesky.epiluke.it
Password for host/lukesky.epiluke.it at EPILUKE.IT: 
kinit(v5): Password incorrect while getting initial credentials
lukesky at lukesky:~$ kinit pippo
Password for pippo at EPILUKE.IT: 
lukesky at lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
Trying 192.168.182.185...
Connected to lukesky.epiluke.it (192.168.182.185).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``pippo at EPILUKE.IT'' ]
Password for pippo: 
Login incorrect

It seems that something has changed... what does [ Kerberos V5 accepts you as
``pippo at EPILUKE.IT'' ] mean?

Why does it ask "Password for pippo: "? What do I have to enter?



Christopher D. Clausen wrote:
> 
> LukePet <luke_pet at yahoo.it> wrote:
>> So,
>>> What does klist -kte (as root) show?
>>
>> lukesky at lukesky:~$ sudo klist -kte
>>   2 02/08/07 14:13:52 host/lukesky.epiluke.it at EPILUKE.IT (Triple DES
>> cbc mode with HMAC/sha1)
>>   2 02/08/07 14:13:52 host/lukesky.epiluke.it at EPILUKE.IT (DES cbc
>> mode with CRC-32)
>>
>>> Can you kinit -kt host/lukesky.epiluke.it at EPILUKE.IT on this machine?
>>
>> lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it at EPILUKE.IT
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
> 
> Hmm... that looks bad.  rm /etc/krb5.keytab and re-extract the 
> host/lukesky.epiluke.it keytab into /etc/krb5.keytab from kadmin.
> 
>> and If I exec kinit and telnet I have:
>>
>> lukesky at lukesky:~$ kinit pippo
>> Password for pippo at EPILUKE.IT:
>> lukesky at lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
>> Trying 192.168.182.121...
>> Connected to admin.epiluke.it (192.168.182.121).
>> Escape character is '^]'.
>> Password for pippo:
>> Login incorrect
>>
>> why? what does it mean?
> 
> It means it's not using Kerberos, likely b/c of the problem with the host 
> keytab.  If you get a password prompt Kerberos ticket forwarding has 
> failed and I'd suggest simply Ctrl-C-ing out of telnet.
> 
> <<CDC 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

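As an added example (not part of the original message or of MIT Kerberos): a short Python triage that pairs each failed AS_REQ in krb5kdc.log with what `klist -kte` reports for the keytab, using the two excerpts quoted in this thread. The sample input is constructed from those excerpts, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the thread's excerpts: wrapped lines
# joined, the archive's " at " written as "@", first timestamp assumed.
KDC_LOG = """\
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.182.185: NEEDED_PREAUTH: host/lukesky.epiluke.it@EPILUKE.IT for krbtgt/EPILUKE.IT@EPILUKE.IT, Additional pre-authentication required
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.182.185: PREAUTH_FAILED: host/lukesky.epiluke.it@EPILUKE.IT for krbtgt/EPILUKE.IT@EPILUKE.IT, Decrypt integrity check failed
Feb 13 10:12:02 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.182.185: CLIENT_NOT_FOUND: host/kdc.epiluke.it@EPILUKE.IT for krbtgt/EPILUKE.IT@EPILUKE.IT, Client not found in Kerberos database
"""
KLIST = """\
   3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
   3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)
"""
AS_REQ = re.compile(
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<text>.*)$")
KT_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+@\S+)\s+\(.+\)\s*$")

def keytab_principals(klist_output):
    """Map each principal in `klist -kte` output to its set of KVNOs."""
    found = {}
    for line in klist_output.splitlines():
        m = KT_ROW.match(line)
        if m:
            found.setdefault(m["princ"], set()).add(int(m["kvno"]))
    return found

def triage(kdc_log, klist_output):
    """Return (status, client, keytab_kvnos, hint) per failed AS_REQ."""
    keytab = keytab_principals(klist_output)
    findings = []
    for line in kdc_log.splitlines():
        m = AS_REQ.search(line)
        if not m or m["status"] in ("ISSUE", "NEEDED_PREAUTH"):
            continue  # ticket issued, or the normal first leg of preauth
        client = m["client"]
        held = sorted(keytab.get(client, ()))
        if m["status"] == "CLIENT_NOT_FOUND":
            hint = "KDC has no such principal; keytab " + (
                "holds it" if held else "lacks it too, check how the name was derived")
        elif m["status"] == "PREAUTH_FAILED":
            hint = "key used by the client does not match the KDC's key"
        else:
            hint = m["text"]
        findings.append((m["status"], client, held, hint))
    return findings
```

On this input the PREAUTH_FAILED request names the principal that is in the keytab (KVNO 3), while the CLIENT_NOT_FOUND request names host/kdc.epiluke.it, which the keytab does not contain.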