Problem with Kerberos Service
LukePet
luke_pet at yahoo.it
Tue Feb 13 04:14:26 EST 2007
Then... I deleted the krb5.keytab file,
and after that I executed these instructions:
lukesky at lukesky:~$ sudo kadmin -p krbadm/admin
kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it
Now I have this situation:
lukesky at lukesky:~$ sudo klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/13/07 09:56:24 host/lukesky.epiluke.it at EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
   3 02/13/07 09:56:24 host/lukesky.epiluke.it at EPILUKE.IT (DES cbc mode with CRC-32)
but it is still wrong...
lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it at EPILUKE.IT
kinit(v5): Client not found in Kerberos database while getting initial
credentials
or
lukesky at lukesky:~$ kinit -k host/lukesky.epiluke.it at EPILUKE.IT
kinit(v5): Permission denied while getting initial credentials
or
lukesky at lukesky:~$ kinit host/lukesky.epiluke.it at EPILUKE.IT
Password for host/lukesky.epiluke.it at EPILUKE.IT:
kinit(v5): Password incorrect while getting initial credentials
...I don't understand, it is really strange.
What can I do?
The log files say this:
KADMIN.LOG
Feb 13 08:59:25 lukesky.epiluke.it kadmind[4088](info): starting
Feb 13 09:55:07 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_init, krbadm/admin at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185, flavor=6
Feb 13 09:55:18 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_get_principals, *, success, client=krbadm/admin at EPILUKE.IT,
service=kadmin/kdc.epiluke.it at EPILUKE.IT, addr=192.168.182.185
Feb 13 09:56:24 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_randkey_principal, host/lukesky.epiluke.it at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185
Feb 13 09:56:24 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_get_principal, host/lukesky.epiluke.it at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185
Feb 13 10:03:53 lukesky.epiluke.it kadmind[4088](Notice): Request:
kadm5_init, krbadm/admin at EPILUKE.IT, success,
client=krbadm/admin at EPILUKE.IT, service=kadmin/kdc.epiluke.it at EPILUKE.IT,
addr=192.168.182.185, flavor=6
KRB5KDC.LOG
NEEDED_PREAUTH: host/lukesky.epiluke.it at EPILUKE.IT for
krbtgt/EPILUKE.IT at EPILUKE.IT, Additional pre-authentication required
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.182.185: PREAUTH_FAILED:
host/lukesky.epiluke.it at EPILUKE.IT for krbtgt/EPILUKE.IT at EPILUKE.IT, Decrypt
integrity check failed
Feb 13 10:12:02 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18
17 16 23 1 3 2}) 192.168.182.185: CLIENT_NOT_FOUND:
host/kdc.epiluke.it at EPILUKE.IT for krbtgt/EPILUKE.IT at EPILUKE.IT, Client not
found in Kerberos database
KRB5LIB.LOG
Feb 13 08:59:21 lukesky.epiluke.it krb524d[4107](info): No dictionary file
specified, continuing without one.
krb524d: service entry `krb524' not found, using 4444
Other notes:
Now I have re-edited the hosts file using only lukesky.epiluke.it names... and
the situation is:
lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it
kinit(v5): No such file or directory while getting initial credentials
lukesky at lukesky:~$ kinit -k host/lukesky.epiluke.it
kinit(v5): Permission denied while getting initial credentials
lukesky at lukesky:~$ kinit host/lukesky.epiluke.it
Password for host/lukesky.epiluke.it at EPILUKE.IT:
kinit(v5): Password incorrect while getting initial credentials
lukesky at lukesky:~$ kinit pippo
Password for pippo at EPILUKE.IT:
lukesky at lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
Trying 192.168.182.185...
Connected to lukesky.epiluke.it (192.168.182.185).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``pippo at EPILUKE.IT'' ]
Password for pippo:
Login incorrect
It seems that something has changed... What does [ Kerberos V5 accepts you as
``pippo at EPILUKE.IT'' ] mean?
Why does it ask "Password for pippo: "? What do I have to insert?
Christopher D. Clausen wrote:
>
> LukePet <luke_pet at yahoo.it> wrote:
>> So,
>>> What does klist -kte (as root) show?
>>
>> lukesky at lukesky:~$ sudo klist -kte
>> 2 02/08/07 14:13:52 host/lukesky.epiluke.it at EPILUKE.IT (Triple DES
>> cbc mode with HMAC/sha1)
>> 2 02/08/07 14:13:52 host/lukesky.epiluke.it at EPILUKE.IT (DES cbc
>> mode with CRC-32)
>>
>>> Can you kinit -kt host/lukesky.epiluke.it at EPILUKE.IT on this machine?
>>
>> lukesky at lukesky:~$ kinit -kt host/lukesky.epiluke.it at EPILUKE.IT
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>
> Hmm... that looks bad. rm /etc/krb5.keytab and re-extract the
> host/lukesky.epiluke.it keytab into /etc/krb5.keytab from kadmin.
>
>> and If I exec kinit and telnet I have:
>>
>> lukesky at lukesky:~$ kinit pippo
>> Password for pippo at EPILUKE.IT:
>> lukesky at lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
>> Trying 192.168.182.121...
>> Connected to admin.epiluke.it (192.168.182.121).
>> Escape character is '^]'.
>> Password for pippo:
>> Login incorrect
>>
>> Why? What does it mean?
>
> It means it's not using Kerberos, likely b/c of the problem with the host
> keytab. If you get a password prompt, Kerberos ticket forwarding has
> failed and I'd suggest simply Ctrl-C-ing out of telnet.
>
> <<CDC
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
View this message in context: http://www.nabble.com/Problem-with-Kerberos-Service-tf3189386.html#a8940805
Sent from the Kerberos - General mailing list archive at Nabble.com.
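
Added example, not part of the original post and not code from MIT Kerberos: a small Python triage of the krb5kdc.log AS_REQ failures quoted in the message, comparing each failing client principal with the principal that klist -kte lists in the keytab. The sample lines are the post's two entries unwrapped, with "@" written back in place of the archive's " at "; the function names and the regular expression are this example's own assumptions about the log layout shown.

```python
import re

# Constructed sample: the post's two AS_REQ failures, unwrapped to one line
# each, with the archive's " at " written back as "@".
SAMPLE_LOG = """\
Feb 13 10:11:55 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.182.185: PREAUTH_FAILED: host/lukesky.epiluke.it@EPILUKE.IT for krbtgt/EPILUKE.IT@EPILUKE.IT, Decrypt integrity check failed
Feb 13 10:12:02 lukesky.epiluke.it krb5kdc[4106](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.182.185: CLIENT_NOT_FOUND: host/kdc.epiluke.it@EPILUKE.IT for krbtgt/EPILUKE.IT@EPILUKE.IT, Client not found in Kerberos database
"""

# Principal reported by `klist -kte` in the post.
KEYTAB_PRINCIPALS = {"host/lukesky.epiluke.it@EPILUKE.IT"}

# Assumed layout, taken from the failure lines shown in the post. Successful
# (ISSUE) entries use a different layout and do not match.
AS_REQ_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+), (?P<text>.*)$"
)


def parse_as_req_failures(log_text):
    """Return one dict per failed AS_REQ line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        match = AS_REQ_FAILURE.match(line.strip())
        if match is None:
            continue
        event = match.groupdict()
        event["etypes"] = [int(e) for e in event["etypes"].split()]
        events.append(event)
    return events


def triage(events, keytab_principals):
    """Pair each failure with whether its client principal is in the keytab."""
    return [
        (ev["status"], ev["client"], ev["client"] in keytab_principals)
        for ev in events
    ]


if __name__ == "__main__":
    for status, client, in_keytab in triage(
        parse_as_req_failures(SAMPLE_LOG), KEYTAB_PRINCIPALS
    ):
        note = "in keytab" if in_keytab else "NOT the keytab principal"
        print(f"{status:18} {client} ({note})")
```

On the post's log lines this shows that the CLIENT_NOT_FOUND request named host/kdc.epiluke.it, which is not the principal stored in /etc/krb5.keytab, while the PREAUTH_FAILED request named the keytab principal itself.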