Authentication using the KRB5A method issues (AIX-AD)
Mohamad Nurhafiza
nurhafiza.mohamad at volvo.com
Wed Feb 14 02:47:51 EST 2007
I got single sign-on working, but now I'm trying to get AIX to
authenticate using Kerberos to a 2003 AD without ticket verification
(non single sign-on).
Now the password changes in AD are immediately noticed by the client (AIX).
But I still have problems with ssh, telnet and ftp,
and I have my tgt_verify flag=false in order not to use the keytab file...
I can use the same user's password on the AIX machine (even after the
password reset in AD):
bash-3.00# /usr/krb5/bin/kinit test5
Password for test5@DALABB.VOLVO.NET:
bash-3.00#
but not ssh, telnet or ftp...
ssh result:
----------
bash-3.00# ssh test4@vx32
test4@vx32's password:
Permission denied, please try again.
test4@vx32's password:
telnet result:
------------
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
failed: Unsupported key table format version number ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
failed: Unsupported key table format version number ]
telnet (vx32)
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2005.
login: test4
test4's Password:
3004-007 You entered an invalid login name or password.
login:
my krb5.conf (this file has been edited a thousand times already)... but this
one works with single sign-on...
====================================
[libdefaults]
default_realm = X.Y.NET
# default_keytab_name = FILE:/etc/krb5/krb5.keytab // someone asked me to try commenting it out, but it doesn't make a difference
# default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
X.Y.NET = {
kdc = abc.x.y.net:88
admin_server = abc.x.y.net:749
default_domain = x.y.net
}
[domain_realm]
.x.y.net = X.Y.NET
abc.x.y.net = X.Y.NET
# abc.x.y.net = X.Y.NET
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
=======================================
my methods.cfg (also edited a thousand times)
=======================================
KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
# options = authonly
options = tgt_verify = no
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A
NIS:
program = /usr/lib/security/NIS
program_64 = /usr/lib/security/NIS_64
DCE:
program = /usr/lib/security/DCE
LDAP:
program = /usr/lib/security/LDAP
program_64 = /usr/lib/security/LDAP64
PAM:
program = /usr/lib/security/PAM
PAMfiles:
options = auth=PAM,db=BUILTIN
======================================
This is how I create the user in AIX (client):
bash-3.00# mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=dalabb.volvo.net test5
bash-3.00# su test5
bash-3.00# whoami
test5
bash-3.00# lsauthent
Kerberos 5
Standard Aix
bash-3.00# echo $AUTHSTATE
compat
When I tried ssh -v, below is the output. It still prompts for the
password again:
bash-3.00# ssh -v test5@vx32
OpenSSH_4.2p1, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /soe3/opt/openssh-4.2p1/etc/ssh_config
debug1: Connecting to vx32 [131.97.95.41] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vx32' is known and matches the DSA host key.
debug1: Found key in /.ssh/known_hosts:4
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
test5@vx32's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
test5@vx32's password:
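The telnetd error above comes from krb5_rd_req rejecting the keytab it was handed, and that error is raised purely on the file's two-byte header. As an added check that is not part of the original post, this Python reads the header and, for the version-2 keytab layout, lists each entry's principal, kvno and enctype so the file can be compared against what the KDC holds. The sample keytab bytes and the host principal in them are constructed here, not taken from the poster's system.

```python
import struct

KEYTAB_MAGIC, SUPPORTED_VERSIONS = 0x05, {1, 2}   # header byte 0, accepted byte-1 versions

def keytab_version(data: bytes):
    # None when the header is not one krb5 accepts: the case behind the telnetd
    # error 'Unsupported key table format version number'.
    if len(data) < 2 or data[0] != KEYTAB_MAGIC or data[1] not in SUPPORTED_VERSIONS:
        return None
    return data[1]

def _counted(buf, off):                      # uint16 length prefix + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab_v2(data: bytes):
    # Version-2 keytab (big-endian): return principal, kvno, enctype per entry,
    # without the key bytes themselves.
    if keytab_version(data) != 2:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0: off += -size; continue  # negative size marks a deleted slot
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                             # uint32 name_type, uint32 timestamp
        vno = data[off]                      # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, off + 1)
        off += 5 + klen                      # skip enctype, length and key material
        if end - off >= 4:                   # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno, "enctype": enctype})
        off = end
    return entries

def build_entry(principal, enctype, key, kvno):  # encodes one v2 entry for the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (assumed host principal): one des-cbc-crc (enctype 1) key, kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("host/vx32.x.y.net@X.Y.NET", 1, b"\x01" * 8, 3)
BAD_HEADER = b"\x05\x07" + SAMPLE_KEYTAB[2:]      # same entries, a version byte krb5 rejects
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to keytab_version first; a None result means the file itself, not the realm configuration, is what telnetd is rejecting.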