Authentication using the KRB5A method issues (AIX-AD)

Christopher D. Clausen cclausen at acm.org
Wed Feb 14 04:06:35 EST 2007


Mohamad Nurhafiza <nurhafiza.mohamad at volvo.com> wrote:
> I did the single sign on working, but now I'm trying to do AIX
> authenticate using kerberos to a 2003 AD without ticket verification
> (non single sign on)
>
> Now..the password changes in AD are immediately noticed by client (AIX).
>
> But I still have problem with ssh telnet and ftp.
>
> and I have my tgt_verify flag=false in order not to use keytab file...
>
> I can use the same user's password on the aix machine (even after
> password reset in AD)
> bash-3.00# /usr/krb5/bin/kinit test5
> Password for test5 at DALABB.VOLVO.NET:
> bash-3.00#

Is that kinit part of the AIX krb.client.rte fileset?  Or are you using 
MIT Kerberos that you compiled from source?

> but not ssh, telnet or ftp...
>
> ssh result:
> ----------
> bash-3.00# ssh test4 at vx32
> test4 at vx32's password:
> Permission denied, please try again.
> test4 at vx32's password:

That's pretty useless.  Run sshd as sshd -D -ddd -p 222 and then run 
ssh -vvv -p 222 and send the output of both so that you can actually 
check for errors.

> telnet result:
> ------------
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: Unsupported key table format version number ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: Unsupported key table format version number ]

That is somewhat more useful.  As it states above, there is something in 
the keytab file that telnet doesn't like.

Run klist -k /var/krb5/security/keytab/`hostname`.keytab as root.  If 
that doesn't work, look in /var/krb5/security/keytab/ for an old keytab 
file and possibly delete or rename it.  AIX looks there for a keytab 
file by default, instead of the usual /etc/krb5.keytab or 
/etc/krb5/krb5.keytab.

> my krb5.conf (this is the thousandth time this file has been edited already)...but this
> one works with the single sign on...
> ====================================
> [libdefaults]
> default_realm = X.Y.NET
> # default_keytab_name = FILE:/etc/krb5/krb5.keytab //someone asked me
> to try to comment it but it doesn't make a difference
> # default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
> des-cbc-md5 des-cbc-crc
> # default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
> des-cbc-md5 des-cbc-crc
> default_tkt_enctypes = des-cbc-crc des-cbc-md5
> default_tgs_enctypes = des-cbc-crc des-cbc-md5

It's generally a bad idea to hardcode enctypes like the above.  I'd 
recommend commenting out the above two lines.

> KRB5A:
> program = /usr/lib/security/KRB5A
> program_64 = /usr/lib/security/KRB5A_64
> # options = authonly
> options = tgt_verify = no

Hmm... Try options = tgt_verify=no just in case the spaces matter.  In 
theory this should prevent KRB5A from looking at the keytab, but from 
the telnet output, it seems that either telnetd is still trying to do 
Kerberos/GSSAPI authentication or the tgt_verify option isn't working.

And can you get the KDC logs when you try using ssh or telnet?

<<CDC 
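
An added example, not part of this thread and not code from AIX or MIT krb5: a small Python reader that inspects a keytab the way the klist -k advice above does, reporting the format version and listing the entries, and failing with the same "Unsupported key table format version number" wording when the two-byte header is not 05 01 or 05 02. It parses only the 0x0502 layout; the sample keytab bytes, the principal host/vx32@X.Y.NET, the timestamp and the all-zero key are constructed placeholders.

```python
import struct

def parse_keytab(data):
    # Header check mirrors libkrb5: anything but 05 01 / 05 02 is KRB5_KEYTAB_BADVNO,
    # the error behind the telnetd message quoted in the thread.
    if len(data) < 2 or data[0] != 0x05 or data[1] not in (1, 2):
        raise ValueError("Unsupported key table format version number")
    if data[1] == 1:
        raise NotImplementedError("v1 keytabs use host byte order; not handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size == 0:                      # empty slot: nothing more to read
            break
        if size < 0:                       # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []                       # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 4                           # name_type (v2 only), not needed for a listing
        _ts, vno8, enctype, klen = struct.unpack_from(">IBHH", data, pos)
        pos += 9 + klen                    # step over timestamp, vno8, enctype, key length, key
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8  # 32-bit kvno if present
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return 2, entries

def describe_keytab(data):
    try:
        _ver, entries = parse_keytab(data)
    except (ValueError, NotImplementedError) as exc:
        return "BAD keytab: " + str(exc)
    return "ok: " + ", ".join("%s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"])
                              for e in entries)

def _entry(realm, comps, kvno, enctype, key, ts=1171400000, name_type=1):
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, ts, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed samples (placeholder principal, all-zero key, enctype 23 = arcfour-hmac).
SAMPLE_KEYTAB = b"\x05\x02" + _entry("X.Y.NET", ["host", "vx32"], 3, 23, b"\x00" * 16)
TEXT_FILE = b"host/vx32@X.Y.NET\n"       # a keytab copied over as text has no valid header
```

Feed it the bytes of /var/krb5/security/keytab/`hostname`.keytab to learn whether the file telnetd rejects has a valid header at all, before deleting or regenerating it.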