Problem with Kerberos Service

LukePet luke_pet at yahoo.it
Mon Feb 19 10:13:48 EST 2007


So this is my situation:

I have configured the Kerberized FTP and Telnet services.

Then I have added two user principals to my db; specifically I executed
these instructions:

kadmin:  listprincs
K/M at EPILUKE.IT
ftp/lukesky.epiluke.it at EPILUKE.IT
host/lukesky.epiluke.it at EPILUKE.IT
kadmin/admin at EPILUKE.IT
kadmin/changepw at EPILUKE.IT
kadmin/history at EPILUKE.IT
kadmin/lukesky.epiluke.it at EPILUKE.IT
krbadm/admin at EPILUKE.IT
krbtgt/EPILUKE.IT at EPILUKE.IT
kadmin:  addprinc -policy user lukesky
Enter password for principal "lukesky at EPILUKE.IT": 
Re-enter password for principal "lukesky at EPILUKE.IT": 
Principal "lukesky at EPILUKE.IT" created.
kadmin:  addprinc -policy user romaluca
Enter password for principal "romaluca at EPILUKE.IT": 
Re-enter password for principal "romaluca at EPILUKE.IT": 
Principal "romaluca at EPILUKE.IT" created.
kadmin:  quit
lukesky at lukesky:~$ kinit lukesky
Password for lukesky at EPILUKE.IT: 
lukesky at lukesky:~$ ftp lukesky.epiluke.it
Connected to lukesky.epiluke.it.
220 lukesky.epiluke.it FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (lukesky.epiluke.it:lukesky): lukesky  (----------------------> is it
right to write 'lukesky' as Name?)
232 GSSAPI user lukesky at EPILUKE.IT is authorized as lukesky
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 221 Goodbye.

but if I use romaluca as the user I get this:

lukesky at lukesky:~$ kinit romaluca
Password for romaluca at EPILUKE.IT: 
lukesky at lukesky:~$ ftp lukesky.epiluke.it
Connected to lukesky.epiluke.it.
220 lukesky.epiluke.it FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (lukesky.epiluke.it:lukesky): romaluca
331 GSSAPI user romaluca at EPILUKE.IT is not authorized as romaluca; Password
required.
Password: (------------> why does it ask me for a password?)

With lukesky it seems to work correctly, but with romaluca it works differently.

Can you explain this behavior? I don't understand.




Jeffrey Altman-2 wrote:
> 
> Christopher D. Clausen wrote:
>> LukePet <luke_pet at yahoo.it> wrote:
>>> Ok and about telnet... what can you tell me?
>>>
>>> "lukesky at lukesky:~$ kinit pippo
>>> Password for pippo at EPILUKE.IT:
>>> lukesky at lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
>>> Trying 192.168.182.185...
>>> Connected to lukesky.epiluke.it (192.168.182.185).
>>> Escape character is '^]'.
>>> [ Kerberos V5 accepts you as ``pippo at EPILUKE.IT'' ]
>>> Password for pippo:
>>> Login incorrect
>>>
>>> It seems that something has changed... what does [ Kerberos V5 accepts
>>> you as ``pippo at EPILUKE.IT'' ] mean?
>>>
>>> why does it ask "Password for pippo: "? What do I have to insert? "
>>
>> I don't know why it asks for a password.  The "Kerberos accepts you as" 
>> message should indicate that telnetd has received forwarded Kerberos 
>> credentials from your telnet client.
>>
> The Kerberos v5 accepts you message only indicates that Kerberos
> authentication has succeeded.  It does not indicate whether or not there
> actually exists a local account 'pippo' on the machine, or whether the
> Kerberos principal 'pippo at EPILUKE.IT' maps to that account.
> 
> Nor does the accepts message indicate anything about forwarded
> credentials.  If credentials were forwarded you would see a "remote
> machine has accepted forwarded credentials" message.
> 
> The above telnet session is not using mutual authentication.  That
> would be indicated by a "remote machine has been mutually authenticated"
> message and if there was encryption you would be seeing "output is now
> encrypted" and "input is now decrypted" messages.
> 
> Jeffrey Altman

-- 
View this message in context: http://www.nabble.com/Problem-with-Kerberos-Service-tf3189386.html#a9043785
Sent from the Kerberos - General mailing list archive at Nabble.com.
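The distinction Jeffrey Altman draws above (authentication succeeded, but the principal may not map to a local account) is exactly what separates the `232 ... is authorized as` reply from the `331 ... is not authorized as ...; Password required` reply in the FTP sessions. The following Python sketch is an added illustration, not code from the thread or from MIT Kerberos: it models the check that Kerberized daemons make through krb5_kuserok() (MIT semantics: if `~user/.k5login` exists the principal must be listed in it, otherwise a single-component principal in the default realm maps to the local account of the same name). The host state (`LOCAL_ACCOUNTS`, `K5LOGIN_FILES`), the separate "no local account" message, and `real_account_exists()` are assumptions made here to keep the two failure reasons visible; a real daemon typically reports both as a single "not authorized" reply.

```python
import pwd

# Constructed sample state for a host such as lukesky.epiluke.it.
# These are illustrative assumptions, not facts taken from the thread.
DEFAULT_REALM = "EPILUKE.IT"
LOCAL_ACCOUNTS = {"root", "lukesky"}   # accounts present in the host's passwd database
K5LOGIN_FILES = {}                     # local user -> set of principals in ~user/.k5login


def principal_maps_to_user(principal, user, default_realm, k5login=None):
    """Approximation of krb5_kuserok(): may `principal` act as local account `user`?

    - If ~user/.k5login exists, the principal must be listed in it (MIT krb5
      additionally requires the file to be owned by the user and not writable
      by others; that ownership check is not modelled here).
    - Otherwise the default mapping applies: a single-component principal in
      the default realm maps to the local account of the same name.
    """
    if k5login is not None:
        return principal in k5login
    name, sep, realm = principal.partition("@")
    return sep == "@" and realm == default_realm and "/" not in name and name == user


def authorize(principal, user, default_realm=DEFAULT_REALM,
              local_accounts=LOCAL_ACCOUNTS, k5login_files=K5LOGIN_FILES):
    """Mimic the daemon's authorization decision after GSSAPI authentication succeeded.

    Returns (authorized, message); the messages mirror the 232/331 FTP replies.
    """
    if user not in local_accounts:
        # Hypothetical split: a real daemon usually folds this into "not authorized".
        return False, f"no local account '{user}' on this host"
    if principal_maps_to_user(principal, user, default_realm, k5login_files.get(user)):
        return True, f"GSSAPI user {principal} is authorized as {user}"
    return False, f"GSSAPI user {principal} is not authorized as {user}; Password required."


def real_account_exists(user):
    """Check the live host: is there actually a passwd entry for `user`?"""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    # Case 1: lukesky@EPILUKE.IT logging in as the existing local user lukesky.
    print(authorize("lukesky@EPILUKE.IT", "lukesky"))
    # Case 2: romaluca@EPILUKE.IT, but the host has no account named romaluca.
    print(authorize("romaluca@EPILUKE.IT", "romaluca"))
    # Case 3: the same principal allowed into lukesky's account via ~lukesky/.k5login.
    k5 = {"lukesky": {"lukesky@EPILUKE.IT", "romaluca@EPILUKE.IT"}}
    print(authorize("romaluca@EPILUKE.IT", "lukesky", k5login_files=k5))
    # Case 4: a .k5login that omits the principal overrides the default name mapping.
    print(authorize("lukesky@EPILUKE.IT", "lukesky",
                    k5login_files={"lukesky": {"admin@EPILUKE.IT"}}))
```

When debugging a "not authorized" reply, the two things to check on the server are therefore whether the account named at the `Name (host:user):` prompt exists locally, and whether that account's `.k5login` (if any) lists the authenticated principal; neither is visible from the "accepts you" or "GSSAPI authentication succeeded" lines, which only report authentication.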