pamkrbval: KDC policy rejects request for this entry

Markus Moeller huaraz at moeller.plus.com
Wed Aug 27 14:30:32 EDT 2008


Can you check that AD and your HP system are time synchronised? Can you do 
a kinit unix_client with the correct password? Do you have the kvno binary 
on the HP platform? If so can you do a kvno 
host/unix_client.domain.host.com and compare the number with the one in the 
keytab?

Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture)?

Regards
Markus


<ricurtis at gmail.com> wrote in message 
news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668 at 56g2000hsm.googlegroups.com...
I have tried everyone's suggestions, but no joy - although I think I
can narrow down the problem somewhat...

After changing the default_t*_enctypes to be "RC4-HMAC" (and also
removing the lines altogether), I still get the same error...

In the Windows security log on the domain controller, I have a Failure
Audit with a result code from the request of 0xC which from some
searching at Microsoft suggests:
    Requested start time is later than end time
or Workstation login restrictions..

From a packet capture using Wireshark, in the AS-REQ packet there is an
entry "till: 1970-01-01 00:00:00 (UTC)"
It looks as though the requested lifetime of the packet here is in the
past...

Any suggestions around that?

Regards

Richard



On 26 Aug, 20:32, "Richard Curtis" <ricur... at gmail.com> wrote:
> According to the HP release notes (I have Kerberos Client C.1.3.5.05):
>
> The client libraries are based on MIT Kerberos V5 1.3.5 release. The
> KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
> RFC 1510 of the IETF. This release of Kerberos Client is interoperable
> with Microsoft Windows 2000 and 2003.
>
> I will try tomorrow when I am back in the office by setting the
> default_*_enctypes to RC4-HMAC... the strange thing is, the HP
> configuration guide I am following has a sample krb5.conf and only
> mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
> is no mention of RC4 in the whole document.
> I will try removing default_*_enctypes altogether as well, and failing
> that, will have a go with DES encryption only..
>
> If this turns out to be the solution, I will be over the moon... this
> has been dragging on for some time :)
>
> I will post back tomorrow with my results.. thanks for the replies so far 
> guys.
>
> Regards
>
> Richard
>
>
>
> On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller <hua... at moeller.plus.com> 
> wrote:
> > Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your 
> > configuration
> > assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based 
> > on
> > MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be 
> > DES
> > only. Secondly did you change the password of the unix_client user ? If 
> > not
> > please try to change the password once and re-extract the keytab.
>
> > Markus
>
> > "Richard Curtis" <ricur... at gmail.com> wrote in message
> >news:5745a7060808261135s26134f5bg495452c33920af1f at mail.gmail.com...
> >> Hi,
> >> I am trying to get an HPUX 11i box to authenticate against our
> >> active directory (Windows 2003r2) domain with kerberos but I am
> >> getting nowhere fast.
>
> >> As per the docs I have, I have created a user account in active
> >> directory, then used "ktpass -princ
> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM -mapuser unix_lient
> >> -pass <pass> -out c:\krb5.keytab"
> >> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> >> keep getting "KDC policy rejects request for this entry"
>
> >> I am guessing this is more of a Windows/AD config issue, but thought
> >> someone here might have seen this?
>
> >> cat /etc/krb5.conf
> >> [libdefaults]
> >> default_realm = DOMAIN.HOST.COM
> >> default_tgs_enctypes = DES-CBC-CRC
> >> default_tkt_enctypes = DES-CBC-CRC
> >> ccache_type = 2
> >> ticket_liftetime = 24000
> >> #dns_lookup_kdc = true
>
> >> [realms]
> >> DOMAIN.HOST.COM = {
> >> kdc = 2003_dc.domain.host.com
> >> kpasswd_server = 2003_dc.domain.host.com:464
> >> }
>
> >> [domain_realm]
> >> domain.host.com = DOMAIN.HOST.COM
> >> .domain.host.com = DOMAIN.HOST.COM
>
> >> [logging]
> >> default = FILE:/var/adm/krb5lib.log
> >> kdc = FILE:/var/adm/krb5kdc.log
> >> admin_server = FILE:/var/adm/kKDCmind.log
>
> >> [appdefaults]
> >> pam = {
> >> debug = false
> >> ticket_lifetime = 36000
> >> renew_lifetime = 36000
> >> forwardable = true
> >> krb4_convert = false
> >> }
>
> >> unix_client:/var/adm/syslog >pamkrbval -v
>
> >> Validating the pam configuration files
> >> ---------- --- --- ------------- -----
>
> >> Validating the /etc/pam.conf file
> >> [LOG] : The /etc/pam.conf files permissions are fine
> >> [LOG] : Opened : /etc/pam.conf
>
> >> [PASS] : The validation of config file: /etc/pam.conf passed
>
> >> [NOTICE] : The validation of config file: /etc/pam_user.conf is not 
> >> done
> >> as libpam_updbe library is not configured
>
> >> Validating the kerberos config file
> >> ---------- --- -------- ------ -----
> >> [PASS] : Initialization of kerberos passed
>
> >> Connecting to default Realm
> >> ---------- -- ------- -----
> >> [LOG] : The default realm is : DOMAIN.HOST.COM
> >> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
> >> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
> >> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
> >> [PASS] : Default Realm is issuing tickets
>
> >> Validating the keytab entry for the host service principal
> >> ---------- --- ------ ----- --- --- ---- ------- ---------
> >> [LOG] : Host unix_client, aka unix_client.domain.host.com.
> >> [LOG] : The default keytab name is : /etc/krb5.keytab
> >> [LOG] : Keytab file /etc/krb5.keytab is present
> >> [LOG] : Permissions on /etc/krb5.keytab are correct.
> >> Keytab entry
> >> Principal: host
> >> Host : unix_client.domain.host.com
> >> Realm : DOMAIN.HOST.COM
> >> Version : 23
> >> [LOG] : Pinging KDC to verify whether
> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM exists
> >> pamkrbval: KDC policy rejects request for this entry
> >> [WARNING] : The keytab entry for the host service principal
> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM is invalid
> >> [FAIL] : The keytab validation failed
>
> >> Validating the rc_host file for ownership
> >> -------- ------ ---- -------- ------ -----
> >> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
> >> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>
> >> unix_client:/var/adm/syslog >ktutil -i
> >> ktutil: rkt /etc/krb5.keytab
> >> ktutil: list
> >> slot KVNO Principal
> >> ---- ---- ---------------------------------------------------------------------
> >> 1 23 host/unix_client.dom... at DOMAIN.HOST.COM
> >> ktutil:
> >> ktutil: unix_client:/var/adm/syslog >
>
> >> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
> >> host/unix_client.domain.host.com
> >> kinit(v5): KDC policy rejects request while getting initial credentials
>
> >> Thanks in advance for any help
>
> >> Regards
>
> >> Richard
> >> ________________________________________________
> >> Kerberos mailing list Kerbe... at mit.edu
> >>https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
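Markus's check above is to run kvno against the host principal and compare the number the KDC reports with the KVNO stored in the keytab. The script below is an added example, not part of this thread and not HP's or MIT's tooling: it parses the MIT keytab file format (version 0x0502, the format ktutil reads), lists principal, KVNO and enctype per entry, reports entries whose KVNO differs from a KDC-reported value, and flags single-DES and RC4 keys. The keytab bytes and key material are constructed inline for the example; `build_entry` exists only to produce that sample data.

```python
"""Parse an MIT-format keytab (version 0x0502) and compare stored KVNOs with
the KVNO the KDC reports. Added example, not from the thread; the sample
keytab is constructed below and its key bytes are dummies."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4: worth flagging in a report


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string (realm or name component)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # a negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(body, off)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", body, off)
        off += 4 + keylen         # skip the key itself; only metadata is reported
        kvno = vno8
        if len(body) - off >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", body, off)
            if vno32:
                kvno = vno32
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, ts))
    return entries


def compare_kvno(entries, principal, kdc_kvno) -> List[KeytabEntry]:
    """Entries for `principal` whose KVNO differs from the KDC-reported one
    (the number `kvno host/...` prints)."""
    return [e for e in entries if e.principal == principal and e.kvno != kdc_kvno]


def weak_entries(entries) -> List[KeytabEntry]:
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def build_entry(principal, kvno, enctype, key, timestamp=0) -> bytes:
    """Serialise one keytab record; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


HOST_PRINC = "host/unix_client.domain.host.com@DOMAIN.HOST.COM"
# Constructed sample: an rc4-hmac key at kvno 23 (the KVNO in the thread's
# ktutil listing), a deleted slot, and a stale des-cbc-crc key at kvno 22.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(HOST_PRINC, 23, 23, b"\x11" * 16, 1219000000)
                 + struct.pack(">i", -6) + b"\x00" * 6
                 + build_entry(HOST_PRINC, 22, 1, b"\x22" * 8, 1218000000))

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print(f"{e.kvno:4d}  {e.enctype_name:24s} {e.principal}")
    for e in compare_kvno(ents, HOST_PRINC, kdc_kvno=23):
        print(f"KVNO mismatch: keytab has {e.kvno}, KDC reports 23 ({e.enctype_name})")
    for e in weak_entries(ents):
        print(f"weak enctype in keytab: {e.enctype_name} for {e.principal}")
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("/etc/krb5.keytab", "rb").read()` and pass the number printed by kvno(1) as `kdc_kvno`. A mismatch there is the symptom Markus's "change the password once and re-extract the keytab" advice addresses, since every password change on the AD account bumps the KVNO.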