pamkrbval: KDC policy rejects request for this entry

Douglas E. Engert deengert at anl.gov
Wed Aug 27 15:30:36 EDT 2008



Markus Moeller wrote:
> Can you check that AD and your HP system are time synchronised ?  Can you do 
> a kinit unix_client with the correct password ? Do you have the kvno binary 
> on the HP platform ? If so can you do a kvno 
> host/unix_client.domain.host.com and compare the number with the one in the 
> keytab ?
> 
> Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?

This could also be something to do with the use of 19700101000000Z
in the till field of the AS_REQ. This was not in RFC 1510, but is in RFC 4120.
It looks like the HP is adding this. AD 2003 may not accept it. I don't
have any client test code to see if this is an AD problem.

> 
> Regards
> Markus
> 
> 
> <ricurtis at gmail.com> wrote in message 
> news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668 at 56g2000hsm.googlegroups.com...
> I have tried everyones suggestions, but no joy - although I think I
> can narrow down the problem somewhat...
> 
> After changing the default_t*_enctypes to be "RC4-HMAC" (and also
> removing the lines altogether), I still get the same error...
> 
> In the Windows security log on the domain controller, I have a Failure
> Audit with a result code from the request of 0xC which from some
> searching at Microsoft suggests:
>     Requested start time is later than end time
> or Workstation login restrictions..
> 
> From a packet capture using Wireshark, in the AS-REQ packet there is an
> entry "till: 1970-01-01 00:00:00 (UTC)"
> It looks as though the requested lifetime of the packet here is in the
> past...
> 
> Any suggestions around that?
> 
> Regards
> 
> Richard
> 
> 
> 
> On 26 Aug, 20:32, "Richard Curtis" <ricur... at gmail.com> wrote:
>> According to the HP release notes (I have Kerberos Client C.1.3.5.05):
>>
>> The client libraries are based on MIT Kerberos V5 1.3.5 release. The
>> KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
>> RFC 1510 of the IETF. This release of Kerberos Client is interoperable
>> with Microsoft Windows 2000 and 2003.
>>
>> I will try tomorrow when I am back in the office by setting the
>> default_*_enctypes to RC4-HMAC... the strange thing is, the HP
>> configuration guide I am following has a sample krb5.conf and only
>> mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
>> is no mention of RC4 in the whole document.
>> I will try removing default_*_enctypes altogether as well, and failing
>> that, will have a go with DES encryption only..
>>
>> If this turns out to be the solution, I will be over the moon... this
>> has been dragging on for some time :)
>>
>> I will post back tomorrow with my results.. thanks for the replies so far 
>> guys.
>>
>> Regards
>>
>> Richard
>>
>>
>>
>> On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller <hua... at moeller.plus.com> 
>> wrote:
>>> Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your 
>>> configuration
>>> assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based 
>>> on
>>> MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be 
>>> DES
>>> only. Secondly did you change the password of the unix_client user ? If 
>>> not
>>> please try to change the password once and re-extract the keytab.
>>> Markus
>>> "Richard Curtis" <ricur... at gmail.com> wrote in message
>>> news:5745a7060808261135s26134f5bg495452c33920af1f at mail.gmail.com...
>>>> Hi,
>>>> I am trying to get an HPUX 11i box to authenticate against our
>>>> active directory (Windows 2003r2) domain with kerberos but I am
>>>> getting nowhere fast.
>>>> As per the docs I have, I have created a user account in active
>>>> directory, then used "ktpass -princ
>>>> host/unix_client.domain.host.... at DOMAIN.HOST.COM -mapuser unix_lient
>>>> -pass <pass> -out c:\krb5.keytab"
>>>> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
>>>> keep getting "KDC policy rejects request for this entry"
>>>> I am guessing this is more of a Windows/AD config issue, but thought
>>>> someone here might have seen this?
>>>> cat /etc/krb5.conf
>>>> [libdefaults]
>>>> default_realm = DOMAIN.HOST.COM
>>>> default_tgs_enctypes = DES-CBC-CRC
>>>> default_tkt_enctypes = DES-CBC-CRC
>>>> ccache_type = 2
>>>> ticket_liftetime = 24000
>>>> #dns_lookup_kdc = true
>>>> [realms]
>>>> DOMAIN.HOST.COM = {
>>>> kdc = 2003_dc.domain.host.com
>>>> kpasswd_server = 2003_dc.domain.host.com:464
>>>> }
>>>> [domain_realm]
>>>> domain.host.com = DOMAIN.HOST.COM
>>>> .domain.host.com = DOMAIN.HOST.COM
>>>> [logging]
>>>> default = FILE:/var/adm/krb5lib.log
>>>> kdc = FILE:/var/adm/krb5kdc.log
>>>> admin_server = FILE:/var/adm/kKDCmind.log
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>> unix_client:/var/adm/syslog >pamkrbval -v
>>>> Validating the pam configuration files
>>>> ---------- --- --- ------------- -----
>>>> Validating the /etc/pam.conf file
>>>> [LOG] : The /etc/pam.conf files permissions are fine
>>>> [LOG] : Opened : /etc/pam.conf
>>>> [PASS] : The validation of config file: /etc/pam.conf passed
>>>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not 
>>>> done
>>>> as libpam_updbe library is not configured
>>>> Validating the kerberos config file
>>>> ---------- --- -------- ------ -----
>>>> [PASS] : Initialization of kerberos passed
>>>> Connecting to default Realm
>>>> ---------- -- ------- -----
>>>> [LOG] : The default realm is : DOMAIN.HOST.COM
>>>> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
>>>> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
>>>> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
>>>> [PASS] : Default Realm is issuing tickets
>>>> Validating the keytab entry for the host service principal
>>>> ---------- --- ------ ----- --- --- ---- ------- ---------
>>>> [LOG] : Host unix_client, aka unix_client.domain.host.com.
>>>> [LOG] : The default keytab name is : /etc/krb5.keytab
>>>> [LOG] : Keytab file /etc/krb5.keytab is present
>>>> [LOG] : Permissions on /etc/krb5.keytab are correct.
>>>> Keytab entry
>>>> Principal: host
>>>> Host : unix_client.domain.host.com
>>>> Realm : DOMAIN.HOST.COM
>>>> Version : 23
>>>> [LOG] : Pinging KDC to verify whether
>>>> host/unix_client.domain.host.... at DOMAIN.HOST.COM exists
>>>> pamkrbval: KDC policy rejects request for this entry
>>>> [WARNING] : The keytab entry for the host service principal
>>>> host/unix_client.domain.host.... at DOMAIN.HOST.COM is invalid
>>>> [FAIL] : The keytab validation failed
>>>> Validating the rc_host file for ownership
>>>> -------- ------ ---- -------- ------ -----
>>>> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
>>>> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>>>> unix_client:/var/adm/syslog >ktutil -i
>>>> ktutil: rkt /etc/krb5.keytab
>>>> ktutil: list
>>>> slot KVNO Principal
>>>> ---- ---- ---------------------------------------------------------------------
>>>> 1 23 host/unix_client.dom... at DOMAIN.HOST.COM
>>>> ktutil:
>>>> ktutil: unix_client:/var/adm/syslog >
>>>> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
>>>> host/unix_client.domain.host.com
>>>> kinit(v5): KDC policy rejects request while getting initial credentials
>>>> Thanks in advance for any help
>>>> Regards
>>>> Richard
>>>> ________________________________________________
>>>> Kerberos mailing list Kerbe... at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
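The disagreement above is about how a KDC interprets a till field of 19700101000000Z: RFC 4120 (5.4.1) defines it as "no end time requested", while an RFC 1510-only KDC sees an end time in the past and answers with KDC_ERR_POLICY (12, the 0xC in the DC's failure audit). The following is an added illustration, not code from the thread or from HP/MIT; the KDC model is deliberately simplified and the lifetimes are constructed values.

```python
from datetime import datetime, timedelta, timezone

# KerberosTime is ASN.1 GeneralizedTime with whole seconds, e.g. 20080827193036Z
KRB_TIME_FMT = "%Y%m%d%H%M%SZ"
EPOCH_SENTINEL = "19700101000000Z"   # RFC 4120 5.4.1: "as long as policy permits"
KDC_ERR_POLICY = 12                 # 0xC: "KDC policy rejects request"

def parse_krb_time(s):
    """Decode a KerberosTime string into an aware UTC datetime."""
    return datetime.strptime(s, KRB_TIME_FMT).replace(tzinfo=timezone.utc)

def format_krb_time(dt):
    """Encode an aware datetime as a KerberosTime string."""
    return dt.astimezone(timezone.utc).strftime(KRB_TIME_FMT)

def kdc_endtime(till, now, max_life_seconds, rfc4120=True):
    """Model how a KDC evaluates the AS-REQ 'till' field (simplified, assumed).

    Returns (endtime, error). With rfc4120=True the epoch sentinel is treated
    as 'no end time requested'; with rfc4120=False (RFC 1510 semantics) it is
    an ordinary timestamp, which lies before the start time and is rejected.
    """
    max_life = timedelta(seconds=max_life_seconds)
    requested = parse_krb_time(till)
    if rfc4120 and till == EPOCH_SENTINEL:
        requested = now + max_life
    if requested <= now:                 # start time later than requested end time
        return None, KDC_ERR_POLICY
    return min(requested, now + max_life), None

def client_till(now, ticket_lifetime_seconds):
    """The till value a client sends when it requests an explicit lifetime."""
    return format_krb_time(now + timedelta(seconds=ticket_lifetime_seconds))

if __name__ == "__main__":
    now = parse_krb_time("20080827193036Z")          # constructed request time
    for mode in (True, False):
        print("rfc4120" if mode else "rfc1510", kdc_endtime(EPOCH_SENTINEL, now, 36000, mode))
    print("explicit till:", client_till(now, 36000))
```

Comparing the sentinel request against a KDC in each mode shows why the same AS-REQ can succeed against one KDC and fail with 0xC against another; sending an explicit till, as `client_till` does, is accepted by both.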


