sso problems
john smith
jsmithk08 at gmail.com
Tue Feb 12 11:45:52 EST 2008
hello folks,
I have gone through the mail archive for suggestions but I can't seem to make headway. I am not sure what I am missing. Am I supposed to export the contents of krb5.keytab and copy them to the client systems? I can't even log on to the kerb server; the ssh session just drops to the console.
Would appreciate some help on this.
thank you,
john
system: etch 32
-----------------
id will
uid=4301(will) gid=4301(will) groups=4301(will)
--------------------------
pam
grep krb5 /etc/pam.d/common-*
/etc/pam.d/common-account:account required pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-auth:auth sufficient pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-password:password sufficient pam_krb5.so minimum_uid=1000 forwardable
/etc/pam.d/common-session:session optional pam_krb5.so minimum_uid=1000 forwardable
---------------
/etc/ssh/sshd_config
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
-----
/etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
-------------
/etc/krb5.conf
[libdefaults]
default_realm = FOO.BAR.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
FOO.BAR.COM = {
kdc = foo.bar.com
admin_server = foo.bar.com
}
[domain_realm]
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
forwardable = true
pam = {
minimum_uid = 1000
}
--------
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
FOO.BAR.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth, +forwardable
kadmind_port = 749
}
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log
------------------------------------------
kadmin.local listprinc
K/M@FOO.BAR.COM
testuser@FOO.BAR.COM
host/test1.bar.com@FOO.BAR.COM
host/test2.bar.com@FOO.BAR.COM
host/test3.bar.com@FOO.BAR.COM
host/test4.bar.com@FOO.BAR.COM
kadmin/admin@FOO.BAR.COM
kadmin/changepw@FOO.BAR.COM
kadmin/history@FOO.BAR.COM
kadmin/foo.bar.com@FOO.BAR.COM
krbtgt/FOO.BAR.COM@FOO.BAR.COM
will/admin@FOO.BAR.COM
I have run ktadd -k /etc/krb5.keytab <hostname> for all the test clients on the kerbserver foo.bar.com.
I can run kinit will/admin on any of the client systems.
--------------------------------
test2:~# ssh will@test1 (fails)
test2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: will/admin@FOO.BAR.COM
Valid starting     Expires            Service principal
02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 02/13/08 08:05:42
02/12/08 08:05:53  02/12/08 18:05:45  host/test1.bar.com@FOO.BAR.COM
        renew until 02/13/08 08:05:42
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
test2:~#
--------------------
From /var/log/krb5kdc.log on the kerbserver foo:
Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes {rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for host/test3.bar.com@foo.bar.com
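The klist output in the post shows that a service ticket for host/test1.bar.com was issued, so the KDC side of the GSSAPI exchange is working; the remaining question is whether sshd on the target host will accept will/admin@FOO.BAR.COM as the local user will. The following is an added example, not code from the post or from the Kerberos project: a Python script that pulls the service tickets out of klist output and models the authorization rule that MIT krb5's krb5_kuserok() applies (an entry in ~user/.k5login, or the default single-component name mapping), using the post's values as constructed sample input with the archive's "at" written as "@".

```python
import re

# Constructed sample input: the post's klist output, with "@" restored.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: will/admin@FOO.BAR.COM
Valid starting     Expires            Service principal
02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 02/13/08 08:05:42
02/12/08 08:05:53  02/12/08 18:05:45  host/test1.bar.com@FOO.BAR.COM
        renew until 02/13/08 08:05:42
"""

# A ticket line: two timestamps followed by the service principal.
TICKET_RE = re.compile(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")

def parse_klist(text):
    """Return (default principal, set of service principals) from klist output."""
    default, services = None, set()
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            default = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            services.add(m.group(1))
    return default, services

def has_host_ticket(text, fqdn):
    """True if the cache holds a host/<fqdn>@REALM ticket, i.e. the TGS step succeeded."""
    return any(s.startswith("host/%s@" % fqdn) for s in parse_klist(text)[1])

def kuserok(principal, local_user, default_realm, k5login=None):
    """Model of MIT krb5_kuserok(): with a ~local_user/.k5login the principal must be
    listed in it; without one, the default aname_to_localname rule maps only a
    single-component principal in the default realm to the same local name, so a
    two-component principal such as will/admin@REALM never maps to 'will'."""
    if k5login is not None:
        return principal in {l.strip() for l in k5login.splitlines() if l.strip()}
    name, _, realm = principal.rpartition("@")
    return realm == default_realm and "/" not in name and name == local_user

def diagnose(text, fqdn, local_user, default_realm, k5login=None):
    """Walk the two client-visible checks and report the first one that fails."""
    principal, _ = parse_klist(text)
    if not has_host_ticket(text, fqdn):
        return "no service ticket for host/%s: check DNS name and keytab on %s" % (fqdn, fqdn)
    if not kuserok(principal, local_user, default_realm, k5login):
        return "%s is not authorized as %s: add it to ~%s/.k5login" % (principal, local_user, local_user)
    return "ok"
```

Run diagnose(KLIST_OUTPUT, "test1.bar.com", "will", "FOO.BAR.COM") to see which of the two checks fails for the post's ticket cache; pass the contents of the target user's .k5login as k5login to model the server-side file.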