sso problems

Richard E. Silverman res at qoxp.net
Tue Feb 12 15:47:16 EST 2008


> 
> hello folks,
> I have gone through the mail archive for suggestions but I can't seem
> to make headway. I am not sure what I am missing. Am I supposed to
> export the contents of krb5.keytab and copy them to the client systems?
> I can't even log on to the kerb server. The ssh session just drops to
> the console.
> 
> I would appreciate some help on this.
> 
> thank you,
> john
> 
> system: etch 32
> -----------------
> id will
> uid=4301(will) gid=4301(will) groups=4301(will)
> 
> --------------------------
> pam
> 
> grep krb5 /etc/pam.d/common-*
> /etc/pam.d/common-account:account   required   pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-auth:auth         sufficient pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-password:password sufficient pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-session:session   optional   pam_krb5.so minimum_uid=1000 forwardable
> 
> 
> 
> ---------------
> /etc/ssh/sshd_config
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> -----
> /etc/ssh/ssh_config
> 
>  GSSAPIAuthentication yes
>  GSSAPIDelegateCredentials yes
> 
> -------------
> 
> 
> /etc/krb5.conf
> [libdefaults]
>         default_realm = FOO.BAR.COM
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> 
> [realms]
>         FOO.BAR.COM = {
>                 kdc = foo.bar.com
>                 admin_server = foo.bar.com
>         }
> 
> [domain_realm]
> 
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
> [appdefaults]
>         forwardable = true
>         pam = {
>                 minimum_uid = 1000
>         }
> 
> 
> --------
> /etc/krb5kdc/kdc.conf
> [kdcdefaults]
>     kdc_ports = 750,88
> 
> [realms]
>     FOO.BAR.COM = {
>         database_name = /var/lib/krb5kdc/principal
>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>         acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/stash
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
>         default_principal_flags = +preauth, +forwardable
>         kadmind_port = 749
>     }
> 
> [logging]
>     kdc = FILE:/var/log/krb5kdc/kdc.log
>     admin_server = FILE:/var/log/krb5kdc/kadmin.log
> ------------------------------------------
> kadmin.local listprinc
> K/M@FOO.BAR.COM
> testuser@FOO.BAR.COM
> host/test1.bar.com@FOO.BAR.COM
> host/test2.bar.com@FOO.BAR.COM
> host/test3.bar.com@FOO.BAR.COM
> host/test4.bar.com@FOO.BAR.COM
> kadmin/admin@FOO.BAR.COM
> kadmin/changepw@FOO.BAR.COM
> kadmin/history@FOO.BAR.COM
> kadmin/foo.bar.com@FOO.BAR.COM
> krbtgt/FOO.BAR.COM@FOO.BAR.COM
> will/admin@FOO.BAR.COM
> 
> I have run ktadd -k /etc/krb5.keytab <hostname> for all the test
> clients on the kerbserver foo.bar.com
> 
> I can run kinit will/admin on any of the client systems.
> --------------------------------
> test2:~# ssh will@test1    (fails)
> 
> test2:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: will/admin@FOO.BAR.COM
> 
> Valid starting     Expires            Service principal
> 02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/FOO.BAR.COM@FOO.BAR.COM
>         renew until 02/13/08 08:05:42
> 02/12/08 08:05:53  02/12/08 18:05:45  host/test1.bar.com@FOO.BAR.COM
>         renew until 02/13/08 08:05:42

Your /admin principal will typically not be authorized for login to your
Unix account; the default rule authorizes foo@REALM to access the Unix
account "foo".  Use your regular principal, or if you really want to log
in with your admin principal, add both your regular and admin principals
to ~/.k5login on the server.

> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> test2:~#
> --------------------
> from /var/log/krb5kdc.log on the kerbserver foo.

> Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes {rep=16 tkt=16 ses=16}, will/admin@foo.bar.com for host/test3.bar.com@foo.bar.com

-- 
  Richard Silverman
  res at qoxp.net
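[Editor's added example, not part of the thread and not MIT krb5's own code.] The authorization step that is failing above is the one sshd runs after GSSAPI authentication succeeds: the server asks the Kerberos library whether the authenticated principal is allowed to become the requested Unix user (krb5_kuserok). The small Python model below reproduces the two rules Richard describes so the failure can be seen offline: without a ~/.k5login, only a single-component principal in the default realm maps to the account of the same name, so will/admin@FOO.BAR.COM never maps to "will"; once ~/.k5login exists it is an exact allow-list and the default rule is no longer consulted, which is why the file must list the regular principal as well. DEFAULT_REALM is taken from the krb5.conf in the thread; the function names and the constructed .k5login contents are this example's own assumptions, and no auth_to_local rules are assumed to be configured.

```python
"""Model of the Kerberos principal -> Unix account authorization decision.

This is an illustration written for this thread, not the MIT krb5 source.
It assumes the default name mapping (no auth_to_local rules) and models the
~/.k5login file purely by its text contents.
"""
from typing import List, Optional, Tuple

# Assumption: realm taken from the krb5.conf posted in the thread.
DEFAULT_REALM = "FOO.BAR.COM"


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'primary/instance@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("not a fully qualified principal: %r" % principal)
    return name.split("/"), realm


def default_localname(principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Default mapping rule used when no ~/.k5login exists.

    A one-component principal in the default realm maps to the Unix account
    of the same name.  A foreign realm, or an extra instance such as /admin,
    maps to nothing, so will/admin@FOO.BAR.COM never becomes 'will'.
    """
    components, realm = parse_principal(principal)
    if realm != default_realm or len(components) != 1:
        return None
    return components[0]


def k5login_allows(principal: str, k5login_text: str) -> bool:
    """~/.k5login is an explicit allow-list, one fully qualified principal
    per line.  Only principals listed verbatim pass; nothing else does."""
    return any(line.strip() == principal for line in k5login_text.splitlines())


def kuserok(principal: str, username: str, k5login_text: Optional[str] = None,
            default_realm: str = DEFAULT_REALM) -> bool:
    """May `principal` log in to the local account `username`?

    k5login_text is None when the user has no ~/.k5login; then the default
    mapping decides.  When the file exists it is authoritative and the
    default rule is not consulted at all.
    """
    if k5login_text is not None:
        return k5login_allows(principal, k5login_text)
    return default_localname(principal, default_realm) == username


def k5login_text_for(*principals: str) -> str:
    """Render the ~/.k5login contents that admit exactly the given principals."""
    return "".join(p + "\n" for p in principals)


if __name__ == "__main__":
    # Constructed scenario from the thread: on test2, 'will' holds a TGT for
    # will/admin@FOO.BAR.COM and runs 'ssh will@test1'.
    admin = "will/admin@FOO.BAR.COM"
    regular = "will@FOO.BAR.COM"

    # No ~/.k5login on test1: the /admin instance does not map to 'will'.
    print("admin, no .k5login:   ", kuserok(admin, "will"))
    # The plain principal maps by the default rule.
    print("regular, no .k5login: ", kuserok(regular, "will"))

    # Richard's fix: list BOTH principals in ~/.k5login on test1.
    both = k5login_text_for(regular, admin)
    print("admin, both listed:   ", kuserok(admin, "will", both))
    print("regular, both listed: ", kuserok(regular, "will", both))

    # The trap the advice avoids: listing only the admin principal locks the
    # regular one out, because the file replaces the default rule.
    only_admin = k5login_text_for(admin)
    print("regular, only admin:  ", kuserok(regular, "will", only_admin))
```

Two practical notes when applying this on the real server: the file belongs in the target account's home directory on the host being logged in to (test1 here, not the KDC), and MIT krb5 also refuses to trust a .k5login that is not owned by that account or by root, so create it as the user and keep it mode 0600 rather than copying it around as root with loose permissions.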