CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue
Damo Gets
dgetsman at amirehab.net
Mon Mar 24 09:55:42 EDT 2008

I have now verified that I have connections working between the two
test machines. Unfortunately it appears that I can only connect from
my server/kdc to the client machine utilizing kerberized services. I
am able to create and destroy tickets on each machine without any
problems. Currently I'm testing with the kerberized rsh & rlogin
clients found in the klogin, eklogin, and kshell packages for the
distributions.

I have now cached tickets on both machines for my primary and
secondary logins (just in case I'm not understanding something
correctly), i.e. on each machine I have cached tickets for
myuser at MYDOMAIN.COM and myuser/admin at MYDOMAIN.COM. Each machine has
the following in the /etc/krb5.keytab files:

SERVER:
KVNO Principal
-----------------------------------------
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM

CLIENT:
KVNO Principal
-----------------------------------------
8 host/myclient.mydomain.com at MYDOMAIN.COM
8 host/myclient.mydomain.com at MYDOMAIN.COM
8 host/myclient.mydomain.com at MYDOMAIN.COM
8 host/myclient.mydomain.com at MYDOMAIN.COM
4 host/myserver at mydomain.com@MYDOMAIN.COM
4 host/myserver at mydomain.com@MYDOMAIN.COM
4 host/myserver at mydomain.com@MYDOMAIN.COM
4 host/myserver at mydomain.com@MYDOMAIN.COM

When attempting a connection from the client to the server I receive
the following error:

foo at myclient:~$ rlogin -l myclient myserver
Couldn't authenticate to server: Server rejected authentication
(during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: Key table entry not found
Trying krb4 rlogin...
krb_sendauth failed: You have no tickets cached
trying normal rlogin (/usr/bin/netkit-rlogin)
exec: No such file or directory
foo at myclient:~$

Any assistance would be greatly appreciated. I'm pretty sure that
after this point I will be able to get on with kerberizing some other
machines on the network; it'll be nice to be able to test this on more
than just the two machines.
-Damon Getsman
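
An added example, not part of the original post: the service side of a kerberized login looks up its own host/ principal in the local keytab, so one check when the server reports "Key table entry not found" is whether that keytab lists host/<server FQDN>@REALM. The function names and the FQDN myserver.mydomain.com are assumptions; the sample listing is constructed from the SERVER listing in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample: the SERVER listing as it appears in the post above.
sample_server_listing() {
    cat <<'EOF'
KVNO Principal
-----------------------------------------
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM
3 host/myclient.mydomain.com at MYDOMAIN.COM
EOF
}

# Read plain `klist -k` style text on stdin and print unique
# "KVNO PRINCIPAL" pairs. The sed step undoes the list archive's " at "
# rewriting of "@"; header and separator lines are dropped by the awk filter.
keytab_entries() {
    sed -e 's/ at /@/g' |
        awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $1, $2 }' |
        sort -u
}

# has_host_principal FQDN REALM  (listing on stdin)
# Prints the KVNO(s) stored for host/FQDN@REALM; returns 1 if there is none.
has_host_principal() {
    want="host/$1@$2"
    keytab_entries | awk -v want="$want" '
        $2 == want { print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample. myserver.mydomain.com is an assumed FQDN.
# On a live host:
#   klist -k /etc/krb5.keytab | has_host_principal "$(hostname -f)" MYDOMAIN.COM
for h in myclient.mydomain.com myserver.mydomain.com; do
    if kvno=$(sample_server_listing | has_host_principal "$h" MYDOMAIN.COM); then
        echo "host/$h@MYDOMAIN.COM: present, KVNO $kvno"
    else
        echo "host/$h@MYDOMAIN.COM: not in this keytab"
    fi
done
```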