Problem with kerberos telnet option

keithsjohnston@gmail.com
Mon Jan 19 23:23:44 EST 2009


I am trying to set up a test KDC server and workstation.
After I did the setup I can log in as user5 using the Kerberos
password. But there still seems to be a problem.

When I telnet from station5 (Kerberos server) to station6
(workstation) I get the following error [krb5-telnet is on]:
-------------------------------
Waiting for encryption to be negotiated...

Negotiation of authentication, which is required for encryption,
has failed.  Good-bye.
---------------------------------------
When I log in to either station5 or station6 using the user5 Kerberos
password (login or ssh), everything seems to be working. But when I
ssh from station6 to station5 it requests another login. I
thought Kerberos would only require me to log in to station6 and then I
could ssh directly to station5 without re-entering the password.

Following are my krb5kdc.log messages, grouped by step.
After these are my /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf
files and my results from getprincs.

What I am trying to determine is what these log messages are telling
me and whether they give an indication of what may be my problem.

####### telnet from station5 to station6
####### telnet -Fxl user5 station6.example.com

Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM




###### Following are the messages in krb5kdc.log after an ssh login
###### from a computer outside the realm to
###### user5 at station6.example.com

Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM
Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM


##### this is after starting the ssh login from station6 to station5
##### ssh station5.example.com -l user5
##### password has not been entered

Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database

##### after password entry when ssh-ing from station6 to station5

Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for host/station5.example.com@STATION5.EXAMPLE.COM
Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for host/station5.example.com@STATION5.EXAMPLE.COM



#####following is my /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STATION5.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
STATION5.EXAMPLE.COM = {
  kdc = 192.168.1.5:88
  admin_server = 192.168.1.5:749
 }

[domain_realm]
 station5.example.com = STATION5.EXAMPLE.COM
 station6.example.com = STATION5.EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   validate = true
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

##### Following are the results of getprincs

Authenticating as principal root/admin@STATION5.EXAMPLE.COM with
password.
kadmin.local:  getprincs
K/M@STATION5.EXAMPLE.COM
host/station5.example.com@STATION5.EXAMPLE.COM
host/station6.example.com@STATION5.EXAMPLE.COM
kadmin/admin@STATION5.EXAMPLE.COM
kadmin/changepw@STATION5.EXAMPLE.COM
kadmin/history@STATION5.EXAMPLE.COM
kadmin/station5@STATION5.EXAMPLE.COM
krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
root/admin@STATION5.EXAMPLE.COM
user5@STATION5.EXAMPLE.COM


############Following is my /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
STATION5.EXAMPLE.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
#  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }





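Editor's note and added example (not part of the original message): the log excerpts above already name both problems. The six UNKNOWN_SERVER lines show station6 asking the KDC for host/station5@STATION5.EXAMPLE.COM, an unqualified host name, while getprincs lists only host/station5.example.com@STATION5.EXAMPLE.COM. The KDC cannot issue a service ticket for a principal it does not have, so the ssh client has nothing to offer for gssapi-with-mic and falls back to a password prompt; the later TGS_REQ for host/station5.example.com, after the password login, succeeds. Since the ssh command used the FQDN, the short name most likely comes from the client library canonicalizing the host name (an /etc/hosts entry listing the short name first, or reverse DNS). The telnet lines show the krb5-telnet client offering a single enctype, {1} (des-cbc-crc), and being issued a des-cbc-crc session key (ses=1) even though the tickets themselves are des3 (tkt=16). The following Python script, written for this page and not taken from the post or from MIT Kerberos, parses krb5kdc.log request lines and reports both conditions: requests for principals absent from the database, with the FQDN principal they most likely should have been, and tickets issued with single-DES session keys. Its sample input is the log lines and principal list from the post, re-joined one entry per line.

```python
"""Audit MIT krb5kdc.log entries for missing service principals and weak session keys.

Added example for this page; not code from the original post or from MIT Kerberos.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: KDC log lines copied from the post above, one entry per line.
SAMPLE_LOG = """\
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, user5@STATION5.EXAMPLE.COM for host/station6.example.com@STATION5.EXAMPLE.COM
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, user5@STATION5.EXAMPLE.COM for host/station5@STATION5.EXAMPLE.COM, Server not found in Kerberos database
Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, user5@STATION5.EXAMPLE.COM for host/station5.example.com@STATION5.EXAMPLE.COM
"""

# Principals listed by getprincs in the post (kadmin/* and K/M are not needed here).
KNOWN_PRINCIPALS = {
    "host/station5.example.com@STATION5.EXAMPLE.COM",
    "host/station6.example.com@STATION5.EXAMPLE.COM",
    "krbtgt/STATION5.EXAMPLE.COM@STATION5.EXAMPLE.COM",
    "user5@STATION5.EXAMPLE.COM",
}

# Enctype numbers as MIT krb5 prints them in the KDC log (RFC 3961/3962 assignments).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\skrb5kdc\[\d+\]\(\w+\):\s"
    r"(?P<req>AS_REQ|TGS_REQ)\s\(\d+ etypes \{(?P<offered>[^}]*)\}\)\s"
    r"(?P<ip>[\d.]+):\s(?P<status>[A-Z_]+):\s(?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")
SES_RE = re.compile(r"ses=(\d+)")


@dataclass
class Entry:
    ts: str
    req: str                   # AS_REQ or TGS_REQ
    ip: str                    # address the request came from
    status: str                # ISSUE, NEEDED_PREAUTH, UNKNOWN_SERVER, ...
    client: str
    server: str
    offered: tuple[int, ...]   # enctypes the client offered
    session_etype: int | None  # ses= value on ISSUE lines, else None


def parse_entry(line: str) -> Entry | None:
    """Parse one krb5kdc.log line; None for lines that are not request records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRINC_RE.search(m["rest"])
    if not p:
        return None
    s = SES_RE.search(m["rest"])
    return Entry(
        ts=m["ts"], req=m["req"], ip=m["ip"], status=m["status"],
        client=p["client"], server=p["server"],
        offered=tuple(int(x) for x in m["offered"].split()),
        session_etype=int(s.group(1)) if s else None,
    )


def suggest_principal(server: str, known: set[str]) -> str | None:
    """For an unqualified service principal (host/station5@REALM), return the FQDN
    principal of the same service and realm that does exist, if any."""
    service, _, rest = server.partition("/")
    host, _, realm = rest.partition("@")
    if not realm or "." in host:
        return None  # not a service principal, or already fully qualified
    for cand in sorted(known):
        if cand.startswith(f"{service}/{host}.") and cand.endswith(f"@{realm}"):
            return cand
    return None


def audit(log_text: str, known: set[str]) -> list[tuple[str, str, str]]:
    """Return (kind, server_principal, message) findings for a block of KDC log text."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.status == "UNKNOWN_SERVER":
            msg = f"{e.ts} {e.ip}: {e.client} requested {e.server}, which is not in the KDC database"
            hint = suggest_principal(e.server, known)
            if hint:
                msg += f"; the client probably resolved the host to its short name (expected {hint})"
            findings.append(("missing_principal", e.server, msg))
        elif e.status == "ISSUE" and e.session_etype in SINGLE_DES:
            offered = " ".join(str(x) for x in e.offered)
            name = ENCTYPE_NAMES.get(e.session_etype, str(e.session_etype))
            msg = (f"{e.ts} {e.ip}: ticket for {e.server} issued with single-DES session key "
                   f"{name}; client offered only {{{offered}}}")
            findings.append(("weak_session_key", e.server, msg))
    return findings


if __name__ == "__main__":
    for kind, _, msg in audit(SAMPLE_LOG, KNOWN_PRINCIPALS):
        print(f"[{kind}] {msg}")
```

Run it as-is to see the two findings from the sample, or pass the contents of /var/log/krb5kdc.log and the output of getprincs to audit(). When it reports a short-name principal for which the FQDN principal exists, the fix is on the client's name resolution (check what `getent hosts 192.168.1.5` returns on station6, and consider `rdns = false` under [libdefaults] in krb5.conf so the library stops canonicalizing through reverse lookup) rather than adding a second host/ principal for the short name.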