Single Sign on not working

Jean-Christophe Gay jean-christophe.gay at dauphine.fr
Mon Mar 12 08:50:53 EDT 2012


On Mon, 5 Mar 2012 20:27:42 +0530,
Basil Kurian <basilkurian at gmail.com> wrote:

> > Kerberos doesn't remember credentials that way. You must first
> > obtain a TGT -- either manually using `kinit bkurian@SHADOW.COM`,
> > or by configuring the client system to do this upon logging in
> > locally.
> 
> [root at client ~]# kdestroy
> kdestroy: No credentials cache found while destroying cache
> [root at client ~]#
> [root at client ~]#
> [root at client ~]# kinit bkurian
> Password for bkurian@SHADOW.COM:
> [root at client ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: bkurian@SHADOW.COM
> 
> Valid starting     Expires            Service principal
> 03/05/12 20:25:09  03/06/12 20:25:09  krbtgt/SHADOW.COM@SHADOW.COM
>     renew until 03/05/12 20:25:09
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Authentication is working, you can get a ticket. After your ssh attempt,
what is the result of klist on that machine?

And what is the hostname of the ssh server?

This problem may come from 3 problems (or more):
1 - You didn't create the host/ldap2.shadow.com@SHADOW.COM principal
correctly.
2 - You didn't dispatch the correct keytab on that server.
3 - The hostname of that server isn't matching the principal name in
the KDC database.

Also, can you, after a successful ssh on ldap2.shadow.com, obtain a TGT
from the KDC with that user?

-- 
Jean-Christophe Gay -- Université Paris Dauphine
Information Systems Security Officer
Tel: 01 44 05 45 04
jean-christophe.gay at dauphine.fr
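As an added example that is not part of the original thread, the POSIX sh script below checks, on the ssh server, for the three causes listed in the reply above: the host principal missing from the KDC, the keytab not holding that principal, and the server's hostname not matching the principal name. The hostname ldap2.shadow.com and realm SHADOW.COM are taken from the thread; the keytab path /etc/krb5.keytab, the sample `klist -k` listings and the sample `kvno` error text are constructed for this example, and MIT Kerberos command names and error messages are assumed.

```shell
#!/bin/sh
# Added example, not from the original thread.  Checks on the ssh server for
# the three causes listed in the reply above.  ldap2.shadow.com and SHADOW.COM
# come from the thread; the keytab path, the sample `klist -k` listings and the
# sample kvno error text are constructed here (MIT Kerberos tooling assumed).

KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # assumption: default system keytab

# Principal sshd's GSSAPI code looks up in the keytab: host/<fqdn>@<REALM>.
expected_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Cause 2: is principal $1 present in the `klist -k` listing passed as $2?
# Only the Principal column is compared, so KVNO and header lines are ignored.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Cause 3: list the distinct host/ principals actually in the listing, so a
# short-name vs FQDN mismatch (host/ldap2 vs host/ldap2.shadow.com) is visible.
list_host_principals() {
    printf '%s\n' "$1" | awk '$2 ~ /^host\// && !seen[$2]++ { print $2 }'
}

# Cause 1: classify the stderr of `kvno host/<fqdn>@<REALM>` run from a client
# that holds a TGT.  "Server not found in Kerberos database" means the KDC has
# no principal of that name (not created, or created under another name).
diagnose_kvno_error() {
    case $1 in
        "") echo ok ;;
        *"Server not found in Kerberos database"*) echo principal-missing ;;
        *"Cannot find KDC"*) echo kdc-unreachable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample listings in the shape `klist -k` prints: one correct,
# one where the keytab was cut for the short hostname only.
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.shadow.com@SHADOW.COM
   2 host/ldap2.shadow.com@SHADOW.COM'

SAMPLE_KEYTAB_SHORTNAME='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2@SHADOW.COM
   2 host/ldap2@SHADOW.COM'

# Live run on the ssh server (only when invoked with --live):
#   sh check_host_principal.sh --live SHADOW.COM
live_check() {
    realm=$1
    fqdn=$(hostname -f)
    want=$(expected_host_principal "$fqdn" "$realm")
    echo "hostname -f        : $fqdn"
    echo "expected principal : $want"
    listing=$(klist -k "$KEYTAB" 2>&1) || { echo "cannot read $KEYTAB: $listing"; return 2; }
    if keytab_has_principal "$want" "$listing"; then
        echo "keytab             : OK, $want is in $KEYTAB"
    else
        echo "keytab             : MISSING $want; host/ entries present:"
        list_host_principals "$listing" | sed 's/^/    /'
        return 1
    fi
    # Ask the KDC for a service ticket to that principal using the current TGT;
    # only stderr is captured so the message can be classified.
    err=$(kvno "$want" 2>&1 >/dev/null)
    echo "KDC lookup         : $(diagnose_kvno_error "$err")"
}

case ${1:-} in
    --live) live_check "${2:-SHADOW.COM}" ;;
esac
```

Run it with `--live` on ldap2.shadow.com after `kinit` as the user; a MISSING result with a `host/ldap2@SHADOW.COM` entry listed points at cause 3 (hostname vs. principal name), an empty host/ list at cause 2 (wrong keytab on the server), and a `principal-missing` KDC lookup at cause 1.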


