Single Sign on not working
Basil Kurian
basilkurian@gmail.com
Mon Mar 12 10:24:46 EDT 2012
It was the problem with the hostname set on the ldap2.shadow.com server.
The command 'hostname -f' was not returning the Fully Qualified Domain Name of
the machine. When I fixed it, the issue with Single Sign On was fixed.
This was the erroneous output
[root@ldap2 pam.d]# hostname
ldap2.shadow.com
[root@ldap2 pam.d]# hostname -f
ldap2
Also I had some misconceptions about how Single Sign On works. Now they are
cleared up.
[root@krb-client ~]# kinit bkurian
Password for bkurian@SHADOW.COM:
[root@krb-client ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bkurian@SHADOW.COM
Valid starting     Expires            Service principal
03/06/12 12:50:38  03/07/12 12:50:38  krbtgt/SHADOW.COM@SHADOW.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@krb-client ~]#
[root@krb-client ~]# ssh bkurian@krb-ldap.shadow.com
Last login: Tue Mar 6 12:50:19 2012 from krb-client.shadow.com
[bkurian@krb-ldap ~]$
Thanks a lot for all the help.
On 12 March 2012 18:20, Jean-Christophe Gay <jean-christophe.gay@dauphine.fr> wrote:
> On Mon, 5 Mar 2012 20:27:42 +0530,
> Basil Kurian <basilkurian@gmail.com> wrote:
>
> > > Kerberos doesn't remember credentials that way. You must first
> > > obtain a TGT -- either manually using `kinit bkurian@SHADOW.COM`,
> > > or by configuring the client system to do this upon logging in
> > > locally.
> >
> > [root@client ~]# kdestroy
> > kdestroy: No credentials cache found while destroying cache
> > [root@client ~]#
> > [root@client ~]#
> > [root@client ~]# kinit bkurian
> > Password for bkurian@SHADOW.COM:
> > [root@client ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: bkurian@SHADOW.COM
> >
> > Valid starting     Expires            Service principal
> > 03/05/12 20:25:09  03/06/12 20:25:09  krbtgt/SHADOW.COM@SHADOW.COM
> >         renew until 03/05/12 20:25:09
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
>
> Authentication is working, you can get a ticket. After your ssh attempt,
> what is the result of klist on that machine?
>
> And, what is the hostname of the ssh server?
>
> This problem may come from 3 problems (or more):
> 1 - You didn't create the host/ldap2.shadow.com@SHADOW.COM principal
> correctly.
> 2 - You didn't dispatch the correct keytab on that server.
> 3 - The hostname of that server isn't matching the principal name in
> the KDC database.
>
> Also, can you, after a successful ssh on ldap2.shadow.com, obtain a TGT
> from the KDC with that user?
>
> --
> Jean-Christophe Gay -- Université Paris Dauphine
> Information Systems Security Officer
> Tel : 01 44 05 45 04
> jean-christophe.gay@dauphine.fr
>
--
Regards
Basil
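The three causes Jean-Christophe lists (host principal not created, keytab not dispatched, hostname not matching the principal) can be checked in one place on the ssh server. The following script is an added example, not code from the thread or from MIT Kerberos: it parses the output of `klist -k` and compares it with the machine's FQDN, using a constructed keytab listing for the offline check; the realm SHADOW.COM and the host name are taken from the thread.

```python
"""Check that the host keytab on an ssh server matches its FQDN (added example)."""
import re
import socket
import subprocess

# Constructed sample of `klist -k /etc/krb5.keytab` output, not a real keytab.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.shadow.com@SHADOW.COM
   2 host/ldap2.shadow.com@SHADOW.COM
"""


def keytab_principals(klist_output: str) -> set:
    """Return the set of principal names listed by `klist -k`."""
    principals = set()
    for line in klist_output.splitlines():
        # Entry lines look like "   2 host/ldap2.shadow.com@SHADOW.COM".
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_host_principal(fqdn: str, realm: str, klist_output: str) -> list:
    """Return a list of problems found; an empty list means the host looks sane."""
    problems = []
    if "." not in fqdn:
        # This is the failure in the thread: `hostname -f` returned "ldap2",
        # so the principal derived from it cannot match host/ldap2.shadow.com@REALM.
        problems.append(f"hostname -f returned a short name ({fqdn!r}), not an FQDN")
    expected = f"host/{fqdn.lower()}@{realm.upper()}"
    principals = keytab_principals(klist_output)
    if expected not in principals:
        # Covers both "principal never created" and "keytab not dispatched".
        found = sorted(p for p in principals if p.startswith("host/"))
        problems.append(f"{expected} not in keytab; host principals present: {found}")
    return problems


def main() -> None:
    # Live check on this machine: socket.getfqdn() is what `hostname -f` reports.
    out = subprocess.run(["klist", "-k"], capture_output=True, text=True).stdout
    for line in check_host_principal(socket.getfqdn(), "SHADOW.COM", out) or ["OK"]:
        print(line)


if __name__ == "__main__":
    main()
```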