Kerberos Single sign on not working

kannan rbk kannanrbk.r at gmail.com
Tue May 28 00:19:14 EDT 2013


Hi,

I think I am a little short on the problem. Thanks for your useful
debugging info. I am trying to connect to the host "kannan", but in the
Kerberos log it tries to connect to "dineshbabu". I pinged the host address
"dineshbabu"; it was not resolved. I also added the host entry for "kannan"
to /etc/hosts. Here is the Kerberos trace log:

Getting credentials kumar at ZMEDIA.ULTRASOUND.COM -> host/dineshbabu.zmedia.ultrasound.com at ZMEDIA.ULTRASOUND.COM using ccache FILE:/tmp/krb5cc_845_F19364
Retrieving kumar at ZMEDIA.ULTRASOUND.COM -> host/dineshbabu.zmedia.ultrasound.com at ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364 with result: -1765328243/Matching credential not found
Retrieving kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364 with result: 0/success
Found cached TGT for service realm: kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM
Requesting tickets for host/dineshbabu.zmedia.ultrasound.com at ZMEDIA.ULTRASOUND.COM, referrals on
Generated subkey for TGS request: aes256-cts/E32A
etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
Sending request (784 bytes) to ZMEDIA.ULTRASOUND.COM
Sending initial UDP request to dgram 192.168.15.201:88
Received answer from dgram 192.168.15.201:88
Response was not from master KDC
TGS reply is for kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM with session key aes256-cts/8082
TGS request result: 0/success
Removing kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364
Storing kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM in FILE:/tmp/krb5cc_845_F19364
Following referral TGT krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM
Requesting tickets for host/dineshbabu.zmedia.ultrasound.com at ZMEDIA.ULTRASOUND.COM, referrals on
Generated subkey for TGS request: aes256-cts/91E3
etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
Sending request (804 bytes) to ZMEDIA.ULTRASOUND.COM
Sending initial UDP request to dgram 192.168.15.201:88
Received answer from dgram 192.168.15.201:88
Response was not from master KDC
TGS reply is for kumar at ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULTRASOUND.COM at ZMEDIA.ULTRASOUND.COM with session key aes256-cts/C121
TGS request result: 0/success


Regards,

Bharathi kannan R



On Tue, May 28, 2013 at 6:11 AM, Greg Hudson <ghudson at mit.edu> wrote:

> I don't know what's wrong, but I have some ideas for gathering more
> information.  From what you've posted, it appears that:
>
> 1. kinit can send an AS request to the realm's KDC (because kinit works)
> 2. kinit can receive an AS reply from the realm's KDC (because kinit works)
> 3. ssh can send a TGS request to the realm's KDC (because the request
> appears in the log)
> 4. ssh cannot receive a TGS reply from the realm's KDC (because of the
> error message in the ssh -v output).
>
> Some things which might help determine what's wrong:
>
> * Set the KRB5_TRACE environment variable to a filename before running
> kinit and then ssh.  Comparing the resulting trace output may determine
> if ssh is somehow behaving differently from kinit.
>
> * Run "kvno host/remote-hostname" to see if you can successfully make
> TGS requests from a program other than ssh.
>
> On 05/27/2013 04:02 PM, kannan rbk wrote:
> > Dear team,
> > I am using Kerberos 5. I configured single sign-on in ssh. I had a ticket
> > but I cannot log in without a password.
> > I changed "GSSAPIAuthentication yes" in sshd_config and
> > "GSSAPIAuthentication yes,GSSDelegateCredentials yes" in ssh_config.
> > Error Trace From "ssh -v"
> > Cannot connect any kdc server
> >
> > It's repeated 3 times. In the Kerberos server log, it requests TGS request 4
> > times. I am trying to ssh to a CentOS machine from Ubuntu. kinit is working
> > fine. I am able to log in without a password from CentOS to Ubuntu.
> >
> > Please help me.
> >
> > Regards,
> > Bharathi Kannan R
> >
> >
>
>


-- 
Regards,

Bharathikannan R
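
An added example, not part of the original messages: a small Python parser that summarises a KRB5_TRACE log of the kind posted above, listing the service principals requested and the principals the TGS replies were issued for, and flagging a requested host that differs from the one typed. The sample trace, the names in it and the function summarize_trace are constructed for illustration; the line shapes assumed are the ones shown in the trace in this message.

```python
import re

# Constructed sample trace (placeholder names), using the line shapes seen in
# the trace above. Real traces write "user@REALM"; the list archive shows " at ".
SAMPLE_TRACE = """\
Getting credentials alice@EXAMPLE.COM -> host/serverb.example.com@EXAMPLE.COM using ccache FILE:/tmp/krb5cc_1000
Requesting tickets for host/serverb.example.com@EXAMPLE.COM, referrals on
TGS reply is for alice@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM with session key aes256-cts/0001
TGS request result: 0/success
Requesting tickets for host/serverb.example.com@EXAMPLE.COM, referrals on
TGS reply is for alice@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM with session key aes256-cts/0002
TGS request result: 0/success
"""

PRINC = r"(\S+?)(?:@| at )\S+?"   # captures the name part, skips the realm
REQ_RE = re.compile(r"Requesting tickets for " + PRINC + r",")
REPLY_RE = re.compile(r"TGS reply is for .*? -> " + PRINC + r" with session key")


def summarize_trace(trace, typed_host):
    """List requested service principals and TGS reply targets; flag mismatches."""
    # Undo mail re-wrapping: collapse whitespace, rejoin "host/ name" splits.
    flat = re.sub(r"\s+", " ", trace).replace("/ ", "/")
    requested = [m.group(1) for m in REQ_RE.finditer(flat)]
    replies = [m.group(1) for m in REPLY_RE.finditer(flat)]
    findings = []
    for svc in sorted(set(requested)):
        # Compare only the short host name, so "kannan" matches "kannan.example.com".
        short = svc.split("/", 1)[-1].split(".")[0].lower()
        if short != typed_host.split(".")[0].lower():
            findings.append(f"requested {svc} but the host typed was {typed_host}")
        if svc not in replies:
            findings.append(f"no TGS reply in the trace is for {svc}")
    referral_tgts = sum(1 for r in replies if r.startswith("krbtgt/"))
    return {"requested": requested, "replies": replies,
            "referral_tgts": referral_tgts, "findings": findings}


if __name__ == "__main__":
    report = summarize_trace(SAMPLE_TRACE, "servera")
    print("requested:", sorted(set(report["requested"])))
    print("krbtgt replies:", report["referral_tgts"])
    for line in report["findings"]:
        print("FINDING:", line)
```

Run against a trace captured with KRB5_TRACE set to a file, passing the host name that was given to ssh as typed_host.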

