ubuntu16.04 and /etc/krb5.conf

Todd Grayson tgrayson at cloudera.com
Thu Jun 16 09:42:09 EDT 2016


From what I'm seeing, this is more likely tied to the configuration
requirements for setting up a host to support authentication for ssh via
Kerberos.  Showing your krb5.conf would help (I suggest replacing internal
hostnames and realms when sharing this kind of info).

Most likely the settings for resolving the KDC through DNS are set
( dns_lookup_realm = true, dns_lookup_kdc = true ) for the reason why you
do not need a realm entry in your krb5.conf.


This discussion explains what needs to be in place for you to be able to
set up client authentication for SSH on Ubuntu:

https://help.ubuntu.com/community/SingleSignOn#Client_Configuration

Most specifically, did you create the host principal in the KDC for the new
host you are trying to access?

On Thu, Jun 16, 2016 at 7:09 AM, Giuseppe Mazza <g.mazza at imperial.ac.uk>
wrote:

> (I apologize for my long email)
>
> I am going to try to provide some feedback:
> #
> # my (not) working scenario...
> #
> 1] Linux kerberos server:
> Ubuntu 14.04.4 LTS \n \l
> ii  krb5-kdc          1.12+dfsg-2ub amd64         MIT Kerberos key
> server (KDC)
>
> 2.a] Ubuntu 16.04 linux client, called futurama.doc.ic.ac.uk:
> ii  krb5-user          1.13.2+dfsg-5  amd64          Basic programs to
> authenticate using MIT K
>
>
> 2.b] Ubuntu 14.04 linux client, called bee.doc.ic.ac.uk:
> ii  krb5-user         1.12+dfsg-2ub amd64         Basic programs to
> authenticate using MIT
>
> 3] same /etc/krb5.conf on both clients, i.e. no hardcoded hostnames of
> my dc's.
>
> 4] I will be using my two accounts, gmazza at IC.AC.UK (user in the Windows
> DC) and gmazza2 at DOC.IC.AC.UK (user in kerberos realm).
>
> The things I will describe work for bee.doc.ic.ac.uk, but not
> for futurama.doc.ic.ac.uk. In particular I have noticed the things below:
>
> - it works:
> gmazza2 at futurama:~$ ssh gmazza2 at futurama
>
> - it does not work:
> gmazza2 at futurama:~$ ssh gmazza at futurama
> gmazza at futurama's password:
> Permission denied, please try again.
> gmazza at futurama's password:
>
> - it works:
> gmazza2 at futurama:~$ export KRB5_TRACE=/dev/stdout
> gmazza2 at futurama:~$ kinit gmazza at IC.AC.UK
> [325] 1466081998.890390: Getting initial credentials for gmazza at IC.AC.UK
> [325] 1466081998.890912: Sending request (169 bytes) to IC.AC.UK
> [325] 1466081998.894103: Resolving hostname icads43.ic.ac.uk.
> [325] 1466081998.896228: Sending initial UDP request to dgram
> 129.31.100.150:88
> [325] 1466081998.899013: Received answer (174 bytes) from dgram
> 129.31.100.150:88
> [325] 1466081998.900138: Response was not from master KDC
> [325] 1466081998.900216: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [325] 1466081998.900281: Processing preauth types: 16, 15, 19, 2
> [325] 1466081998.900308: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> Password for gmazza at IC.AC.UK: debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
>
> [325] 1466082004.103603: AS key obtained for encrypted timestamp:
> aes256-cts/1F56
> [325] 1466082004.103637: Encrypted timestamp (for 1466082003.328534):
> plain 301AA011180F32303136303631363133303030335AA1050203050356,
> encrypted
>
> C915E62DB9E0CE17F45BA2FDABB44DEF69EF02DAE0ADF1138204A1D114B27FF0AE505BB410C1FCB00E0F31BFE6939ED3E7B2C68B9C52FDA4
> [325] 1466082004.103654: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [325] 1466082004.103657: Produced preauth for next request: 2
> [325] 1466082004.103668: Sending request (247 bytes) to IC.AC.UK
> [325] 1466082004.106120: Resolving hostname icads39.ic.ac.uk.
> [325] 1466082004.106383: Sending initial UDP request to dgram
> 155.198.63.21:88
> [325] 1466082004.110203: Received answer (88 bytes) from dgram
> 155.198.63.21:88
> [325] 1466082004.111234: Response was not from master KDC
> [325] 1466082004.111262: Received error from KDC: -1765328332/Response
> too big for UDP, retry with TCP
> [325] 1466082004.111268: Request or response is too big for UDP;
> retrying with TCP
> [325] 1466082004.111281: Sending request (247 bytes) to IC.AC.UK (tcp
> only)
> [325] 1466082004.112344: Resolving hostname icads44.ic.ac.uk.
> [325] 1466082004.113626: Initiating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.114123: Sending TCP request to stream 129.31.47.2:88
> [325] 1466082004.117400: Received answer (2689 bytes) from stream
> 129.31.47.2:88
> [325] 1466082004.117416: Terminating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.118434: Response was not from master KDC
> [325] 1466082004.118467: Processing preauth types: 19
> [325] 1466082004.118475: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> [325] 1466082004.118480: Produced preauth for next request: (empty)
> [325] 1466082004.118489: AS key determined by preauth: aes256-cts/1F56
> [325] 1466082004.118538: Decrypted AS reply; session key is:
> aes256-cts/5BA4
> [325] 1466082004.118555: FAST negotiation: unavailable
> [325] 1466082004.118578: Initializing FILE:/tmp/krb5cc_868_TQFkWp with
> default princ gmazza at IC.AC.UK
> [325] 1466082004.118635: Storing gmazza at IC.AC.UK ->
> krbtgt/IC.AC.UK at IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [325] 1466082004.118662: Storing config in FILE:/tmp/krb5cc_868_TQFkWp
> for krbtgt/IC.AC.UK at IC.AC.UK: pa_type: 2
> [325] 1466082004.118684: Storing gmazza at IC.AC.UK ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IC.AC.UK\@IC.AC.UK at X-CACHECONF: in
> FILE:/tmp/krb5cc_868_TQFkWp
>
> gmazza2 at futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza at IC.AC.UK
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/IC.AC.UK at IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> - it does not work:
> gmazza2 at futurama:~$ ssh gmazza2 at futurama
> [375] 1466082089.872003: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.872158: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.872299: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.872397: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872489: Retrieving gmazza at IC.AC.UK ->
> krbtgt/IC.AC.UK at IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with result:
> 0/Success
> [375] 1466082089.872507: Starting with TGT for client realm:
> gmazza at IC.AC.UK -> krbtgt/IC.AC.UK at IC.AC.UK
> [375] 1466082089.872611: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872628: Requesting TGT krbtgt/DOC.IC.AC.UK at IC.AC.UK
> using TGT krbtgt/IC.AC.UK at IC.AC.UK
> [375] 1466082089.872694: Generated subkey for TGS request: aes256-cts/36BD
> [375] 1466082089.872848: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.873071: Encoding request body and padata into FAST request
> [375] 1466082089.873237: Sending request (2863 bytes) to IC.AC.UK
> [375] 1466082089.875549: Resolving hostname icads44.ic.ac.uk.
> [375] 1466082089.876375: Sending initial UDP request to dgram
> 129.31.47.2:88
> [375] 1466082089.878367: Received answer (311 bytes) from dgram
> 129.31.47.2:88
> [375] 1466082089.879374: Response was not from master KDC
> [375] 1466082089.879420: Decoding FAST response
> [375] 1466082089.879497: Request or response is too big for UDP;
> retrying with TCP
> [375] 1466082089.879512: Sending request (2863 bytes) to IC.AC.UK (tcp
> only)
> [375] 1466082089.880644: Resolving hostname icads43.ic.ac.uk.
> [375] 1466082089.881101: Initiating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.881629: Sending TCP request to stream 129.31.100.150:88
> [375] 1466082089.883386: Received answer (2758 bytes) from stream
> 129.31.100.150:88
> [375] 1466082089.883408: Terminating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.884435: Response was not from master KDC
> [375] 1466082089.884481: Decoding FAST response
> [375] 1466082089.884661: FAST reply key: aes256-cts/C91B
> [375] 1466082089.884730: TGS reply is for gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at IC.AC.UK with session key des-cbc-crc/A617
> [375] 1466082089.884819: TGS request result: 0/Success
> [375] 1466082089.884838: Storing gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.884915: Received TGT for service realm:
> krbtgt/DOC.IC.AC.UK at IC.AC.UK
> [375] 1466082089.884927: Requesting tickets for
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, referrals on
> [375] 1466082089.884955: Generated subkey for TGS request: des-cbc-crc/14B2
> [375] 1466082089.885000: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.885099: Encoding request body and padata into FAST request
> [375] 1466082089.885228: Sending request (2832 bytes) to DOC.IC.AC.UK
> (tcp only)
> [375] 1466082089.885263: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.885710: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886276: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886314: Resolving hostname kerberos1.doc.ic.ac.uk
> [375] 1466082089.886738: Initiating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887249: Terminating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887270: Resolving hostname kerberos2.doc.ic.ac.uk
> [375] 1466082089.887611: Initiating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.888136: Terminating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.889673: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.889789: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.889906: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.890009: Retrieving gmazza at IC.AC.UK ->
> krbtgt/DOC.IC.AC.UK at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp with
> result: 0/Success
> [375] 1466082089.890024: Found cached TGT for service realm:
> gmazza at IC.AC.UK -> krbtgt/DOC.IC.AC.UK at IC.AC.UK
> [375] 1466082089.890033: Requesting tickets for
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, referrals on
> [375] 1466082089.890062: Generated subkey for TGS request: des-cbc-crc/B04E
> [375] 1466082089.890113: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.890252: Encoding request body and padata into FAST request
> [375] 1466082089.890394: Sending request (2832 bytes) to DOC.IC.AC.UK
> [375] 1466082089.890446: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.890897: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891502: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891525: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.891874: Sending initial UDP request to dgram
> 146.169.1.157:750
> [375] 1466082089.893602: Received answer (861 bytes) from dgram
> 146.169.1.157:750
> [375] 1466082089.894766: Response was not from master KDC
> [375] 1466082089.894812: Decoding FAST response
> [375] 1466082089.894897: FAST reply key: des-cbc-crc/EE43
> [375] 1466082089.894953: TGS reply is for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK with session key aes256-cts/4216
> [375] 1466082089.894987: TGS request result: 0/Success
> [375] 1466082089.894997: Received creds for desired service
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.895012: Storing gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.895181: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 683096606, subkey
> aes256-cts/1E3F, session key aes256-cts/4216
> [375] 1466082089.896680: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.896837: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.896953: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.897036: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 249884086, subkey
> aes256-cts/FDB1, session key aes256-cts/4216
> [375] 1466082089.898397: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
> [375] 1466082089.898517: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898630: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898760: Getting credentials gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898865: Retrieving gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for gmazza at IC.AC.UK ->
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK, seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2 at futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2 at futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gmazza at IC.AC.UK
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/IC.AC.UK at IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29  17/06/16 00:00:04  krbtgt/DOC.IC.AC.UK at IC.AC.UK
>         renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29  17/06/16 00:00:04
> host/futurama.doc.ic.ac.uk at DOC.IC.AC.UK
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza at futurama"
> gmazza2 at futurama:~$ export KRB5_TRACE=
> gmazza2 at futurama:~$ ssh gmazza at futurama uptime
>   14:02:58 up 21:31,  2 users,  load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
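The two things Todd's reply turns on, how the client decides which realm a host belongs to (dns_lookup_realm versus [domain_realm]) and where it finds that realm's KDCs (dns_lookup_kdc versus [realms]), worked through as an added example. This is not code from the thread or from MIT krb5; it reimplements the documented client lookup order offline, so where the answer would come from DNS it says so instead of querying. The two krb5.conf texts are constructed for the example (the realm names and the kerberos*.doc.ic.ac.uk KDC hostnames are the ones visible in the KRB5_TRACE output above); the function names parse_krb5_conf, host_realm, kdc_source and diagnose are mine.

```python
"""Offline check: how will an MIT Kerberos client map a hostname to a realm,
and where will it look for that realm's KDCs, given a krb5.conf?

Added example, not code from the thread or from MIT krb5.  Lookup order as
documented for the MIT client: [domain_realm] first (exact host entry, then
the longest matching domain suffix, a leading-dot entry winning over a bare
one), then DNS TXT records if dns_lookup_realm is true, then default_realm
(after which the client relies on KDC referrals).  KDC addresses come from
the [realms] entry if present, otherwise from DNS SRV records when
dns_lookup_kdc is true (the MIT default).  No DNS queries are made here.
"""
import re


def _truthy(value):
    # Boolean spellings accepted by the MIT profile library.
    return value.strip().lower() in {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text):
    """Parse [section] headers, repeatable 'key = value' relations (several
    kdc lines, for instance) and one level of 'NAME = { ... }' subsections."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # whole-line comments only, as in MIT
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            sub = None
            continue
        if section is None:
            raise ValueError(f"relation outside any section: {raw!r}")
        if line == "}":
            sub = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"cannot parse: {raw!r}")
        if value == "{":
            sub = section.setdefault(key, {})
            continue
        target = sub if sub is not None else section
        target.setdefault(key, []).append(value)
    return sections


def host_realm(conf, hostname):
    """Return (realm or None, how the decision was made)."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()
               if isinstance(v, list)}
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host], "domain_realm (host entry)"
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for candidate in ("." + domain, domain):
            if candidate in mapping:
                return mapping[candidate], f"domain_realm ({candidate})"
    libdefaults = conf.get("libdefaults", {})
    if _truthy(libdefaults.get("dns_lookup_realm", ["false"])[0]):
        # The realm decision now rests on an unsigned DNS answer; pinning the
        # mapping in [domain_realm] is the safer choice.
        return None, f"DNS TXT _kerberos.{host} (unauthenticated, not queried here)"
    return libdefaults.get("default_realm", [None])[0], "default_realm"


def kdc_source(conf, realm):
    """Return (KDCs named in the file, where the client will look for them)."""
    entry = conf.get("realms", {}).get(realm, {})
    kdcs = list(entry.get("kdc", [])) if isinstance(entry, dict) else []
    if kdcs:
        return kdcs, "[realms] kdc entries"
    if _truthy(conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]):
        # SRV-based location is not a spoofing risk in the way TXT mapping is:
        # a rogue KDC cannot produce a reply the client will accept.
        return [], f"DNS SRV _kerberos._udp.{realm} / _kerberos._tcp.{realm}"
    return [], "nowhere: add a [realms] entry or set dns_lookup_kdc = true"


def diagnose(conf_text, hostname):
    """Summarise what a GSSAPI 'ssh user@hostname' will need from Kerberos."""
    conf = parse_krb5_conf(conf_text)
    realm, realm_source = host_realm(conf, hostname)
    result = {"host": hostname, "realm": realm, "realm_source": realm_source,
              "service_principal": None, "kdcs": [],
              "kdc_source": "unknown until the realm is known"}
    if realm:
        kdcs, kdc_src = kdc_source(conf, realm)
        result.update(service_principal=f"host/{hostname}@{realm}",
                      kdcs=kdcs, kdc_source=kdc_src)
    return result


# Constructed: a client like the one in the thread, nothing hard-coded.
DNS_ONLY_CONF = """\
[libdefaults]
    default_realm = IC.AC.UK
    dns_lookup_realm = true
    dns_lookup_kdc = true
"""

# Constructed: explicit mapping and KDCs for DOC.IC.AC.UK; IC.AC.UK via SRV.
EXPLICIT_CONF = """\
[libdefaults]
    default_realm = IC.AC.UK
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    DOC.IC.AC.UK = {
        # KDC hostnames as they appear in the KRB5_TRACE output in the thread
        kdc = kerberos.doc.ic.ac.uk
        kdc = kerberos1.doc.ic.ac.uk
        kdc = kerberos2.doc.ic.ac.uk
    }

[domain_realm]
    .doc.ic.ac.uk = DOC.IC.AC.UK
    doc.ic.ac.uk = DOC.IC.AC.UK
    .ic.ac.uk = IC.AC.UK
"""

if __name__ == "__main__":
    for name, conf in (("dns-only", DNS_ONLY_CONF), ("explicit", EXPLICIT_CONF)):
        for host in ("futurama.doc.ic.ac.uk", "icads43.ic.ac.uk"):
            print(name, diagnose(conf, host))
```

With the DNS-only file the realm of futurama.doc.ic.ac.uk cannot be settled without trusting a TXT record, which is why the poster needs no realm entry at all; the explicit file pins the host to DOC.IC.AC.UK and names its KDCs. The service_principal the function prints, host/futurama.doc.ic.ac.uk@DOC.IC.AC.UK, is the principal Todd asks about: it has to exist in the DOC.IC.AC.UK KDC and its key has to be in the host's /etc/krb5.keytab (check with `klist -k` on the host) before GSSAPI ssh logins can succeed.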
