Unable to SSH with Kerberos user

Patrick Marc Preuß patrick.preuss at gmail.com
Sat Jan 25 20:24:59 EST 2020


Hi Rocky

Now check the server side logs. Seems there is an issue either with the user on the server, or the Kerberos setup on this side.

User needs to be resolvable via "getent passwd" and server side keytab needs to be aware of the right services and sshd needs to know the keytab.

HTH 





----

Patrick

> On Jan 25, 2020, at 9:24 AM, Rocky Hotas <rockyhotas at post.com> wrote:
> 
> Sent: Saturday, January 25, 2020 at 5:51 PM
> From: "Patrick Marc Preuß" <patrick.preuss at gmail.com>
> To: "Rocky Hotas" <rockyhotas at post.com>
> Subject: Re: Unable to SSH with Kerberos user
> 
>> Hi rocky 
> 
> Hi :)!
> 
>> Have a look into the ssh somewhere around line 115:
> 
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> Server host/xubtest.xexample.intk at XEXAMPLE.INTK not found in Kerberos database
> 
>> gssapi is selected but not ticket grated due to missing service principal for the server.
> 
> Thanks for your patience in looking at the logs.
> Maybe you meant "granted". Ok! I executed `kadmin.local' on the server and:
> 
> kadmin.local:  addprinc -randkey host/xubtest.xexample.intk
> WARNING: no policy specified for host/xubtest.xexample.intk at XEXAMPLE.INTK; defaulting to no policy
> Principal "host/xubtest.xexample.intk at XEXAMPLE.INTK" created.
> kadmin.local:  addprinc -randkey host/xubcl1.xexample.intk
> WARNING: no policy specified for host/xubcl1.xexample.intk at XEXAMPLE.INTK; defaulting to no policy
> Principal "host/xubcl1.xexample.intk at XEXAMPLE.INTK" created.
> 
> Hope this is correct. Then, I tried again with ssh, and this is the
> result: https://pastebin.com/vDX0Gt67
> 
> The error you mentioned has disappeared, but the behaviour is apparently
> the same (password required and permission denied even with the correct
> password).
> 
>> HTH
> 
> Yes, of course! Those principals must be created.
> 
> Thanks,
> 
> Rocky
> 
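
The three server-side checks named in the reply above (user resolvable via getent passwd, keytab holding the server's host principal, sshd accepting GSSAPI), written as an added example that is not part of the original thread. The user name rocky, the file name check.sh, the sample keytab listing and reading "sshd needs to know the keytab" as a GSSAPIAuthentication check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the three server-side checks from the reply, as text filters.

# Reads `klist -k` output on stdin; succeeds if principal $1 has a keytab entry.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Reads `sshd -T` (effective config, lowercase keywords) on stdin.
sshd_gssapi_enabled() {
    grep -qi '^gssapiauthentication yes$'
}

# report USER PRINCIPAL PASSWD_ENTRY KLIST_OUTPUT SSHD_CONFIG
# Prints one line per check; return status is the number of failed checks.
report() {
    fails=0
    if [ -n "$3" ]; then echo "OK   user $1 resolves"
    else echo "FAIL user $1 not found by getent passwd"; fails=$((fails + 1)); fi
    if printf '%s\n' "$4" | keytab_has_principal "$2"; then echo "OK   keytab has $2"
    else echo "FAIL keytab lacks $2"; fails=$((fails + 1)); fi
    if printf '%s\n' "$5" | sshd_gssapi_enabled; then echo "OK   sshd GSSAPIAuthentication yes"
    else echo "FAIL sshd GSSAPIAuthentication not enabled"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample (hypothetical user "rocky"): the user resolves and sshd
# allows GSSAPI, but the keytab holds only another host's key, so the server
# has no key for its own host/ principal.
demo() {
    kt='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/xubcl1.xexample.intk@XEXAMPLE.INTK'
    report rocky host/xubtest.xexample.intk@XEXAMPLE.INTK \
        'rocky:x:1001:1001::/home/rocky:/bin/bash' "$kt" \
        'gssapiauthentication yes' || echo "failed checks: $?"
}

# Usage on the SSH server, as root: sh check.sh --live USER REALM
if [ "${1:-}" = "--live" ]; then
    report "$2" "host/$(hostname -f)@$3" "$(getent passwd "$2")" \
        "$(klist -k 2>&1)" "$(sshd -T 2>/dev/null)" || echo "failed checks: $?"
else
    demo
fi
```

Run without arguments it evaluates the constructed sample; with --live it reads the real getent, klist -k and sshd -T output on the server.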

