How to get service ticket
Monika Borikar
monikaborikar at hotmail.com
Mon Nov 25 03:26:01 EST 2002
Hi!
We have a problem integrating a Windows 2000 KDC with Linux 7.2 via Kerberos
authentication. Here are the details of what we have done so far.
Windows 2000 side:
Windows 2000 is our KDC.
Trying to connect two Linux systems as clients to the Win2K KDC. The Linux
systems are oxymoron and kerberos-linux2.
DNS is set up on Win2K and the time matches between the Linux and Win2K systems.
No modifications done to KDC server settings.
Used Active Directory Users and Computers to create user accounts for the users
existing on the Linux system.
Created user accounts in AD for the Linux hostnames.
Created separate user accounts for the telnet and rlogin services in AD.
Linux side:
The installed rpms are:
krbafs-1.0.9-2
krb5-devel-1.2.2-13
krb5-workstation-1.2.2-13
krb5-server-1.2.2-13
krb5-libs-1.2.2-13
pam_krb5-1.46-1
krbafs-utils-1.0.9-2
krbafs-devel-1.0.9-2
The /etc/krb5.conf contents are
****************************************
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = KERBEROSBLR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 10000
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[appdefaults]
kinit = {
forwardable = true
}
telnet = {
forward = true
encrypt = true
autologin = true
}
rlogin = {
allow_fallback = false
}
[realms]
KERBEROSBLR.COM = {
kdc = kerberos-pc.kerberosblr.com:88
admin_server = kerberos-pc.kerberosblr.com:749
default_domain = kerberosblr.com
}
[domain_realm]
.kerberosblr.com = KERBEROSBLR.COM
kerberosblr.com = KERBEROSBLR.COM
.oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
.kerberos-pc.kerberosblr.com=KERBEROS-PC.KERBEROSBLR.COM
kerberos-pc.kerberosblr.com=KERBEROS-PC.KERBEROSBLR.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
****************************************
Windows 2000 side:
Mapped the computers using ktpass as:
ktpass -princ host/oxymoron.kerberosblr.com@KERBEROSBLR.COM -mapuser oxymoron -pass * -out oxymoron.keytab
ktpass -princ host/kerberos-linux2.kerberosblr.com@KERBEROSBLR.COM -mapuser kerberos-linux2 -pass * -out kerberos-linux2.keytab
Securely transferred the keytab files to the respective Linux hosts.
Linux side:
ktutil
rkt oxymoron.keytab
wkt /etc/krb5.keytab
q
Did the same for the other Linux system and for the service accounts (telnet and rlogin).
Tested authentication using kinit -f for a user from the Linux system.
klist -5 displays the following:
Ticket cache: FILE:/tmp/krb5cc_522
Default principal: monica@KERBEROSBLR.COM
Valid starting Expires Service principal
11/25/02 12:58:36 11/25/02 17:32:47 krbtgt/KERBEROSBLR.COM@KERBEROSBLR.COM
We are stuck at this point. We don't know how to obtain service tickets for
rlogin and telnet.
We have tried the following:
telnet -xF localhost
The result looks like:
Trying 127.0.0.1...
Connected to kerberos-linux2 (127.0.0.1).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for
encryption. Good bye.
We have also tried rlogin:
rlogin -x -F localhost
No error message is displayed, but no service ticket is shown when klist -5
is used. It still displays only the krbtgt.
Please help us, step by step, to find where we went wrong and how to obtain a
service ticket using Kerberos authentication.
Thanks and regards,
Monika
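One thing a reader can check offline for a setup like the one described above is which realm the client's [domain_realm] section selects for the target host, since the service ticket the client requests is host/<fqdn>@<that realm>, and a realm with no kdc in [realms] can never yield one. The following Python is added here as an illustration, not code from the thread; its parser and lookup are simplified reimplementations of libkrb5's behaviour (no DNS lookup or domain guessing), run over the relevant lines of the posted krb5.conf.

```python
# Relevant lines of the krb5.conf quoted in the post (sample input for this example).
KRB5_CONF = """
[libdefaults]
default_realm = KERBEROSBLR.COM
[realms]
KERBEROSBLR.COM = {
kdc = kerberos-pc.kerberosblr.com:88
}
[domain_realm]
.kerberosblr.com = KERBEROSBLR.COM
.oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, one level of { } nesting."""
    conf, section, sub = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line[0] == '[':                     # [section]
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == '}':                      # end of a NAME = { ... } block
            sub = None
        elif line.endswith('{'):               # NAME = {
            sub = section.setdefault(line[:-1].strip(' ='), {})
        else:                                  # key = value
            key, _, value = line.partition('=')
            (section if sub is None else sub)[key.strip()] = value.strip()
    return conf

def host_realm(conf, hostname):
    """[domain_realm] lookup as libkrb5 does it: exact host name first, then each parent
    domain with a leading dot; else default_realm (simplified: no DNS or domain guess)."""
    mapping, host = conf.get('domain_realm', {}), hostname.lower().rstrip('.')
    labels = host.split('.')
    for cand in [host] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:
            return mapping[cand]
    return conf['libdefaults']['default_realm']

def check_service_realm(conf, service, hostname):
    """Return (principal the client would ask the KDC for, problem text or None)."""
    realm = host_realm(conf, hostname)
    principal = f"{service}/{hostname.lower()}@{realm}"
    if 'kdc' not in conf.get('realms', {}).get(realm, {}):
        return principal, f"{hostname} maps to {realm}, which has no kdc entry in [realms]"
    return principal, None

CONF = parse_krb5_conf(KRB5_CONF)
```

Calling check_service_realm(CONF, 'host', h) for each Linux host shows which requested principal lands in a realm the client has no KDC for.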