How to get service ticket

Alberto Patino jalbertop at aranea.com.mx
Mon Nov 25 13:39:00 EST 2002


Are you using the kerberized version of telnet?

The service ticket is requested from the KDC by the kerberized telnet client (telnet).
The kerberized telnet server (telnetd) decrypts the TGS with the key stored
in the keytab file you updated.

If you are using Red Hat Linux, you need to check the /etc/inetd.d
directory and enable the kerberized version of the telnet daemon.

Monika Borikar wrote:

> Hi!
>
> We have a problem integrating a Windows 2000 KDC with Linux 7.2 via 
> Kerberos authentication. Here are the details of what we have done so 
> far....
>
> Windows 2000 side:
>
> Windows 2000 is our KDC.
> Trying to connect two Linux systems as clients to the Win2K KDC. The Linux 
> systems are oxymoron and kerberos-linux2.
> DNS is set up on Win2K and the time matches between the Linux and Win2K 
> systems.
> No modifications done to KDC server settings.
> Used Active Directory Users and Computers to create user accounts for 
> the users existing on the Linux systems.
> Created user accounts for the Linux hostnames in AD.
> Created separate user accounts for the telnet and rlogin services in AD.
>
> Linux side:
>
> The installed rpms are:
>
> krbafs-1.0.9-2
> krb5-devel-1.2.2-13
> krb5-workstation-1.2.2-13
> krb5-server-1.2.2-13
> krb5-libs-1.2.2-13
> pam_krb5-1.46-1
> krbafs-utils-1.0.9-2
> krbafs-devel-1.0.9-2
>
> The /etc/krb5.conf contents are
> ****************************************
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = KERBEROSBLR.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> clockskew = 10000
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
>
> [appdefaults]
> kinit = {
> forwardable = true
> }
> telnet = {
> forward = true
> encrypt = true
> autologin = true
> }
> rlogin = {
> allow_fallback = false
> }
> [realms]
>
> KERBEROSBLR.COM = {
> kdc = kerberos-pc.kerberosblr.com:88
> admin_server = kerberos-pc.kerberosblr.com:749
> default_domain = kerberosblr.com
> }
>
> [domain_realm]
> .kerberosblr.com = KERBEROSBLR.COM
> kerberosblr.com = KERBEROSBLR.COM
> .oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
> oxymoron.kerberosblr.com=OXYMORON.KERBEROSBLR.COM
> .kerberos-pc.kerberosblr.com=KERBEROS-PC.KERBEROSBLR.COM
> kerberos-pc.kerberosblr.com=KERBEROS-PC.KERBEROSBLR.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [pam]
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = true
> ****************************************
>
> Windows 2000 side:
>
> Mapped computer using ktpass as:
>
> ktpass -princ host/oxymoron.kerberosblr.com@KERBEROSBLR.COM -mapuser oxymoron -pass * -out oxymoron.keytab
> ktpass -princ host/kerberos-linux2.kerberosblr.com@KERBEROSBLR.COM -mapuser kerberos-linux2 -pass * -out kerberos-linux2.keytab
>
> Securely transferred the keytab files to the respective linux hosts.
>
> Linux side:
>
> ktutil
> rkt oxymoron.keytab
> wkt /etc/krb5.keytab
> q
>
> Did the same for the other Linux system and for the service accounts (telnet and rlogin).
>
> Tested authentication using kinit -f for a user from the Linux system.
> klist -5 displays the following:
>
> Ticket cache: FILE:/tmp/krb5cc_522
> Default principal: monica@KERBEROSBLR.COM
>
> Valid starting     Expires            Service principal
> 11/25/02 12:58:36  11/25/02 17:32:47  krbtgt/KERBEROSBLR.COM@KERBEROSBLR.COM
>
> We are stuck at this point. We don't know how to obtain service 
> tickets for rlogin and telnet.
>
> we have tried the following:
>
> telnet -xF localhost
>
> the result looks like
>
> Trying 127.0.0.1...
> Connected to kerberos-linux2 (127.0.0.1).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
>
> Authentication negotation has failed, which is required for
> encryption.  Good bye.
>
> We have also tried rlogin
>
> rlogin -x -F localhost
>
> No error message is displayed, but no service ticket is shown when 
> klist -5 is used. It still displays only the krbtgt.
>
> Please help us, step by step, to find where we went wrong and how to 
> obtain a service ticket using Kerberos authentication.
>
> Thanks and regards,
> Monika
>
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
>
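A diagnostic for the situation described in the thread, added here as an example; it is not code from either poster. It checks the three things a kerberized telnetd/rlogind needs before it can accept a Kerberos login: the host principal's key is in the keytab the daemon reads, a user holding a TGT can obtain a service ticket for that principal (the step the telnet client performs and that was missing from the `klist -5` output above), and the key version number (kvno) in the keytab matches the one the KDC issues tickets with. It assumes MIT krb5 client tools (`kinit`, `klist`, `kvno`) are installed, that the daemon reads `/etc/krb5.keytab`, and uses the hostnames and realm from the thread; the parsing functions take command output on stdin so they can be exercised without a KDC.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnoses why a kerberized telnetd or
# rlogind cannot accept a Kerberos login for a host principal.
# Assumptions: MIT krb5 client tools (kinit, klist, kvno); the daemon reads
# /etc/krb5.keytab; hostnames and realm are those used in the thread.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Principal name a host-based service looks for: host/<fqdn>@REALM.
# Principal names are case sensitive and the client derives the name from
# the canonical (lower-case) hostname, so normalise the case here.
service_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'host/%s@%s\n' "$fqdn" "$2"
}

# Read `klist -k` output on stdin; print the kvno of the given principal,
# or nothing if the keytab has no entry for it.
keytab_kvno() {
    awk -v p="$1" '$2 == p { print $1; exit }'
}

# Read `kvno` output ("principal: kvno = N") on stdin; print N.
kdc_kvno() {
    awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# Compare the keytab kvno ($1) with the KDC's ($2); non-zero on any failure.
compare_kvno() {
    if [ -z "$1" ]; then
        echo "FAIL: principal not in keytab (check FQDN and case with klist -k)"
        return 1
    elif [ -z "$2" ]; then
        echo "FAIL: KDC issued no service ticket (run kinit first; check the AD account mapping)"
        return 1
    elif [ "$1" != "$2" ]; then
        echo "FAIL: keytab kvno $1 != KDC kvno $2 (re-run ktpass and re-import the keytab)"
        return 1
    fi
    echo "OK: KDC kvno $2 matches the keytab"
}

diagnose() {
    princ=$(service_principal "$1" "$2")
    echo "checking $princ"
    kt=$(klist -k "$KEYTAB" | keytab_kvno "$princ")
    # kvno asks the KDC for a service ticket exactly as the telnet client
    # would; on success the ticket appears in `klist` next to the krbtgt.
    kdc=$(kvno "$princ" 2>/dev/null | kdc_kvno)
    compare_kvno "$kt" "$kdc" && klist
}

# Live run only when a host and realm are given, e.g.
#   kinit monica@KERBEROSBLR.COM && sh diag.sh oxymoron.kerberosblr.com KERBEROSBLR.COM
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it as the user who already did `kinit`, against the host's fully qualified name rather than `localhost`: the client builds the service principal from the canonical name of the host it connects to, so a test against `localhost` asks for a different principal than the `host/oxymoron.kerberosblr.com@...` entry that ktpass produced. Once `kvno` succeeds, `klist -5` lists the service ticket, and if telnetd still rejects the login the remaining suspects are the keytab path and key version it reads.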