"Client not found in database: [EMAIL PROTECTED]: No such entry in the database"
Ask the Heimdal people: what does this message mean? With cross-realm, the server's realm should not require any knowledge of the user principal and should not require it to be in its database.
Priit Randla wrote:
Hello,
I already posted following message to heimdal-discuss mailinglist, but, as the problem involves also MIT Kerberos 5, I'll try my luck here also...
Maybe somebody here is able to help me with my problem involving Heimdal, MIT and OpenSSH... Currently we've got a mixed Kerberos 5 infrastructure in place: MIT Kerberos 5 + Windows AD stuff. Usual stuff: user data in LDAP, password verification with Kerberos. Our applications rely on ticket forwarding extensively, so whatever we do, ticket forwarding has to work. Now, as we're changing our Linux platform to SuSE, we're going to migrate to Heimdal. Unfortunately ;-) until we're finished with the migration, we've got to run both MIT and Heimdal clients and KDCs, so I've got to implement some kind of cross-realm trust between our 3 Kerberos realms (MIT, Heimdal, AD). As a first step, I'd like to get cross-realm authentication to work for OpenSSH with GSSAPI.
What I've got:
MIT KDC and clients are version 1.3.4.
Heimdal KDC and clients are 0.6.1rc3 as found in SuSE 9.0.
I tried various versions of OpenSSH; currently I've got the latest-and-greatest 3.9p1 with patches for #918 and #922 from bugzilla on both MIT and Heimdal based computers.
Let's say I've got realms: AAA, default on MIT based machines, and BBB on Heimdal ones.
What I've done:
1. Installed Heimdal KDC, created realm BBB and some principals for users and involved hosts.
2. Battled PAM on SuSE to obtain a TGT on login; verified that ticket forwarding works within realm BBB.
3. Created principals for cross-realm authentication, krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED], on both MIT and Heimdal KDCs; verified that kvnos, enctypes and passwords are all the same.
4. Verified that ssh_config contains the options GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes; sshd_config has GSSAPIAuthentication yes.
5. Verified that I can do kgetcred krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED]; the TGT for [EMAIL PROTECTED] is forwardable, the others aren't.
Now, when I attempt an ssh connection as [EMAIL PROTECTED] on 172.26.209.15 using MIT to machine srv1.bbb, which uses Heimdal, I get the following debug information:
...
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Miscellaneous failure
Requested effective lifetime is negative or too short ( -> Kerberos error KRB5KDC_ERR_NEVER_VALID )
debug1: Trying to start again
....
and ssh prompts for a password.
MIT KDC (AAA) log says:
Feb 1 10:25:39 [EMAIL PROTECTED] krb5kdc[20593]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Feb 1 10:26:35 [EMAIL PROTECTED] krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Feb 1 10:26:35 [EMAIL PROTECTED] krb5kdc[20593]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.26.209.15: ISSUE: authtime 1107246339, etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Heimdal KDC (BBB) log says:
TGS-REQ [EMAIL PROTECTED] from IPv4:172.26.209.15 for host/[EMAIL PROTECTED] [renewable, forwardable]
Client not found in database: [EMAIL PROTECTED]: No such entry in the database
cross-realm AAA -> BBB
sending 131 bytes to IPv4:172.26.209.15
krb5.conf has both realms described on all involved computers, and ticket forwarding works for AAA->AAA and BBB->BBB.
Where should I look next? Anything? Kindly please ... :-).
Priit
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
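For reference, here is an added krb5.conf fragment (not from either poster) showing how the two realms in this thread and a direct cross-realm trust between them would be declared on a client. The KDC hostnames (kdc.aaa, kdc.bbb) and DNS-domain-to-realm mappings are assumptions; only the realm names AAA and BBB come from the thread. The cross-realm krbtgt entries themselves live in the KDC databases, not in this file; the [capaths] section tells the client library that AAA and BBB trust each other directly (the "." value), so no intermediate realm is expected in the transited path.

```ini
# Added example: client-side krb5.conf for a direct AAA <-> BBB cross-realm trust.
# Hostnames and domains below are assumed for illustration.

[libdefaults]
    default_realm = AAA
    # The delegated credential must be forwardable, or GSSAPIDelegateCredentials has nothing to forward.
    forwardable = true

[realms]
    AAA = {
        kdc = kdc.aaa
        admin_server = kdc.aaa
    }
    BBB = {
        kdc = kdc.bbb
        admin_server = kdc.bbb
    }

[domain_realm]
    # Map host names such as srv1.bbb to the realm whose KDC holds their host/ principal.
    .aaa = AAA
    aaa  = AAA
    .bbb = BBB
    bbb  = BBB

[capaths]
    # "." means the two realms trust each other directly:
    # a client in AAA gets krbtgt/BBB@AAA from the AAA KDC and presents it to the BBB KDC.
    AAA = {
        BBB = .
    }
    BBB = {
        AAA = .
    }
```

The [capaths] block must agree with what the KDCs actually hold: krbtgt/BBB@AAA on the AAA KDC and krbtgt/AAA@BBB on the BBB KDC, each pair created with the same key, kvno and enctype, as step 3 above describes. If the client and the two KDCs disagree on the path, the serving KDC rejects the transited realm list, which is a different failure from the "Client not found in database" message seen here.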