Hi guys, I am still having trouble with some authentication issues using
the AD Kerberos server.  I can ssh to my Debian/Etch machine using
Active Directory credentials, but I cannot log in with a Kerberos ticket.
kinit works and klist shows the following:

nfsv4etch:~# kinit rohitm
Password for [EMAIL PROTECTED]:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/06/06 17:48:12  10/07/06 03:49:59  krbtgt/[EMAIL PROTECTED]
         renew until 10/07/06 17:48:12


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Kerberized telnet does not seem to work.

nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
Trying 127.0.1.1...
Connected to nfsv4etch (127.0.1.1).
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.

Also if I type ssh [EMAIL PROTECTED], it prompts me for my password.
I was hoping it would just let me in with my ticket.
I have set the following options in /etc/ssh/sshd_config:

KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

and /home/rohitm/.k5login contains the user "[EMAIL PROTECTED]"

The following packages are installed:

ii  krb5-clients             1.4.4-1              Secure replacements for ftp, telnet and rsh
ii  krb5-config              1.10                 Configuration files for Kerberos Version 5
ii  krb5-rsh-server          1.4.4-1              Secure replacements for rshd and rlogind usi
ii  krb5-telnetd             1.4.4-1              Secure telnet server supporting MIT Kerberos
ii  krb5-user                1.4.4-1              Basic programs to authenticate using MIT Ker
ii  libkrb5-17-heimdal       0.7.2.dfsg.1-4       Libraries for Heimdal Kerberos
ii  libkrb53                 1.4.4-1              MIT Kerberos runtime libraries
ii  libpam-krb5              2.0-1                PAM module for MIT Kerberos


I also created a user named "nfsv4etch" in the Active Directory and
did the following to generate an /etc/krb5.keytab file.

Z:\krb>ktpass -princ host/[EMAIL PROTECTED] -mapuser nfsv4etch -crypto DES-CBC-MD5 -pass password -ptype KRB5_NT_PRINCIPAL -out unixmachine.keytab2
Targeting domain controller: fozzie.ad.engr.uconn.edu
Using legacy password setting method
Successfully mapped host/nfsv4etch.engr.uconn.edu to nfsv4etch.
Key created.
Output keytab to unixmachine.keytab2:
Keytab version: 0x502
keysize 74 host/[EMAIL PROTECTED] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0xceae025dfe455d49)

Can anyone think of what I am missing?  I was hoping this would be easy!

Thanks in advance for any help.

Rohit
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
