Wilson, Michael <[EMAIL PROTECTED]> wrote:
> ***KLIST -kte***
> [abc]:/var/adm/syslog # klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    6 05/08/07 16:12:33 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)
>
> ***HOSTS FILE***
> [abc]:/etc $ cat hosts
> #
> 10.9.1.1    abc
> 127.0.0.1   localhost loopback
Well, I suspect that should be using a FQDN and not just "host/abc".

Does

  kinit -kt /etc/krb5.keytab host/abc

actually work? (You should not get any messages, and klist should show tickets for the host/abc principal.)

> ***KRB5.CONF***
> [abc]:/etc # cat krb5.conf
> [logging]
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
>
> [libdefaults]
> ticket_liftetime = 24000
> default_realm = KDC.DIEBOLD.COM

Your Windows AD domain is called KDC.DIEBOLD.COM? That doesn't sound right.

> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5

Delete the above two lines. Hardcoding enctypes is a bad idea and will cause you much pain in the future.

> The keytab was added earlier and is now in place.
> After I read your email I reviewed a few things and here is where we
> are now:
>
> We can telnet into 'abc' and we get authenticated via active
> directory. When we use ssh to try this we get rejected.

Authenticated using Kerberos tickets? Or via typing in a password?

What EXACT error message do you get from SSH? And is the error message actually from SSH itself? Or from whatever PAM-type stuff that HP-UX uses?

> We have tried to find results for this on the internet, but have had
> no viable luck.

Try the following:

  kdestroy
  kinit -f -5 -p <user>@<REALM>
  klist -ef
  ssh -vvv -o "GSSAPIAuthentication yes" <machine>
  (Ctrl-C it if you get a password prompt or if it doesn't work.)
  klist -ef
  (yes, again, and look for a host/* ticket)

And what does your sshd_config file look like?

<<CDC

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
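The diagnostic sequence suggested in the reply above, as an added example that is not code from the thread or from either poster: it runs kdestroy, kinit, klist, an ssh with GSSAPI forced on, and klist again, then checks the second listing for a host/<fqdn>@REALM service ticket (the "host/* ticket" the reply says to look for), warns when the host name is not fully qualified (the host/abc vs. host/abc.<domain> mismatch the reply suspects), and flags the hard-coded default_tkt_enctypes / default_tgs_enctypes lines the reply says to delete. It assumes MIT-style kinit syntax (principal as a positional argument; the reply's `kinit -f -5 -p` form belongs to whichever kinit HP-UX ships), the user principal and target FQDN passed as arguments, and constructed sample klist and krb5.conf text; the function names and sample data are mine, not from the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (not from the page):
# MIT-style kinit/klist/kdestroy, hostname and realm given as arguments, and
# constructed sample klist / krb5.conf text for the offline checks below.

# has_host_ticket KLIST_OUTPUT FQDN REALM
# True when a `klist -ef` listing contains a ticket for host/FQDN@REALM.
has_host_ticket() {
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# expected_host_principal REALM HOSTNAME
# Prints the principal sshd will look up in its keytab; warns when the name
# is not fully qualified (host/abc where sshd wants host/abc.<domain>).
expected_host_principal() {
    case $2 in
        *.*) ;;
        *) echo "warning: '$2' is not an FQDN; sshd normally expects host/$2.<domain>@$1" >&2 ;;
    esac
    printf 'host/%s@%s\n' "$2" "$1"
}

# ticket_enctypes KLIST_OUTPUT PRINCIPAL
# Prints the "Etype (skey, tkt)" line that `klist -e` shows under a ticket.
ticket_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" 'found && /Etype/ { print; exit } index($0, p) { found = 1 }'
}

# hardcoded_enctypes KRB5CONF_TEXT
# Prints any default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes
# lines (the settings the reply says to delete); exit status 0 if any found.
hardcoded_enctypes() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*='
}

# Constructed sample of `klist -ef` output after a successful GSSAPI ssh login.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mwilson@EXAMPLE.COM

Valid starting     Expires            Service principal
05/08/07 16:20:01  05/09/07 02:20:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FIA, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
05/08/07 16:20:15  05/09/07 02:20:01  host/abc.example.com@EXAMPLE.COM
    Flags: FA, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5'

# Constructed krb5.conf fragment carrying the two lines the reply says to remove.
SAMPLE_KRB5CONF='[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5'

# run_gssapi_check USER@REALM TARGET_FQDN
# The live procedure; only meaningful on a host with the Kerberos tools installed.
run_gssapi_check() {
    upn=$1; target=$2; realm=${upn#*@}
    kdestroy 2>/dev/null
    kinit -f "$upn" || return 1            # MIT syntax: principal is positional
    klist -ef
    # BatchMode keeps ssh from stalling on a password prompt when GSSAPI fails;
    # the -vvv output shows whether the GSSAPI exchange was even attempted.
    ssh -vvv -o GSSAPIAuthentication=yes -o BatchMode=yes "$target" true
    out=$(klist -ef)
    if has_host_ticket "$out" "$target" "$realm"; then
        echo "OK: got $(expected_host_principal "$realm" "$target")"
        ticket_enctypes "$out" "host/$target@$realm"
    else
        echo "FAIL: no host/$target@$realm ticket; check the keytab principal name and FQDN" >&2
        return 1
    fi
    if [ -r /etc/krb5.conf ] && hardcoded_enctypes "$(cat /etc/krb5.conf)"; then
        echo "note: the enctype lines above are hard-coded in /etc/krb5.conf" >&2
    fi
}

# Usage: sh gss_check.sh mwilson@EXAMPLE.COM abc.example.com
if [ "$#" -eq 2 ] && command -v klist >/dev/null 2>&1; then
    run_gssapi_check "$1" "$2"
fi
```

If the second klist shows a TGT but no host/ ticket, the client never got (or never asked for) a service ticket for the name it resolved the target to; compare that name with the principal in `klist -kte` on the server, since sshd will only accept a ticket for the exact host/<name>@REALM its keytab holds. The enctype line under the ticket is worth reading next to the keytab entry for the same reason.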