> Hello folks,
> I have gone through the mail archive for suggestions but I can't seem
> to make headway. I am not sure what I am missing. Am I supposed to
> export contents of krb5.keytab and copy them to the client systems?
> I can't even log on to the kerb server. The ssh session just drops to
> the console.
>
> Would appreciate some help on this.
>
> Thank you,
> john
>
> system: etch 32
> -----------------
> id will
> uid=4301(will) gid=4301(will) groups=4301(will)
>
> --------------------------
> pam
>
> grep krb5 /etc/pam.d/common-*
> /etc/pam.d/common-account:account required pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-auth:auth sufficient pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-password:password sufficient pam_krb5.so minimum_uid=1000 forwardable
> /etc/pam.d/common-session:session optional pam_krb5.so minimum_uid=1000 forwardable
>
> ---------------
> /etc/ssh/sshd_config
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> -----
> /etc/ssh/ssh_config
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> -------------
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = FOO.BAR.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
> krb4_config = /etc/krb.conf
> krb4_realms = /etc/krb.realms
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> FOO.BAR.COM = {
> kdc = foo.bar.com
> admin_server = foo.bar.com
> }
>
> [domain_realm]
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> [appdefaults]
> forwardable = true
> pam = {
> minimum_uid = 1000
> }
>
> --------
> /etc/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> FOO.BAR.COM = {
> database_name = /var/lib/krb5kdc/principal
> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5kdc/kadm5.acl
> key_stash_file = /etc/krb5kdc/stash
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> default_principal_flags = +preauth, +forwardable
> kadmind_port = 749
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
> ------------------------------------------
> kadmin.local listprinc
> K/[EMAIL PROTECTED]
> [EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
> will/[EMAIL PROTECTED]
>
> I have run ktadd -k /etc/krb5.keytab <hostname> for all the test
> clients on the kerbserver foo.bar.com.
>
> I can run kinit will/admin on any of the client systems.
>
> --------------------------------
> test2:~# ssh [EMAIL PROTECTED] (fails
>
> test2:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: will/[EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/[EMAIL PROTECTED]
>         renew until 02/13/08 08:05:42
> 02/12/08 08:05:53  02/12/08 18:05:45  host/[EMAIL PROTECTED]
>         renew until 02/13/08 08:05:42
Your /admin principal will typically not be authorized for login to your Unix account; the default rule authorizes [EMAIL PROTECTED] to access the Unix account "foo". Use your regular principal, or if you really want to log in with your admin principal, add both your regular and admin principals to ~/.k5login on the server.

> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> test2:~#
> --------------------
> from /var/log/krb5kdc.log on the kerbserver foo.
> Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes {rep=16 tkt=16 ses=16}, will/[EMAIL PROTECTED] for host/[EMAIL PROTECTED]

-- 
Richard Silverman
[EMAIL PROTECTED]

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
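The authorization rule in the reply above, as an added worked example that is not part of the thread and not MIT krb5's own krb5_kuserok() code: it models the documented default decision (a single-component principal in the default realm maps to the local account of the same name; if ~/.k5login exists, the principal must instead be listed there exactly), so the reader can see why will/admin@FOO.BAR.COM is refused for the account "will" even though the KDC happily issued a host/ ticket. The realm FOO.BAR.COM is taken from the poster's krb5.conf; all test cases and .k5login contents are constructed for the example, and no auth_to_local rules are assumed because the posted krb5.conf has none.

```python
"""Model of the Kerberos-principal-to-Unix-account authorization rule.

Added illustration only: this is not code from the mailing-list thread and
not MIT krb5's krb5_kuserok(); it reproduces the default decision logic.
"""
import re

DEFAULT_REALM = "FOO.BAR.COM"   # from the poster's /etc/krb5.conf


def parse_principal(principal):
    """Split 'name/instance@REALM' into (name, instance, realm).

    instance is '' for a plain user principal such as will@FOO.BAR.COM.
    """
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?@([^@]+)", principal)
    if not m:
        raise ValueError(f"malformed principal: {principal}")
    name, instance, realm = m.groups()
    return name, instance or "", realm


def aname_to_lname(principal, default_realm=DEFAULT_REALM):
    """Default name mapping (no auth_to_local rules assumed).

    Only a single-component principal in the default realm maps to a local
    name, and it maps to that component.  A foreign realm or an instance
    such as /admin has no local name at all, so returns None.
    """
    name, instance, realm = parse_principal(principal)
    if realm != default_realm or instance:
        return None
    return name


def kuserok(principal, local_user, k5login_lines=None, default_realm=DEFAULT_REALM):
    """Return True if `principal` may log in as `local_user`.

    k5login_lines: contents of ~local_user/.k5login as a list of lines, or
    None if the file does not exist.  Rule modeled here:
      - if .k5login exists, the principal must appear in it exactly;
      - otherwise the principal must map to local_user via aname_to_lname.
    """
    if k5login_lines is not None:
        allowed = {line.strip() for line in k5login_lines if line.strip()}
        return principal in allowed
    return aname_to_lname(principal, default_realm) == local_user


def explain(principal, local_user, k5login_lines=None):
    """One-line verdict, for reading the cases below."""
    ok = kuserok(principal, local_user, k5login_lines)
    src = ".k5login" if k5login_lines is not None else "default name mapping"
    return f"{principal} -> {local_user}: {'ALLOW' if ok else 'DENY'} ({src})"


if __name__ == "__main__":
    # Constructed cases mirroring the thread: the client holds a TGT as will/admin.
    print(explain("will/admin@FOO.BAR.COM", "will"))            # DENY
    print(explain("will@FOO.BAR.COM", "will"))                  # ALLOW
    print(explain("will@OTHER.EXAMPLE", "will"))                # DENY (foreign realm)
    # The fix suggested in the reply: list both principals in ~will/.k5login.
    k5login = ["will@FOO.BAR.COM", "will/admin@FOO.BAR.COM"]
    print(explain("will/admin@FOO.BAR.COM", "will", k5login))   # ALLOW
    # Caveat: once .k5login exists the default mapping no longer applies, so a
    # file that lists only the admin principal locks out plain will@FOO.BAR.COM.
    print(explain("will@FOO.BAR.COM", "will", ["will/admin@FOO.BAR.COM"]))  # DENY
```

Two practical notes. First, this check runs on the ssh server after GSSAPI authentication has already succeeded, which is why the KDC log shows a clean TGS_REQ ISSUE for host/ while the session still drops: the ticket was fine, the account mapping was not. Second, a ~/.k5login replaces the default mapping rather than extending it, so list every principal that should reach the account, including the plain one, and create the file as the user (MIT krb5 refuses a .k5login it does not consider the user's own, and the result is a silent deny).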