> 
> hello folks,
> i have gone through the mail archive for suggestions but i can't seem
> to make headway. i am not sure what i am missing. am i supposed to
> export  contents of krb5.keytab and copy them to the  client systems?
> i can't even log on to  the kerb server. the ssh session just drops to
> the console.
> 
> would appreciate some help on this.
> 
> thank you,
> john
> 
> system: etch 32
> -----------------
> id will
> uid=4301(will) gid=4301(will) groups=4301(will)
> 
> --------------------------
> pam
> 
>   grep krb5 /etc/pam.d/common-*
> /etc/pam.d/common-account: account  required  pam_krb5.so
> minimum_uid=1000 forwardable
> /etc/pam.d/common-auth:auth    sufficient      pam_krb5.so
> minimum_uid=1000 forwardable
> /etc/pam.d/common-password
> :password   sufficient pam_krb5.so minimum_uid=1000 forwardable
>  /etc/pam.d/common-session:session  optional  pam_krb5.so
> minimum_uid=1000 forwardable
> 
> 
> 
> ---------------
> /etc/ssh/sshd_config
> KerberosAuthentication yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> -----
> /etc/ssh/ssh_config
> 
>  GSSAPIAuthentication yes
>  GSSAPIDelegateCredentials yes
> 
> -------------
> 
> 
> /etc/krb5.conf
> [libdefaults]
>         default_realm = FOO.BAR.COM
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>          proxiable = true
> 
> [realms]
>         FOO.BAR.COM = {
>                 kdc = foo.bar.com
>                 admin_server = foo.bar.com
>          }
> 
> [domain_realm]
> 
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>          default = FILE:/var/log/krb5lib.log
> [appdefaults]
>                forwardable = true
>                pam = {
>                    minimum_uid = 1000
>                }
> 
> 
> --------
> /etc/krb5kdc/kdc.conf
>  [kdcdefaults]
>     kdc_ports = 750,88
> 
> [realms]
>      FOO.BAR.COM = {
>         database_name = /var/lib/krb5kdc/principal
>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>          acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/stash
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>          supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des:normal des:v4 des:norealm des:onlyrealm des:afs3
>         default_principal_flags = +preauth, +forwardable
>         kadmind_port = 749
>     }
> 
> [logging]
>          kdc = FILE:/var/log/krb5kdc/kdc.log
>          admin_server = FILE:/var/log/krb5kdc/kadmin.log
> ------------------------------------------
> kadmin.local listprinc
> K/[EMAIL PROTECTED]
>  [EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
>  host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
>  kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
>  krbtgt/[EMAIL PROTECTED]
> will/[EMAIL PROTECTED]
> 
> i have run ktadd -k /etc/krb5.keytab <hostname> for all the test
> clients on the kerbserver foo.bar.com
> 
> i can run kinit will/admin on any of the client systems.
> --------------------------------
> test2:~# ssh [EMAIL PROTECTED] (fails)
> 
> test2:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: will/[EMAIL PROTECTED]
> 
> Valid starting     Expires            Service principal
> 02/12/08 08:05:45  02/12/08 18:05:45  krbtgt/[EMAIL PROTECTED]
>         renew until 02/13/08 08:05:42
>  02/12/08 08:05:53  02/12/08 18:05:45  host/[EMAIL PROTECTED]
>         renew until 02/13/08 08:05:42

Your /admin principal will typically not be authorized to log in to your
Unix account; the default rule authorizes [EMAIL PROTECTED] to access the Unix
account "foo", and will/admin is a different principal from will. Use your regular principal, or, if you really want to log
in with your admin principal, add both your regular and admin principals
to ~/.k5login on the server.

> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>  test2:~#
> --------------------
> from /var/log/krb5kdc.log on the kerbserver foo.

> Feb 12 08:22:12 foo.bar.com krb5kdc[12645](info): TGS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 10.41.1.131: ISSUE: authtime 1202803545, etypes
> {rep=16 tkt=16 ses=16}, will/[EMAIL PROTECTED] for
> host/[EMAIL PROTECTED]

-- 
  Richard Silverman
  [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos