Assuming your DNS is set up properly, you'll need to set the host principal in the keytab to the fully qualified domain name, i.e. host/[EMAIL PROTECTED] instead of host/[EMAIL PROTECTED]

You can check if it is by running host against the IP of the hostname. So assuming rofe.one.com has the IP 10.1.1.1:

  > host 10.1.2.3
  3.2.1.10.in-addr.arpa domain name pointer rofe.one.com.

(Note that the returned IP is reversed, which is normal.)

Cheers,
Edward

On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> I'm about to make some central authentication for our Linux servers. I
> have followed these guides and some of it works, except ssh to the
> server.
>
> Guides:
> http://www.visolve.com:81/security/ssh_kerberos.php
> http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
>
> My test environment is 3 computers (pc1, pc2 and pc3):
>
> PC2 (Debian Etch)
> Installed Kerberos and configured realms in /etc/krb5.conf:
>
> [libdefaults]
>     default_realm = ONE.COM
>
> [realms]
>     ONE.COM = {
>         kdc = kerberos.one.com
>         admin_server = kerberos.one.com
>     }
>
> Created principals:
> host/rofe (the PC which I want to log in to via ssh, PC1)
> ronni (me)
>
> Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
>
> PC1 (Ubuntu 8.04):
> I have installed Kerberos and OpenSSH and configured realms
> in /etc/krb5.conf
>
> [libdefaults]
>     default_realm = ONE.COM
>
> [realms]
>     ONE.COM = {
>         kdc = kerberos.one.com
>         admin_server = kerberos.one.com
>     }
>
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
>
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
>
> Edited firewall rules and /etc/hosts for communication.
>
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
>
> But it fails when I try to ssh from PC3 to PC1.
>
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
>
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
>
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to log in)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2
>
> PC2 (the Kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database
>
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to log in on all servers without the need for creating every single
> user on every server.
>
> Help :-)
>
> - Ronni
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
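The check Edward describes (does the host/ principal in the keytab use the FQDN that reverse DNS returns for the server's address?) can be scripted. The following is an added example, not code from either poster; it parses constructed sample output modelled on `klist -k` and on the `host` PTR answer quoted in the reply, and the function and variable names are this example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on MIT Kerberos `klist -k /etc/krb5.keytab`
# output: the keytab holds a short-name host principal, as in the thread.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rofe@ONE.COM
   2 host/rofe@ONE.COM
"""

# Constructed sample of a `host <ip>` reverse-lookup answer, as in the reply.
SAMPLE_PTR_ANSWER = "3.2.1.10.in-addr.arpa domain name pointer rofe.one.com."

# One keytab entry line: a key version number followed by the principal.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(?P<principal>\S+)\s*$")

# "W.X.Y.Z.in-addr.arpa domain name pointer fqdn." (octets in reverse order).
PTR_RE = re.compile(
    r"^(?P<rev>(?:\d{1,3}\.){4})in-addr\.arpa\s+domain name pointer\s+"
    r"(?P<fqdn>\S+?)\.?$"
)


def keytab_principals(klist_output):
    """Return the distinct principal names listed in `klist -k` output."""
    seen = []
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m and m.group("principal") not in seen:
            seen.append(m.group("principal"))
    return seen


def parse_ptr_answer(answer):
    """Parse a PTR answer into (ip, fqdn).

    The octets in the in-addr.arpa name are reversed relative to the address,
    which is why the reply notes that the returned IP looks backwards.
    """
    m = PTR_RE.match(answer)
    if not m:
        raise ValueError("not a PTR answer: %r" % answer)
    octets = m.group("rev").rstrip(".").split(".")
    ip = str(ip_address(".".join(reversed(octets))))  # validates the address
    return ip, m.group("fqdn")


def expected_host_principal(fqdn, realm):
    """Build the host principal sshd will look up: host/<fqdn>@<REALM>."""
    return "host/%s@%s" % (fqdn.rstrip("."), realm)


def check_host_keytab(klist_output, ptr_answer, realm):
    """Compare the keytab's host/ principals with the FQDN reverse DNS returns.

    Returns (ok, expected_principal, host_principals_found).
    """
    _, fqdn = parse_ptr_answer(ptr_answer)
    expected = expected_host_principal(fqdn, realm)
    found = [p for p in keytab_principals(klist_output) if p.startswith("host/")]
    return expected in found, expected, found


if __name__ == "__main__":
    ok, expected, found = check_host_keytab(
        SAMPLE_KLIST_OUTPUT, SAMPLE_PTR_ANSWER, "ONE.COM"
    )
    print("expected:", expected)
    print("found:   ", found)
    print("OK" if ok else "MISMATCH: keytab principal does not use the FQDN")
```

On a real server the two inputs would come from running `klist -k /etc/krb5.keytab` and `host <server-ip>`; with the thread's short-name principal the check reports a mismatch and prints the FQDN-based principal that should be created and exported instead.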