On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>>
>> I'd like to configure CISCO Catalyst to use kerberos against AD server
>> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
>> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>>
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth: Couldn't authenticate client from
>> test-nms.test.local.
>>
>> What can be wrong ?
>>
>> Has someone working example of CISCO config for such scenario ?
>>
>> J.
>
> Hi Jarek,
>
> A cisco working here with kerberos authentication but the kdc is Heimdal
> kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/[email protected] (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
>
> # I strongly suggest this as well adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
>
> -- Nikos
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Hi Nikos,
If I'm not mistaken, they don't yet support kerberos for SSH, do they?
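
The quoted suggestion to upload a keytab holding only the DES-CBC-CRC key for the Cisco principal can be checked before the upload. The following is an added example, not part of the thread or of any participant's configuration: it lists the enctypes in a keytab and flags entries for the principal that are not des-cbc-crc (enctype 1). It assumes the MIT keytab file format, version 0x0502; the principal name and the sample keytab bytes are constructed for illustration.

```python
import struct
DES_CBC_CRC = 1  # Kerberos enctype number for des-cbc-crc

def _counted(buf, p):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)      # a negative size marks a deleted slot to skip
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            kvno = data[p + 8]     # follows 4-byte name type and 4-byte timestamp
            (enctype,) = struct.unpack_from(">H", data, p + 9)
            _key, p = _counted(data, p + 11)
            if end - p >= 4:       # optional 32-bit kvno supersedes the 8-bit one
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def non_des_entries(data, principal):  # entries for principal that are not des-cbc-crc
    return [e for e in parse_keytab(data) if e[0] == principal and e[2] != DES_CBC_CRC]

def build_entry(principal, kvno, enctype, key):  # only builds the constructed sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical switch principal with a DES key and an RC4 key (enctype 23).
PRINCIPAL = "host/switch.example.test@EXAMPLE.TEST"
SAMPLE = b"\x05\x02" + build_entry(PRINCIPAL, 3, 1, bytes(8)) + build_entry(PRINCIPAL, 3, 23, bytes(16))
if __name__ == "__main__":
    print(non_des_entries(SAMPLE, PRINCIPAL))
```

An empty result means every key stored for that principal is des-cbc-crc; to check a real file, pass its bytes (read in binary mode) to `non_des_entries`.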
