Hello,

I'm playing with Kerberos authentication on my box and there
are some problems that I need assistance with.

For the first time I saw a lack of documentation on OpenBSD
(Well, maybe it's time to contribute :-)) regarding authentication.

The FAQ doesn't help much on Kerberos. It just says to read
"# info heimdal". Well, I did it and I was a little disappointed. The
info is great to set up a Kerberos server but being new to Kerberos, I'd
have liked info on setting up a client.
After some hours googling/learning, I finally managed to get the
Kerberos Server running and configured the OpenBSD Client as follows:

# cat /etc/kerberosV/krb5.conf
[libdefaults]
        default_realm = CLAER.HAMMOCK.FR

[realms]
        CLAER.HAMMOCK.FR = {
                kdc = diogene.claer.hammock.fr
                admin_server = diogene.claer.hammock.fr
                master_kdc = diogene.claer.hammock.fr
                default_domain = claer.hammock.fr
        }

[domain_realm]
        .claer.hammock.fr = CLAER.HAMMOCK.FR
        claer.hammock.fr = CLAER.HAMMOCK.FR

# ls -l /etc/kerberosV/krb5.keytab
-rw-------  1 root  wheel  358 May 15 15:45 /etc/kerberosV/krb5.keytab

From there, I can obtain a Kerberos ticket on the system:

# kinit claer
cl...@claer.hammock.fr's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: cl...@claer.hammock.fr

  Issued           Expires          Principal
May 19 10:06:28  May 19 20:05:51  krbtgt/claer.hammock...@claer.hammock.fr

The strange thing is I saw this in the server logfile:
May 19 10:06:34 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 
3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for 
krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database
May 19 10:06:37 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 
3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0,  cl...@claer.hammock.fr for 
krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database

It seems that the client is trying to get a ticket for the AFS client.
AFS is not enabled on my BSD box and I don't need it. The only reference
I found to UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to
disable this behavior?


Regards,

Claer
