help with Active Directory Kerberos authentication

2006-10-06 Thread Rohit Kumar Mehta

Hi guys, I am still having trouble with some authentication issues using 
the AD kerberos server.  I can ssh to my Debian/Etch machine using 
Active Directory credentials, but I cannot login with a Kerberos ticket. 
kinit works and klist shows the following:

nfsv4etch:~# kinit rohitm
Password for [EMAIL PROTECTED]:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/06/06 17:48:12  10/07/06 03:49:59  krbtgt/[EMAIL PROTECTED]
        renew until 10/07/06 17:48:12


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Kerberized telnet does not seem to work.

nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
Trying 127.0.1.1...
Connected to nfsv4etch (127.0.1.1).
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.

Also if I type ssh [EMAIL PROTECTED], it prompts me for my password.
I was hoping it would just let me in with my ticket.
I have set the following options in /etc/ssh/sshd_config

KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

and /home/rohitm/.k5login contains the user "[EMAIL PROTECTED]"

The following packages are installed:

ii  krb5-clients        1.4.4-1         Secure replacements for ftp, telnet and rsh
ii  krb5-config         1.10            Configuration files for Kerberos Version 5
ii  krb5-rsh-server     1.4.4-1         Secure replacements for rshd and rlogind usi
ii  krb5-telnetd        1.4.4-1         Secure telnet server supporting MIT Kerberos
ii  krb5-user           1.4.4-1         Basic programs to authenticate using MIT Ker
ii  libkrb5-17-heimdal  0.7.2.dfsg.1-4  Libraries for Heimdal Kerberos
ii  libkrb53            1.4.4-1         MIT Kerberos runtime libraries
ii  libpam-krb5         2.0-1           PAM module for MIT Kerberos


I also created a user named "nfsv4etch" in the Active Directory and
did the following to generate an /etc/krb5.keytab file.

Z:\krb>ktpass -princ host/[EMAIL PROTECTED] -mapuser nfsv4etch -crypto DES-CBC-MD5 -pass password -ptype KRB5_NT_PRINCIPAL -out unixmachine.keytab2
Targeting domain controller: fozzie.ad.engr.uconn.edu
Using legacy password setting method
Successfully mapped host/nfsv4etch.engr.uconn.edu to nfsv4etch.
Key created.
Output keytab to unixmachine.keytab2:
Keytab version: 0x502
keysize 74 host/[EMAIL PROTECTED] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0xceae025dfe455d49)

Can anyone think of what I am missing?  I was hoping this would be easy!

Thanks in advance for any help.

Rohit

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: help with Active Directory Kerberos authentication

2006-10-06 Thread Russ Allbery
Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:

> Kerberized telnet does not seem to work.
> 
> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
> Trying 127.0.1.1...
> Connected to nfsv4etch (127.0.1.1).
> Escape character is '^]'.
> telnetd: Authorization failed.
> Connection closed by foreign host.

After you've run this command, do you have host tickets in your ticket
cache for the system you're logging on to?

> Also if I type ssh [EMAIL PROTECTED], it prompts me for my password.
> I was hoping it would just let me in with my ticket.
> I have set the following options in /etc/ssh/sshd_config

> KerberosAuthentication yes
> #KerberosGetAFSToken yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes

This just tells OpenSSH to try verifying passwords with Kerberos.  These
options don't control logging on with existing Kerberos credentials.  For
that, you want:

GSSAPIAuthentication yes

and the equivalent on the client.  Since you're using etch, install
openssh-server (rather than the mostly obsolete ssh-krb5 package), but
note that it doesn't enable GSSAPI by default and you have to change its
configuration and restart the server after installing it.  Similarly,
you'll need to change your client configuration to enable GSSAPI
authentication.

-- 
Russ Allbery ([EMAIL PROTECTED]) 

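A worked check of the point above, added here as an example rather than anything from the thread: a small POSIX shell script that reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored, anything after a Match line is conditional) and reports whether login with an existing ticket is actually switched on. Both config samples are constructed: the first is the option set posted in the question, the second is the same file with GSSAPIAuthentication added. The function names are mine.

```shell
#!/bin/sh
# Added example: audit an sshd_config for ticket (GSSAPI) login as opposed to
# Kerberos password verification. Not code from the thread; samples are constructed.

# Constructed sample 1: the four options from the original question. There is
# no live GSSAPIAuthentication line at all (a commented-out line does not count).
ORIGINAL_CONFIG='KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#GSSAPIAuthentication yes'

# Constructed sample 2: the same file with GSSAPI switched on.
# GSSAPICleanupCredentials removes the credential cache at logout, the GSSAPI
# counterpart of KerberosTicketCleanup.
CORRECTED_CONFIG='KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

# sshd_option CONFIG_TEXT KEYWORD
# Print the value sshd would use for KEYWORD, or nothing if it is not set
# (meaning the compiled-in default, which is "no" for GSSAPIAuthentication).
# Mirrors sshd_config(5): keywords are case-insensitive, '#' starts a comment,
# the FIRST occurrence wins, and lines after a Match block are conditional, so
# the audit stops there. Only the "Keyword value" form is handled, not "Keyword=value".
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # blank or comment-only line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# ticket_login_enabled CONFIG_TEXT
# Succeeds only when GSSAPIAuthentication is explicitly "yes".
# KerberosAuthentication is deliberately ignored: it only lets sshd verify a
# typed password against the KDC, which is exactly the prompt the question complains about.
ticket_login_enabled() {
    [ "$(sshd_option "$1" GSSAPIAuthentication)" = "yes" ]
}

# Report on both samples.
for name in ORIGINAL_CONFIG CORRECTED_CONFIG; do
    eval "cfg=\$$name"
    printf '%s: KerberosAuthentication=%s GSSAPIAuthentication=%s -> ' \
        "$name" "$(sshd_option "$cfg" KerberosAuthentication)" \
        "$(sshd_option "$cfg" GSSAPIAuthentication)"
    if ticket_login_enabled "$cfg"; then
        echo "login with an existing ticket possible"
    else
        echo "password will still be prompted"
    fi
done
```

The client needs the matching switch too: either `ssh -o GSSAPIAuthentication=yes user@host` on the command line or `GSSAPIAuthentication yes` in ~/.ssh/config. Leave GSSAPIDelegateCredentials off unless you actually need your TGT on the remote machine, since delegation hands the server a usable copy of your credentials. After editing the server side, `sshd -t` checks the file parses and a restart is needed for the change to take effect.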


Re: help with Active Directory Kerberos authentication

2006-10-06 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote:
> Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:
>
>> Kerberized telnet does not seem to work.
>>
>> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
>> Trying 127.0.1.1...
>> Connected to nfsv4etch (127.0.1.1).

127.0.1.1 ?  Uhh, that doesn't look right.  Edit the /etc/hosts file on 
the machine you are logging into and put the actual IP address on the 
line with the FQDN of the machine.  You want something like:

[EMAIL PROTECTED]:/]% cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.174.251.7   sleepless.acm.uiuc.edu  sleepless
128.174.251.6   clortho.acm.uiuc.edu    clortho
128.174.251.37  enzo.acm.uiuc.edu       enzo



Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Rohit Kumar Mehta
Russ Allbery wrote:

> You aren't seeing host tickets.  So it looks to me like the problem is
> that you can't obtain host/[EMAIL PROTECTED]
> tickets from AD.
> 
> You should be able to test this directly by running:
> 
> kinit -S host/nfsv4etch.engr.uconn.edu [EMAIL PROTECTED]
> 
> to obtain host credentials rather than the normal krbtgt credentials.  My
> guess is that you'll find that the host credentials are not in AD for
> some reason.
> 
> This will indeed affect both telnet and ssh.
> 

I tried that command and it seems to work:
nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
nfsv4etch:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/10/06 17:19:07  10/11/06 03:19:12  host/[EMAIL PROTECTED]
        renew until 10/11/06 17:19:07


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

However even with the host credentials, I can't get in:

nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
Trying 192.168.1.137...
Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
Escape character is '^]'.
telnetd: Authorization failed.
Connection closed by foreign host.
nfsv4etch:~# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I am pretty sure I put the host creds in the AD and generated the keytab 
for use on the Linux client.  Is there a way to check if my keytab is 
correct?
nfsv4etch:~# strings /etc/krb5.keytab
AD.ENGR.UCONN.EDU
host
nfsv4etch.engr.uconn.edu

Also, could it be a problem that I am behind a NAT server?



Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Russ Allbery
Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:

> I tried that command and it seems to work:

> nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> nfsv4etch:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]

> Valid starting     Expires            Service principal
> 10/10/06 17:19:07  10/11/06 03:19:12  host/[EMAIL PROTECTED]
>         renew until 10/11/06 17:19:07


> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Hm, it's very strange that telnet wasn't able to obtain the same
credential itself when it tried.

> However even with the host credentials, I can't get in:

> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
> Trying 192.168.1.137...
> Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
> Escape character is '^]'.
> telnetd: Authorization failed.
> Connection closed by foreign host.
> nfsv4etch:~# ssh [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I think for ssh you're going to need to run the server with sshd -ddd and
see what it says about the GSSAPI exchange to try to figure out why things
are going wrong... although if the client isn't even obtaining a host
principal, I'm not sure what would be going wrong.

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Rohit Kumar Mehta
Thanks Russ, I think you might have found something.
I did the command you suggested ssh -ddd 2>/tmp/err.txt
and found an interesting message in the long file it created.

debug1: Miscellaneous failure
No principal in keytab matches desired name.

My krb5.keytab looks like this:
nfsv4etch:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    4 host/[EMAIL PROTECTED]

Does that look like it's generated properly?

Rohit





Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Russ Allbery
Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:

> Thanks Russ, I think you might have found something.
> I did the command you suggested ssh -ddd 2>/tmp/err.txt
> and found an interesting message in the long file it created.

>   debug1: Miscellaneous failure
>   No principal in keytab matches desired name.

> My krb5.keytab looks like this:
>   nfsv4etch:~# ktutil
>   ktutil:  rkt /etc/krb5.keytab
>   ktutil:  l
>   slot KVNO Principal
>    
> -
>   14 host/[EMAIL PROTECTED]

> Does that look like it's generated properly?

I've run into this problem before (not with AD, but with MIT Kerberos) and
haven't been able to figure out what was causing it.  My theory was some
sort of realm configuration mismatch, but I'm not at all sure.

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote:
> Rohit Kumar Mehta <[EMAIL PROTECTED]> writes:
>> debug1: Miscellaneous failure
>> No principal in keytab matches desired name.
>>
>> My krb5.keytab looks like this:
>> nfsv4etch:~# ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  l
>> slot KVNO Principal
>>  
>> -
>> 14 host/[EMAIL PROTECTED]
>>
>> Does that look like it's generated properly?
>
> I've run into this problem before (not with AD, but with MIT
> Kerberos) and haven't been able to figure out what was causing it.
> My theory was some sort of realm configuration mismatch, but I'm not
> at all sure.

What does hostname (or hostname -f) return on your computer?

And then do an IP lookup on that.  If it resolves to a 127.*.*.* address 
it's not likely to work.
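What sshd (and krb5-telnetd) actually do before printing that error, written out as a shell diagnostic that runs offline. This is an added example, not code from the thread: the inputs (a short `hostname -f` result, a `getent hosts` line pointing at 127.0.1.1, and a `klist -k` listing with the single entry ktpass produced) are constructed to match the symptoms reported above, and the function names are mine. The daemon asks the system for its own canonical name, builds host/<that name>@<default realm>, and looks for exactly that string in /etc/krb5.keytab; a short name, a loopback address, or a realm that does not match the keytab all end in "No principal in keytab matches desired name" even though the keytab looks fine in ktutil.

```shell
#!/bin/sh
# Added example: replay the keytab lookup behind
# "No principal in keytab matches desired name" on constructed inputs.
# Not code from the thread; swap the samples for live command output to use it.

# --- Constructed inputs (what the commands named in the comments would print) ---
REALM='AD.ENGR.UCONN.EDU'                     # default_realm in /etc/krb5.conf
NAME_SHORT='nfsv4etch'                        # hostname -f on the broken box
NAME_FQDN='nfsv4etch.engr.uconn.edu'          # hostname -f once /etc/hosts is fixed
HOSTS_BROKEN='127.0.1.1       nfsv4etch'      # getent hosts nfsv4etch (Debian default line)
HOSTS_FIXED='192.168.1.137    nfsv4etch.engr.uconn.edu nfsv4etch'   # getent hosts, fixed
# klist -k /etc/krb5.keytab: the one entry ktpass wrote (KVNO 4)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU'

# expected_principal HOSTNAME REALM
# The name the daemon searches for. No case folding happens: the host part has
# to match the keytab entry byte for byte.
expected_principal() { printf 'host/%s@%s\n' "$1" "$2"; }

# resolves_to_loopback GETENT_OUTPUT
# True if the name's first address is 127.x.x.x (the 127.0.1.1 trap).
resolves_to_loopback() {
    printf '%s\n' "$1" | awk 'NR == 1 { lb = ($1 ~ /^127\./) } END { if (lb) exit 0; exit 1 }'
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Exact match against the principal column of "klist -k" (entry lines start with a KVNO).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# diagnose HOSTNAME REALM GETENT_OUTPUT KLIST_OUTPUT
# Exit 0 = keytab matches, 1 = principal mismatch, 2 = name resolves to loopback.
diagnose() {
    want=$(expected_principal "$1" "$2")
    if resolves_to_loopback "$3"; then
        echo "LOOPBACK: $1 -> 127.x; put the real IP on the FQDN line of /etc/hosts first"
        return 2
    fi
    if keytab_has_principal "$4" "$want"; then
        echo "OK: keytab has $want"
        return 0
    fi
    echo "MISMATCH: daemon wants $want but the keytab only has:"
    printf '%s\n' "$4" | awk '$1 ~ /^[0-9]+$/ { print "    " $2 }'
    return 1
}

# The three states the thread went through: loopback, fixed hosts but short
# name, and finally the FQDN the keytab was generated for.
diagnose "$NAME_SHORT" "$REALM" "$HOSTS_BROKEN" "$KEYTAB_LISTING" || :
diagnose "$NAME_SHORT" "$REALM" "$HOSTS_FIXED"  "$KEYTAB_LISTING" || :
diagnose "$NAME_FQDN"  "$REALM" "$HOSTS_FIXED"  "$KEYTAB_LISTING" || :
```

On a real host the same check is `diagnose "$(hostname -f)" "$(awk '/default_realm/ { print $3 }' /etc/krb5.conf)" "$(getent hosts "$(hostname -f)")" "$(klist -k /etc/krb5.keytab)"`, run as root so the keytab is readable. One caveat on the keytab itself: `-crypto DES-CBC-MD5` in the ktpass line gives a single-DES key (etype 0x3, keylength 8 in ktpass's own output); MIT krb5 1.8 and later refuse such keys unless `allow_weak_crypto = true` is set in krb5.conf, so treat that key type as a stopgap rather than the target configuration.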



Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Scott Ruckh

Here are some other places where I have discussed this topic:

http://www.linuxquestions.org/questions/showthread.php?t=371848&page=2
http://www.winlinanswers.com/community/viewtopic.php?t=37
http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Note that there is a bug in Windows 2003 SP1 ktpass utility when creating
keytab files used with secure connections.  You can get a fix from MS. 
You can find the link to MS article which discusses the bug from the links
above.

Although I have a "working" solution, which can be found from the above
articles, I would like to hear what your final configuration looks like. 
There are still several things I do not like with my configuration and
would like to improve on the configuration so that it is more than just
functional.

Thanks.



Re: help with Active Directory Kerberos authentication

2006-10-11 Thread Rohit Kumar Mehta
hostname returns nfsv4etch

pinging nfsv4etch pings 192.168.1.137.  I am using VMWARE and NAT,
but am no longer using 127.0.0.1





Re: help with Active Directory Kerberos authentication

2006-10-17 Thread Rohit Kumar Mehta

Hi, thanks Scott, I had actually used one of the howtos you mentioned:

http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/

However I am not doing anything with SFU, we have an NIS server (All the 
accounts are in both NIS and AD).

I do not think we have a problem with ktpass.  (was this the hotfix you 
were referring to?  http://support.microsoft.com/kb/843071)
On a whim, I installed Fedora Core 5 on a virtual machine, and redid 
everything, using the ktpass command described in your first howto:
"ktpass -princ host/[EMAIL PROTECTED] -mapuser ENGR_STUDENT\fc5 -crypto DES-CBC-MD5 -pass mypassword -ptype KRB5_NT_PRINCIPAL -out keytab.fc5"

After installing this keytab file (and authconfig) kerberized telnet 
works!!!

After kinit'ing I can do a "telnet -k AD.ENGR.UCONN.EDU -l rohitm 
fc5.engr.uconn.edu" and it lets me log in.  I do not have to type my 
password a second time.

GSSAPI authentication still does not work with SSH, and I have no idea
why kerberized telnet does not seem to work in 
Debian(etch)/Ubuntu(dapper) and GSSAPI ssh authentication does not seem 
to work for me on any distro.



