OpenBSD and Kerberos Client
Hello all, I'm having a problem setting up kerberos on an OpenBSD system. Please advise as you can. Thanks!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
LEGEND (names changed for security)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
kdc   = linux box, kdc and kerberos admin server
krbc1 = krb5 client 1, linux, working
krbc2 = krb5 client 1, openbsd, attempting to setup
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

First, let me note that the FAQ is inadequate for kerberos - to say the least. The heimdal info page doesn't have anything useful, that I could find. As OpenBSD does things a bit differently, I hoped that those differences would be documented somewhere. Perhaps I just couldn't find it.

On krbc2 I've created the /etc/kerberosV/krb5.conf. Then on krbc1 I ran kadmin, logged in to kerberos as an admin principal, and performed the usual addprinc for the new host (addprinc -randkey host/krbc2). I then tested kinit on krbc2 and found it got a ticket without a problem.

I then tried kadmin on krbc2, which doesn't work. It doesn't even bother with trying to get to the admin server. It just gives me a prompt 'kadmin'. Perhaps that's an issue?

Because of that, I was forced to create the keytab on krbc1 and scp it over to krbc2 and place it in /etc/kerberosV/:

    kadmin: ktadd -k /etc/kadm5.keytab.krbc2 host/krbc2
    Entry for principal host/krbc2 with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/kadm5.keytab.krbc2.
    Entry for principal host/krbc2 with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/kadm5.keytab.krbc2.
    Entry for principal host/krbc2 with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/kadm5.keytab.krbc2.
    Entry for principal host/krbc2 with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/kadm5.keytab.krbc2.

I then enabled kerberos for logins on krbc2 via /etc/login.conf [auth-defaults:auth=krb5-or-pwd:].
When I try to SSH to krbc2, I get the following error message in /var/log/authlog:

    krb5-or-pwd: verify: Key table entry not found

Unfortunately, google is no help there:
http://www.google.com/search?q=krb5-or-pwd:%20verify:%20Key%20table%20entry%20not%20found

--
David Rogal
Unix Systems Admin
TelecityRedbus UK Limited
10th Floor
67 Harbour Exchange Square
London E14 9GE
United Kingdom
Tel: +44 207 005 6018
Fax: +44 207 005 6060
Email: [EMAIL PROTECTED]
www.telecityredbus.com

Europe's leading independent provider of colocation, data centre, hosting and connectivity services.
Winner Best Pan European Data Centre Operator Award 2007, Data Centres Europe Awards.

TelecityRedbus UK Limited. Registered in England 3607764
Registered Office: Masters House, 107 Hammersmith Road, London W14 0QH UK.

This e-mail is intended only for the use of the addressees named above and may be confidential. If you are not an addressee you must not use any information contained in nor copy it nor inform any person other than the addressees of its existence or contents.

please consider the environment before printing this e-mail.
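The verify step fails when the default keytab holds no entry for the principal the login code looks up (the host principal for this machine's own name, at a kvno the KDC still knows), so the first check is to read what the copied keytab actually contains. Added example, not from this thread: a Python parser for the keytab file format that MIT and Heimdal share, plus a check that mirrors that lookup. The realm EXAMPLE.COM and the key bytes are constructed sample values; the principal host/krbc2 and kvno 3 follow the ktadd output above.

```python
import struct

# Enctype numbers as registered for Kerberos 5 (RFC 3961, 3962, 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

def _counted(data, off):
    """Read a 16-bit big-endian length prefix and the bytes that follow it."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab, the format MIT and Heimdal write."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot
            off += -size
            continue
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)   # excludes the realm
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        vno = vno8
        if end - off >= 4:        # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "timestamp": timestamp, "keylen": len(key),
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
        off = end
    return entries

def build_keytab(entries):
    """Write a keytab from (principal, kvno, enctype_number, key_bytes) tuples."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1)   # component count excludes realm
        for p in parts:
            body += struct.pack(">H", len(p)) + p
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def check_host_key(data, expected_principal, expected_kvno=None):
    """Mimic the verifier's lookup: is there a key for exactly this principal?"""
    entries = parse_keytab(data)
    hits = [e for e in entries if e["principal"] == expected_principal]
    if not hits:
        have = sorted({e["principal"] for e in entries}) or ["<empty keytab>"]
        return False, "no entry for %s; keytab holds: %s" % (expected_principal, ", ".join(have))
    if expected_kvno is not None and expected_kvno not in {e["kvno"] for e in hits}:
        return False, "kvno %d not in keytab (have %s)" % (expected_kvno, sorted({e["kvno"] for e in hits}))
    return True, ", ".join(e["enctype"] for e in hits)
```

Run parse_keytab over the real /etc/kerberosV/krb5.keytab and compare the printed principal with host/<this host's fqdn>@REALM; a short-name entry such as host/krbc2 will not match a lookup for the fully qualified name.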
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
> Hello all, I'm having a problem setting up kerberos on an OpenBSD system.
> Please advise as you can.
...8...
> I then tried kadmin on krbc2, which doesn't work. It doesn't even bother
> with trying to get to the admin server. It just gives me a prompt
> 'kadmin'. Perhaps that's an issue?

That is how my heimdal kadmins work, so from that you should be able to give kadmin commands, and if they require admin principals (which most do) then it will ask for that password at that time, not before.

    prompt# kadmin -p myname/[EMAIL PROTECTED]
    kadmin> ank host/[EMAIL PROTECTED]
    asks for myname/[EMAIL PROTECTED] pw and stuff
    kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]

..is how I would add hostkeys to an OBSD host using kadmin.
Re: OpenBSD and Kerberos Client
On 05/06/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hello all, I'm having a problem setting up kerberos on an OpenBSD system.
> Please advise as you can. Thanks!

In my research about Kerberos I encountered statements that Heimdal (what is in OpenBSD) and MIT (what seems to be the most popular on !BSD) have problems with their kadmin cooperation (ie, you can't really use kadmin from Heimdal to manage a MIT server, or kadmin from MIT to manage Heimdal server).

--
viq
Re: OpenBSD and Kerberos Client
> -Original Message-
> From: Janne Johansson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 05, 2007 11:09 AM
> To: David Rogal
> Cc: misc@openbsd.org
> Subject: Re: OpenBSD and Kerberos Client
>
> [EMAIL PROTECTED] wrote:
>> Hello all, I'm having a problem setting up kerberos on an OpenBSD system.
>> Please advise as you can.
> ...8...
>> I then tried kadmin on krbc2, which doesn't work. It doesn't even bother
>> with trying to get to the admin server. It just gives me a prompt
>> 'kadmin'. Perhaps that's an issue?
>
> That is how my heimdal kadmins work, so from that you should be able to
> give kadmin commands, and if they require admin principals (which most do)
> then it will ask for that password at that time, not before.
>
>     prompt# kadmin -p myname/[EMAIL PROTECTED]
>     kadmin> ank host/[EMAIL PROTECTED]
>     asks for myname/[EMAIL PROTECTED] pw and stuff
>     kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]
>
> ..is how I would add hostkeys to an OBSD host using kadmin.

Thanks for that! I tried it, but kadmin doesn't do anything useful. It just hangs - doesn't even time out. Tcpdump and ktrace show that kadmin on the OpenBSD box has a quick chat with Kerberos on the Linux box, but kadmin doesn't like whatever it receives. I think that's because of what Viq has to say about Heimdal and MIT Kerberos being incompatible - at least in respect to kadmin.

I've also found some people complaining that keytabs created on a different server than the one in which they are meant for do not work very well. If I can't use Heimdal's kadmin to create the keytab and I can't use one created remotely, then I simply can't use Heimdal. A 'catch 22' which makes OpenBSD unusable for us in this circumstance. Perhaps this is an incentive for Heimdal developers to get kadmin to work with MIT Kerberos. That would help increase its userbase.
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
> I've also found some people complaining that keytabs created on a different
> server than the one in which they are meant for do not work very well. If I
> can't use Heimdal's kadmin to create the keytab and I can't use one created
> remotely, then I simply can't use Heimdal. A 'catch 22' which makes OpenBSD
> unusable for us in this circumstance. Perhaps this is an incentive for
> Heimdal developers to get kadmin to work with MIT Kerberos. That would help
> increase its userbase.

perhaps a better place for a thread like this is on heimdal-discuss? love and company would be able to answer your questions more thoroughly.

cheers,
jake
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
>> -Original Message-
>> From: Janne Johansson [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, June 05, 2007 11:09 AM
>> To: David Rogal
>> Cc: misc@openbsd.org
>> Subject: Re: OpenBSD and Kerberos Client
>>
>> [EMAIL PROTECTED] wrote:
>>> Hello all, I'm having a problem setting up kerberos on an OpenBSD system.
>>> Please advise as you can.
>> ...8...
>>> I then tried kadmin on krbc2, which doesn't work. It doesn't even bother
>>> with trying to get to the admin server. It just gives me a prompt
>>> 'kadmin'. Perhaps that's an issue?
>>
>> That is how my heimdal kadmins work, so from that you should be able to
>> give kadmin commands, and if they require admin principals (which most do)
>> then it will ask for that password at that time, not before.
>>
>>     prompt# kadmin -p myname/[EMAIL PROTECTED]
>>     kadmin> ank host/[EMAIL PROTECTED]
>>     asks for myname/[EMAIL PROTECTED] pw and stuff
>>     kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]
>>
>> ..is how I would add hostkeys to an OBSD host using kadmin.
>
> Thanks for that! I tried it, but kadmin doesn't do anything useful. It just
> hangs - doesn't even time out. Tcpdump and ktrace show that kadmin on the
> OpenBSD box has a quick chat with Kerberos on the Linux box, but kadmin
> doesn't like whatever it receives. I think that's because of what Viq has
> to say about Heimdal and MIT Kerberos being incompatible - at least in
> respect to kadmin.
>
> I've also found some people complaining that keytabs created on a different
> server than the one in which they are meant for do not work very well. If I
> can't use Heimdal's kadmin to create the keytab and I can't use one created
> remotely, then I simply can't use Heimdal. A 'catch 22' which makes OpenBSD
> unusable for us in this circumstance. Perhaps this is an incentive for
> Heimdal developers to get kadmin to work with MIT Kerberos. That would help
> increase its userbase.

I don't think the last part necessarily is connected to the first. Just because the administrative programs/interfaces might not be interoperable, I still think you should be able to acquire host-keys with either software. Might I suggest you try this from the OBSD box:

    /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
        -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]
Re: OpenBSD and Kerberos Client
> -Original Message-
> From: Janne Johansson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 05, 2007 12:53 PM
> To: David Rogal
> Cc: misc@openbsd.org
> Subject: Re: OpenBSD and Kerberos Client
>
> Might I suggest you try this from the OBSD box:
>
>     /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
>         -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]

Same problem, it just hangs. Please note that kinit / klist work just fine. Kadmin and ktutil both hang. Looks like administrative functions are the problem. Perhaps I've got something misconfigured?
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
>> Might I suggest you try this from the OBSD box:
>>
>>     /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
>>         -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]
>
> Same problem, it just hangs. Please note that kinit / klist work just fine.
> Kadmin and ktutil both hang. Looks like administrative functions are the
> problem. Perhaps I've got something misconfigured?

Perhaps, but I think you will have to take it on the heimdal lists, I'm fairly sure it does interoperate with various kinds of krb5 implementations, not just the MIT one. We make the AD hang off our heimdal servers here, so if heimdal can talk to Bill-kerberos, it should manage MIT too. ;)
Re: OpenBSD and Kerberos Client
Signal to Noise ratio high in your last post. You think you trim some of the fat from your e-mails in your future posts?

In your last e-mail you had a 4 line reply and 30 lines telling me how to locate you, get in touch with you via snail mail, tele, FAX and e-mail. Also, it was apparent the list subscribers needed to know all about the great services your employer provides AND THEN you have the audacity to tell all of us it's confidential and should consider the environment before printing this e-mail!

g.day
Re: OpenBSD and Kerberos Client
> -Original Message-
> From: Janne Johansson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 05, 2007 1:56 PM
> To: David Rogal
> Cc: misc@openbsd.org
> Subject: Re: OpenBSD and Kerberos Client
>
> [EMAIL PROTECTED] wrote:
>>> Might I suggest you try this from the OBSD box:
>>>
>>>     /usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
>>>         -p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]
>>
>> Same problem, it just hangs. Please note that kinit / klist work just
>> fine. Kadmin and ktutil both hang. Looks like administrative functions
>> are the problem. Perhaps I've got something misconfigured?
>
> Perhaps, but I think you will have to take it on the heimdal lists, I'm
> fairly sure it does interoprate with various kinds of krb5
> implementations, not just the MIT one. We make the AD hang of our heimdal
> servers here, so if heimdal can talk to Bill-kerberos, it should manage
> MIT too. ;)

Any chance you could help write up some documentation? Kerberos on OpenBSD doesn't really have any good docs that I could find. Maybe I could then retry this effort in the future. For expediency though, I will have to reinstall with RedHat as it only takes 5 minutes to get it working as a kerberos client.

Thanks for your help, and to everyone else.
Re: OpenBSD and Kerberos Client
On Tuesday 05 June 2007 14:59:07 [EMAIL PROTECTED] wrote:
> Any chance you could help write up some documentation? Kerberos on OpenBSD
> doesn't really have any good docs that I could find. Maybe I could then
> retry this effort in the future. For expediency though, I will have to
> reinstall with RedHat as it only takes 5 minutes to get it working as a
> kerberos client.

NetBSD has somewhat more info about heimdal:
http://www.netbsd.org/Documentation/network/#kerberos

> Unix Systems Admin
...

--
Antoine
Re: OpenBSD and Kerberos Client
On Tue, Jun 05, 2007 at 01:59:07PM +0100, [EMAIL PROTECTED] wrote:
> Any chance you could help write up some documentation? Kerberos on OpenBSD
> doesn't really have any good docs that I could find. Maybe I could then
> retry this effort in the future. For expediency though, I will have to
> reinstall with RedHat as it only takes 5 minutes to get it working as a
> kerberos client.

I set up a Heimdal kdc and several OpenBSD clients with krb5 auth in about ten minutes based on the info page. What, exactly, is lacking in the documentation? I'm no fan of info pages, but Heimdal's covered all the topics I needed to get set.

--
o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
>> Perhaps, but I think you will have to take it on the heimdal lists, I'm
>> fairly sure it does interoprate with various kinds of krb5
>> implementations, not just the MIT one. We make the AD hang of our heimdal
>> servers here, so if heimdal can talk to Bill-kerberos, it should manage
>> MIT too. ;)
>
> Any chance you could help write up some documentation? Kerberos on OpenBSD
> doesn't really have any good docs that I could find. Maybe I could then
> retry this effort in the future. For expediency though, I will have to
> reinstall with RedHat as it only takes 5 minutes to get it working as a
> kerberos client.

info heimdal

> Thanks for your help, and to everyone else.
>
> please consider the environment before printing this e-mail.

please consider the internet infrastructure when having an uberlong sig. i just heard a BGP router scream!
Re: OpenBSD and Kerberos Client
On Tuesday 05 June 2007 07:59, [EMAIL PROTECTED] wrote:
> Any chance you could help write up some documentation? Kerberos on OpenBSD
> doesn't really have any good docs that I could find. Maybe I could then
> retry this effort in the future. For expediency though, I will have to
> reinstall with RedHat as it only takes 5 minutes to get it working as a
> kerberos client.
>
> Thanks for your help, and to everyone else.

Did you check out 'info heimdal' ? I found that quite helpful.

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
Re: OpenBSD and Kerberos Client
On 05/06/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I've also found some people complaining that keytabs created on a different
> server than the one in which they are meant for do not work very well.

In my small amount of testing/playing with it I had a keytab generated on FreeBSD server (Heimdal 0.7.2) moved to Fedora 6 client (MIT whatever) and it seemed to work just fine. Mind you, that's just 15 minutes worth of testing, YMMV and so on.

--
viq
Re: OpenBSD and Kerberos Client
This must be another troll wandering in the Docklands area.

> Signal to Noise ratio high in your last post. You think you trim some of
> the fat from your e-mails in your future posts?
>
> In your last e-mail you had a 4 line replay and 30 lines telling me how to
> locate you, get in touch with you via snail mail, tele, FAX and e-mail.
> Also, it was apparent the list subscribers needed to know all about the
> great services your employer provides AND THEN you have the audacity to
> tell all of us it's confidential and should consider the environment
> before printing this e-mail.!
>
> g.day
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
> please consider the environment before printing this e-mail.

aha, that's why we can only get an 8A feed at Harbour Exchange, the power is used up for .sig transmission (-:
Re: OpenBSD and Kerberos Client
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Diana Eichert
> Sent: Tuesday, June 05, 2007 1:55 PM
> To: misc@openbsd.org
> Subject: Re: OpenBSD and Kerberos Client
>
> Signal to Noise ratio high in your last post. You think you trim some of
> the fat from your e-mails in your future posts?
>
> In your last e-mail you had a 4 line replay and 30 lines telling me how to
> locate you, get in touch with you via snail mail, tele, FAX and e-mail.
> Also, it was apparent the list subscribers needed to know all about the
> great services your employer provides AND THEN you have the audacity to
> tell all of us it's confidential and should consider the environment
> before printing this e-mail.!
>
> g.day

I don't have the audacity to do anything. The email signature is defined through company policy and tacked on by the M$ Exchange Server on the way out. I have no say and only see it when I get replies to my email.

But, I'm glad that you appreciate what the lawyers and IS have come up with. I hope that you're this nice to those less able than yourself who aren't moving fast enough along the sidewalk.

My apologies to everyone for my signature and this exchange. I'm sure Diana's contributions to this list are normally more productive and beneficial. I certainly hope that mine are - aside from this one. ;)
Re: OpenBSD and Kerberos Client
On Tue, Jun 05, 2007 at 03:16:06PM +0100, [EMAIL PROTECTED] wrote:
> I don't have the audacity to do anything. The email signature is defined
> through company policy and tacked on by the M$ Exchange Server on the way
> out. I have no say and only see it when I get replies to my email.

Have you considered getting a free mail account somewhere else and using that for your non-work correspondence?

--
o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
Re: OpenBSD and Kerberos Client
Maybe he is trying to impress anyone, especially UK-based openbsd misc subscribers, in a meditative way possible that he works for a company in the Docklands? Saying that configuring this is better and easier than Redhat Linux has no place in the OpenBSD mailing lists.

> On Tue, Jun 05, 2007 at 03:16:06PM +0100, [EMAIL PROTECTED] wrote:
>> I don't have the audacity to do anything. The email signature is defined
>> through company policy and tacked on by the M$ Exchange Server on the way
>> out. I have no say and only see it when I get replies to my email.
>
> Have you considered getting a free mail account somewhere else and using
> that for your non-work correspondence?
>
> --
> o--{ Will Maier }--o
> | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
> *--[ BSD Unix: Live Free or Die ]--*
Re: OpenBSD and Kerberos Client
On Tue, 5 Jun 2007, [EMAIL PROTECTED] wrote:
> I don't have the audacity to do anything. The email signature is defined
> through company policy and tacked on by the M$ Exchange Server on the way
> out. I have no say and only see it when I get replies to my email.
>
> But, I'm glad that you appreciate what the lawyers and IS have come up
> with. I hope that you're this nice to those less able than yourself who
> aren't not moving fast enough along the sidewalk.
>
> My apologies to everyone for my signature and this exchange. I'm sure
> Diana's contributions to this list are normally more productive and
> beneficial. I certainly hope that mine are - aside from this one. ;)

Listen up, I was being nice, albeit a bit sarcastic, but that's the way I am.

Another poster had a suggestion you might take to heart, get a free e-mail account somewhere which you can control. It's actually a great suggestion, the majority of the e-mail lists I subscribe to are from one of my personal accounts. That way I can say / write things that do not represent my employer. Me, I registered wrench.com years ago, it's my home on the internet, it has stood me through self-employment and three employers.

FWIW, this and my prior post were as productive as anything I've ever posted here.

g.day
Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
> I don't have the audacity to do anything. The email signature is defined
> through company policy and tacked on by the M$ Exchange Server on the way
> out. I have no say and only see it when I get replies to my email.

If your company insists on such stupid policies you should just get/use a free email account that you can control.

> But, I'm glad that you appreciate what the lawyers and IS have come up
> with.

Perhaps if they had actually used their brains they wouldn't have implemented it in the first place.

Lars Hansson
Re: OpenBSD and Kerberos Client
Diana Eichert [EMAIL PROTECTED] writes:
> Another poster had a suggestion you might take to heart, get a free e-mail
> account somewhere which you can control. It's actually a great suggestion,

I second that. Not only do you then get to speak as *yourself*, if you set things up right you also get a great play^H^H^H^Htesting environment to learn and prepare for whatever it is you want to do.

Cheers,

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.