Re: LDAP & Kerberos authentication
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
> On 19.05.2010 20:52, Claer wrote:
> > However, on the kerberos server side, no request has been made to the
> > "claer" account :
> > May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5
> > 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for
> > krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos
> > database
> >
> > Thanks for helping me so far!
> >
> > Claer
>
> Hi Claer,
> I'm not sure if this may help, but I asked myself if the client/user
> you are connecting from is using kerberos.

There shouldn't be any difference. In this case, Kerberos is used to verify the authentication of the user from the ssh server's point of view, not to verify whether the user already has a krb ticket and log him in automatically.

However I did the test and it didn't change anything (as expected :) )

Claer
Re: LDAP & Kerberos authentication
On 19.05.2010 20:52, Claer wrote:
> However, on the kerberos server side, no request has been made to the
> "claer" account :
> May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
>
> Thanks for helping me so far!
>
> Claer

Hi Claer,
I'm not sure if this may help, but I asked myself if the client/user you are connecting from is using kerberos.

HTH.

enni | telsh
--
"It is pointless to say: we are doing our best. You must succeed in doing what is necessary." -- Winston Churchill
Re: LDAP & Kerberos authentication
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> >
> > Now the next step is to try an authentication with ssh. That's why
> > /etc/login.conf has been modified regarding the auth entry :
> >
> > auth-defaults:auth=krb5-or-pwd,passwd:
> >
> > But, when I try to ssh in with -l claer, sshd doesn't seem to find
> > the "claer" passwd entry and I have this line on the kerberos server :
> >
> > May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5
> > 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for
> > krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos
> > database
> >
> > Any hint ?
>
> Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the "claer" local account is enabled, it's working fine with Kerberos auth. I can confirm this by watching log files, and I even tried to alter the hashed passwd with vipw to be sure I was not using the local password.

ypldap + ypbind are working fine :

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh

# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port to check.

Here are the interesting debug logs :

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog :

May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos database

However, on the kerberos server side, no request has been made to the "claer" account :

May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!

Claer
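A small triage script, added here as an example and not part of the thread or of any OpenBSD tool, that runs over the sshd debug transcript and the krb5kdc line quoted in the message above (embedded as constructed sample input, with the archive's elided principal "nou...@" kept as-is) and separates the two failure points the thread mixes together: sshd flagging the account as invalid before any authentication method has run (the `unable to get login class` / `Failed none for invalid user` pair) versus the KDC rejecting a principal it was actually asked about. The regular expressions and the verdict labels are my own assumptions about the log formats, not anything documented by sshd or the KDC.

```python
import re
from collections import Counter

# Constructed sample input: the sshd debug transcript and the krb5kdc line quoted
# in the thread above (the archive's elided principal "nou...@" is kept as-is).
SSHD_DEBUG = """\
debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
debug1: userauth-request for user claer service ssh-connection method password
debug1: Kerberos password authentication failed: Client not found in Kerberos database
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2
"""

KDC_LOG = """\
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
"""

# Assumed shape of a krb5kdc error line; it matches the CLIENT_NOT_FOUND form quoted above.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>\w+) \(.*?\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>[^,]+), (?P<msg>.*)$"
)


def parse_kdc(text):
    """One dict per KDC error line: request type, client IP, status, principals, message."""
    return [m.groupdict() for m in map(KDC_RE.search, text.splitlines()) if m]


def parse_sshd(text):
    """Summarise an sshd debug transcript for a single login attempt."""
    s = {
        "user": None,
        "methods": [],                   # auth methods offered by the client, in order
        "login_class_failed": False,     # sshd could not resolve the account's login class
        "invalid_user_at_method": None,  # first method at which sshd logged "invalid user"
        "krb5_error": None,              # error text from the Kerberos password check
        "client_ip": None,
    }
    for line in text.splitlines():
        m = re.search(r"userauth-request for user (\S+) service \S+ method (\S+)", line)
        if m:
            s["user"] = m.group(1)
            s["methods"].append(m.group(2))
            continue
        if "unable to get login class" in line:
            s["login_class_failed"] = True
            continue
        m = re.search(r"invalid user (\S+) from ([\d.]+) port \d+", line)
        if m:
            s["client_ip"] = m.group(2)
            if s["invalid_user_at_method"] is None and s["methods"]:
                s["invalid_user_at_method"] = s["methods"][-1]
            continue
        m = re.search(r"Kerberos password authentication failed: (.*)$", line)
        if m:
            s["krb5_error"] = m.group(1)
    return s


def triage(sshd_text, kdc_text):
    """Decide which side to look at first: the ssh server's account lookup or the KDC."""
    s = parse_sshd(sshd_text)
    kdc = parse_kdc(kdc_text)
    # AS_REQs whose client principal name (the part before '@') is exactly this user.
    for_user = [e for e in kdc if e["client"].split("@", 1)[0] == s["user"]]
    if s["invalid_user_at_method"] == "none" or s["login_class_failed"]:
        # Rejected before any credential was examined: a passwd/login-class problem
        # on the ssh server, not a Kerberos one.
        verdict = "local-account-lookup"
    elif for_user:
        verdict = "kdc-rejected"          # the KDC saw this user and answered with an error
    elif s["krb5_error"]:
        verdict = "kerberos-client-side"  # sshd got a Kerberos error, but no AS_REQ for this user reached the KDC
    else:
        verdict = "unknown"
    return {
        "user": s["user"],
        "verdict": verdict,
        "kdc_requests_for_user": len(for_user),
        "kdc_statuses": Counter(e["status"] for e in kdc),
        "summary": s,
    }


if __name__ == "__main__":
    result = triage(SSHD_DEBUG, KDC_LOG)
    print(f"user={result['user']} verdict={result['verdict']} "
          f"AS_REQs for user={result['kdc_requests_for_user']} "
          f"KDC statuses={dict(result['kdc_statuses'])}")
```

Run as `python3 triage.py`. On the quoted transcript the verdict is `local-account-lookup` with zero AS_REQs for `claer`: sshd declares the user invalid during the `none` method, before Kerberos is consulted at all, so the ssh server's own passwd and login-class lookup for the NIS-provided account is the first thing to verify, and the `CLIENT_NOT_FOUND` line on the KDC tells you nothing about that account until a request carrying its principal actually appears there.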
Re: LDAP & Kerberos authentication
On Wed, 19 May 2010, Claer wrote:
> _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> claer:*:1000:1000:Claer:/home/claer:/bin/ksh
>
> Now the next step is to try an authentication with ssh. That's why
> /etc/login.conf has been modified regarding the auth entry :
>
> auth-defaults:auth=krb5-or-pwd,passwd:
>
> But, when I try to ssh in with -l claer, sshd doesn't seem to find
> the "claer" passwd entry and I have this line on the kerberos server :
>
> May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23
> 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for
> krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos
> database
>
> Any hint ?

Did you add your host principal to /etc/kerberosV/krb5.keytab?

--
Antoine
Re: LDAP & Kerberos authentication
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to
> > disable this behavior?
>
> Yes.
>
> [appdefaults]
>         kinit = {
>                 afslog = no
>         }

Continuing to play with Kerberos, I'm adding ypldap into play. This time, I'd like to use ldap to add entries to getent passwd and Kerberos for authentication (I'd like to avoid the login_ldap step if possible).

As my kerberos setup is now ok, I declared the LDAP server in /etc/ypldap.conf, started portmap, ypldap and ypbind, and added the "+:" entries to passwd and group. Now I have a working ypbind system. To confirm this, I renamed my local account to _claer using vipw and verified the output of getent passwd :

# getent passwd | grep claer
_claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh

Now the next step is to try an authentication with ssh. That's why /etc/login.conf has been modified regarding the auth entry :

auth-defaults:auth=krb5-or-pwd,passwd:

But, when I try to ssh in with -l claer, sshd doesn't seem to find the "claer" passwd entry and I have this line on the kerberos server :

May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Any hint ?

Regards,
Claer
Re: LDAP & Kerberos authentication
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to
> > disable this behavior?
>
> Yes.
>
> [appdefaults]
>         kinit = {
>                 afslog = no
>         }

Perfect :) Now I can move forward and play with ypldap.

Thanks.

Claer
Re: LDAP & Kerberos authentication
On Wed, 19 May 2010, Claer wrote:
> It seems that the client is trying to get a ticket for the afs client.
> AFS is not enabled on my BSD box and I don't need it. The only reference
> I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to
> disable this behavior?

Yes.

[appdefaults]
        kinit = {
                afslog = no
        }

--
Antoine