Re: LDAP & Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 14:21, Enrico Scichilone wrote:
> Am 19.05.2010 20:52, schrieb Claer:
> >However, on the kerberos server side, no request has been made for the
> >"claer" account:
> >May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
> >
> >Thanks for helping me so far!
> >
> >Claer
> >
> 
> Hi Claer,
> I'm not sure if this may help, but I asked myself if the client/user
> you are connecting from is using kerberos.

There shouldn't be any difference. In this case, Kerberos is used to
verify the authentication of the user from the ssh server's point of view,
not to verify whether the user already has a krb ticket and log him in
automatically.

However, I did the test and it didn't change anything (as expected :) )


Claer



Re: LDAP & Kerberos authentication

2010-05-19 Thread Enrico Scichilone

Am 19.05.2010 20:52, schrieb Claer:

However, on the kerberos server side, no request has been made for the
"claer" account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!

Claer



Hi Claer,
I'm not sure if this may help, but I asked myself if the client/user you 
are connecting from is using kerberos.


HTH.
enni | telsh

--
"It is useless to say: We are doing our best.
You must succeed in doing what is necessary."
 -- Winston Churchill



Re: LDAP & Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 01:18, Antoine Jacoutot wrote:

> On Wed, 19 May 2010, Claer wrote:
> > _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> > claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> > 
> > Now the next step is to try an authentication with ssh. That's why
> > /etc/login.conf has been modified regarding the auth entry:
> > 
> > auth-defaults:auth=krb5-or-pwd,passwd:
> > 
> > But, when I try to ssh in with -l claer, sshd doesn't seem to find
> > the "claer" passwd entry and I have this line on the kerberos server:
> > 
> > May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
> > 
> > Any hint?
> 
> Did you add your host principal to /etc/kerberosV/krb5.keytab?

Yep. If the "claer" local account is enabled, it's working fine with
Kerberos auth. I can confirm this by watching log files and I even tried
to alter the hashed passwd with vipw to be sure I was not using the 
local password.

ypldap + ypbind are working fine:

# tail -n 2 /etc/passwd
_claer:*:1000:1000:Claer:/home/claer:/bin/ksh
+:*:0:0:::/bin/ksh
# getent passwd | tail -n 4
_claer:$2a$06$SgIzOv47AbodJPX7jzgAoOioV322Dk5Cha9VCyqgU/b6/YUDU4TM6:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh
megami:*:1001:1001:Megami:/home/megami:/bin/ksh
nobody:*:65534:65534:nobody:/nonexistent:/bin/ksh

I started a test ssh server on port  to check. Here are the
interesting debug logs:

debug1: userauth-request for user claer service ssh-connection method none
debug1: attempt 0 failures 0
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: userauth-request for user claer service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth-request for user claer service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=claer devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user claer service ssh-connection method password
debug1: attempt 3 failures 2
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 4294967295/4294967295 (e=0/0)
debug1: restore_uid: 0/0
debug1: Kerberos password authentication failed: Client not found in Kerberos database
debug1: krb5_cleanup_proc called
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2

The log extract from authlog:
May 19 20:44:24 socrate krb5-or-pwd: verify: Client not found in Kerberos database

However, on the kerberos server side, no request has been made for the
"claer" account:
May 19 20:44:56 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Thanks for helping me so far!



Claer
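An added diagnostic example, not code from the thread or from any of its posters: it parses the two logs quoted in the message above (the `sshd -d` output and the krb5kdc line) and reports, for each user sshd declared invalid, whether the KDC ever saw an AS_REQ for a principal with that name. The sample lines are constructed; the client principal, realm and host names are placeholders.

```python
import re

# Constructed sample input modelled on the thread: a few lines of `sshd -d`
# output and one krb5kdc line. Principal name and realm are placeholders.
SSHD_DEBUG = """\
debug1: unable to get login class: claer
input_userauth_request: invalid user claer
Failed none for invalid user claer from 172.16.1.100 port 52325 ssh2
debug1: Kerberos password authentication failed: Client not found in Kerberos database
Failed password for invalid user claer from 172.16.1.100 port 52325 ssh2
"""
KDC_LOG = ("May 19 20:44:56 kdc krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) "
           "172.16.1.1: CLIENT_NOT_FOUND: placeholder@EXAMPLE.REALM for "
           "krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Client not found in Kerberos database\n")

# sshd marks a user invalid when the passwd or login class lookup fails, before any method runs
INVALID_USER_RE = re.compile(r"^Failed \S+ for invalid user (\S+) from ")
LOGIN_CLASS_RE = re.compile(r"unable to get login class: (\S+)")
# krb5kdc AS_REQ line: "<ip>: <STATUS>: <client principal> for <service principal>,"
KDC_AS_REQ_RE = re.compile(r"AS_REQ .*?(\d+\.\d+\.\d+\.\d+): (\w+): (\S+) for (\S+),")


def sshd_invalid_users(text):
    """Users sshd rejected locally (no passwd entry / no login class)."""
    users = set()
    for line in text.splitlines():
        m = INVALID_USER_RE.match(line) or LOGIN_CLASS_RE.search(line)
        if m:
            users.add(m.group(1))
    return users


def kdc_as_requests(text):
    """List of (client_ip, status, client_principal, service_principal) per AS_REQ line."""
    return [m.groups() for m in map(KDC_AS_REQ_RE.search, text.splitlines()) if m]


def diagnose(sshd_text, kdc_text):
    """Per locally rejected user: did the KDC see an AS_REQ for that name? If it only
    saw a different principal, the failure is in passwd/login.conf resolution on the
    ssh host, not in the Kerberos database."""
    reqs = kdc_as_requests(kdc_text)
    report = {}
    for user in sorted(sshd_invalid_users(sshd_text)):
        matching = [r for r in reqs if r[2].split("@", 1)[0] == user]
        others = sorted({r[2] for r in reqs if r[2].split("@", 1)[0] != user})
        if matching:
            verdict = "kdc-rejected"      # KDC got the request; principal really is missing
        elif others:
            verdict = "local-lookup"      # KDC only saw some other principal name
        else:
            verdict = "no-kdc-traffic"
        report[user] = {"verdict": verdict, "other_principals": others}
    return report
```

Run `diagnose(SSHD_DEBUG, KDC_LOG)` on the sample to get the verdict for `claer`; on the thread's real logs the same check separates a KDC-side "no such principal" from the ssh host never resolving the YP-supplied passwd entry.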



Re: LDAP & Kerberos authentication

2010-05-19 Thread Antoine Jacoutot
On Wed, 19 May 2010, Claer wrote:
> _claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
> claer:*:1000:1000:Claer:/home/claer:/bin/ksh
> 
> Now the next step is to try an authentication with ssh. That's why
> /etc/login.conf has been modified regarding the auth entry:
> 
> auth-defaults:auth=krb5-or-pwd,passwd:
> 
> But, when I try to ssh in with -l claer, sshd doesn't seem to find
> the "claer" passwd entry and I have this line on the kerberos server:
> 
> May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database
> 
> Any hint?

Did you add your host principal to /etc/kerberosV/krb5.keytab?

-- 
Antoine



Re: LDAP & Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
> > disable this behavior?
> 
> Yes.
> 
> [appdefaults]
>   kinit = {
>   afslog = no
>   }

Continuing to play with Kerberos, I'm adding ypldap into play.

This time, I'd like to use ldap to add entries to getent passwd
and Kerberos for authentication (I'd like to avoid the login_ldap
step if possible). As my kerberos setup is now ok, I declared the LDAP
server in /etc/ypldap.conf, started portmap, ypldap and ypbind, and added
the "+:" entries to passwd and group.

Now I have a working ypbind system. To confirm this, I renamed my
local account to _claer using vipw and verified the output of
getent passwd:

# getent passwd | grep claer
_claer:$2a$06$SgI[...]:1000:1000:Claer:/home/claer:/bin/ksh
claer:*:1000:1000:Claer:/home/claer:/bin/ksh

Now the next step is to try an authentication with ssh. That's why
/etc/login.conf has been modified regarding the auth entry:

auth-defaults:auth=krb5-or-pwd,passwd:

But, when I try to ssh in with -l claer, sshd doesn't seem to find
the "claer" passwd entry and I have this line on the kerberos server:

May 19 17:18:46 diogene krb5kdc[18818](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: CLIENT_NOT_FOUND: nou...@claer.hammock.fr for krbtgt/claer.hammock...@claer.hammock.fr, Client not found in Kerberos database

Any hint?


Regards, 

Claer



Re: LDAP & Kerberos authentication

2010-05-19 Thread Claer
On Wed, May 19 2010 at 17:11, Antoine Jacoutot wrote:
> On Wed, 19 May 2010, Claer wrote:
> > It seems that the client is trying to get a ticket for the afs client.
> > AFS is not enabled on my BSD box and I don't need it. The only reference
> > I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
> > disable this behavior?
> 
> Yes.
> 
> [appdefaults]
>   kinit = {
>   afslog = no
>   }

Perfect :)

Now I can move forward and play with ypldap. Thanks.


Claer



Re: LDAP & Kerberos authentication

2010-05-19 Thread Antoine Jacoutot
On Wed, 19 May 2010, Claer wrote:
> It seems that the client is trying to get a ticket for the afs client.
> AFS is not enabled on my BSD box and I don't need it. The only reference
> I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to 
> disable this behavior?

Yes.

[appdefaults]
	kinit = {
		afslog = no
	}


-- 
Antoine