I am trying to set up a test kdc server and workstation. After I did the setup I can log in as user5 using the kerberos password. But there still seems to be a problem.
When I telnet from station5 (kerberos server) to station6 (workstation) I get the following error [krb5-telnet is on]

-------------------------------
Waiting for encryption to be negotiated...
Negotiation of authentication, which is required for encryption, has failed.
Good-bye.
---------------------------------------

When I log in to either station5 or station6 using the user5 kerberos password (login or ssh), everything seems to be working. But when I ssh from station6 to station5 it requests another login. I thought kerberos would only require me to log in to station6 and then I could ssh directly to station5 without re-entering the password.

Following are my krb5kdc.log messages as mapped by step. Following this are my /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf files and my results from getprincs. What I am trying to determine is what are these log messages telling me and do they give an indication of what may be or is my problem.

####### telnet from station5 to station6
####### telnet -Fxl user5 station6.example.com

Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, us...@station5.example.com for host/station6.example....@station5.example.com
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, us...@station5.example.com for host/station6.example....@station5.example.com
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com
Jan 19 22:01:51 station5 krb5kdc[1876](info): TGS_REQ (1 etypes {1}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=1}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com

###### Following are the messages in krb5kdc.log after ssh login
###### from a computer outside realm to
###### us...@station6.example.com

Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: us...@station5.example.com for krbtgt/station5.example....@station5.example.com, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: NEEDED_PREAUTH: us...@station5.example.com for krbtgt/station5.example....@station5.example.com, Additional pre-authentication required
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com
Jan 19 21:56:22 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com
Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for host/station6.example....@station5.example.com
Jan 19 21:56:22 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: ISSUE: authtime 1232423782, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for host/station6.example....@station5.example.com

##### this is after starting the ssh login from station6 to station5
##### ssh station5.example.com -l user5
##### password has not been entered

Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database
Jan 19 21:59:05 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.6: UNKNOWN_SERVER: authtime 1232423782, us...@station5.example.com for host/stati...@station5.example.com, Server not found in Kerberos database

##### after password entry when ssh from station6 to station5

Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: us...@station5.example.com for krbtgt/station5.example....@station5.example.com, Additional pre-authentication required
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: NEEDED_PREAUTH: us...@station5.example.com for krbtgt/station5.example....@station5.example.com, Additional pre-authentication required
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com
Jan 19 21:59:37 station5 krb5kdc[1876](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for krbtgt/station5.example....@station5.example.com
Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for host/station5.example....@station5.example.com
Jan 19 21:59:37 station5 krb5kdc[1876](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.5: ISSUE: authtime 1232423977, etypes {rep=16 tkt=16 ses=16}, us...@station5.example.com for host/station5.example....@station5.example.com

##### results of getprincs

K/m...@station5.example.com
host/station5.example....@station5.example.com
host/station6.example....@station5.example.com
kadmin/ad...@station5.example.com
kadmin/chang...@station5.example.com
kadmin/hist...@station5.example.com
kadmin/stati...@station5.example.com
krbtgt/station5.example....@station5.example.com
root/ad...@station5.example.com
us...@station5.example.com

##### following is my /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STATION5.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 STATION5.EXAMPLE.COM = {
  kdc = 192.168.1.5:88
  admin_server = 192.168.1.5:749
 }

[domain_realm]
 station5.example.com = STATION5.EXAMPLE.COM
 station6.example.com = STATION5.EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  validate = true
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

##### Following are the results of getprincs

Authenticating as principal root/ad...@station5.example.com with password.
kadmin.local: getprincs
K/m...@station5.example.com
host/station5.example....@station5.example.com
host/station6.example....@station5.example.com
kadmin/ad...@station5.example.com
kadmin/chang...@station5.example.com
kadmin/hist...@station5.example.com
kadmin/stati...@station5.example.com
krbtgt/station5.example....@station5.example.com
root/ad...@station5.example.com
us...@station5.example.com

############ Following is my /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
 STATION5.EXAMPLE.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  # supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
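An added example, not part of the original post: a small Python parser for krb5kdc.log request lines of the kind shown above, which tallies requests by status and, for each UNKNOWN_SERVER refusal, compares the requested service principal with a principal list such as getprincs prints. The host name kdc1, the EXAMPLE.TEST realm, the principals and the function names are constructed for illustration.

```python
import re
from collections import Counter
from difflib import get_close_matches

# Layout of an MIT krb5 KDC request line:
# REQ (N etypes {...}) ADDR: STATUS: [authtime N, ][etypes {...}, ]CLIENT for SERVER[, error text]
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<error>.*))?$"
)

def parse(log_text):
    """Return one dict per recognised AS_REQ/TGS_REQ line."""
    matches = (LINE_RE.search(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def status_counts(events):
    """Count events per (request type, status) pair."""
    return Counter((e["req"], e["status"]) for e in events)

def unknown_servers(events, known_principals):
    """Per principal refused as UNKNOWN_SERVER: hit count and nearest existing principal."""
    counts = Counter(e["server"] for e in events if e["status"] == "UNKNOWN_SERVER")
    report = {}
    for server, hits in counts.items():
        near = get_close_matches(server, known_principals, n=1)
        report[server] = {"count": hits, "closest_known": near[0] if near else None}
    return report

# Constructed sample data (not taken from the post).
PREFIX = "Jan 19 21:59:05 kdc1 krb5kdc[1876](info): "
ETYPES = "(7 etypes {18 17 16 23 1 3 2}) 192.0.2.6: "
TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
UNKNOWN = ("UNKNOWN_SERVER: authtime 1232423782, alice@EXAMPLE.TEST for "
           "host/app1@EXAMPLE.TEST, Server not found in Kerberos database")
SAMPLE_LOG = "\n".join([
    PREFIX + "AS_REQ " + ETYPES + "NEEDED_PREAUTH: alice@EXAMPLE.TEST for " + TGT
    + ", Additional pre-authentication required",
    PREFIX + "AS_REQ " + ETYPES + "ISSUE: authtime 1232423782, "
    "etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.TEST for " + TGT,
    PREFIX + "TGS_REQ " + ETYPES + UNKNOWN,
    PREFIX + "TGS_REQ " + ETYPES + UNKNOWN,
])
KNOWN = [TGT, "host/app1.example.test@EXAMPLE.TEST",
         "host/app2.example.test@EXAMPLE.TEST", "alice@EXAMPLE.TEST"]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(dict(status_counts(events)))
    print(unknown_servers(events, KNOWN))
```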