Hi list members! I'm trying to configure a kerberos server, I read the documentation and followed the instructions, but something is wrong I think. I have two debian sarge linux nodes on the intranet (10.0.0.0/24) with hostnames ha1.aitia and ha2.aitia. The kdc and the krb-admin server is ha1.aitia.
The krb5.conf looks like:

    [libdefaults]
        default_realm = INTRA.NET
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

    [realms]
        INTRA.NET = {
            kdc = ha1.aitia
            admin_server = ha1.aitia
        }

    [domain_realm]
        .aitia = INTRA.NET
        aitia = INTRA.NET

    [logging]
        kdc = SYSLOG:INFO:DAEMON
        admin_server = FILE:/var/log/kadmin.log

The kdc.conf looks like:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        INTRA.NET = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
            default_principal_flags = +preauth
        }

I have made some principals:

    kadmin: listprincs
    [EMAIL PROTECTED]
    host/[EMAIL PROTECTED]
    host/[EMAIL PROTECTED]
    [EMAIL PROTECTED]

I have made the keytabs for the two hosts:

    ktadd -k /etc/ha1.keytab host/[EMAIL PROTECTED]
    ktadd -k /etc/ha2.keytab host/[EMAIL PROTECTED]

then I moved ha1.keytab to the ha1.aitia machine as /etc/krb5.keytab and ha2.keytab to the ha2.aitia machine as /etc/krb5.keytab. I installed the ssh-krb5, krb5-user, krb5-config and libpam-krb5 packages on each machine and modified the ssh pam.d configuration to authenticate with kerberos.
    # cat /etc/pam.d/ssh
    #%PAM-1.0
    auth       required   pam_nologin.so
    auth       required   pam_krb5.so
    auth       required   pam_env.so # [1]
    account    required   pam_unix.so
    session    required   pam_unix.so
    session    optional   pam_motd.so # [1]
    session    optional   pam_mail.so standard noenv # [1]
    session    required   pam_limits.so
    password   required   pam_unix.so

So I login to ha2.aitia and use kinit:

    [EMAIL PROTECTED]:~$ kinit
    Password for [EMAIL PROTECTED]:
    [EMAIL PROTECTED]:~$

On ha1.aitia this appears in syslog:

    ==> /var/log/syslog <==
    Feb 19 11:21:46 ha1 krb5kdc[424]: AS_REQ (6 etypes {18 16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186106, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]

Then I try to ssh to ha1.aitia from ha2.aitia:

    [EMAIL PROTECTED]:~$ ssh ha1
    [EMAIL PROTECTED]'s password:

Why does it prompt for the password? And this is not the kerberos prompt :( On ha1.aitia the log now shows:

    ==> /var/log/syslog <==
    Feb 19 11:24:54 ha1 krb5kdc[424]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186287, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for host/[EMAIL PROTECTED]

And this is the problem with Windows 2000 clients, too :( With ksetup the kerberos realm is set up, but I could not log in to Windows :( Can somebody help me, what's wrong, or any idea?

Best regards
bzg
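The following is an added diagnostic example, not code from the post or from the Debian krb5 packages. It parses a krb5.conf-style file and MIT krb5kdc ISSUE log lines, so the three things worth checking in a setup like the one above can be read off mechanically: which realm each host maps to through [domain_realm], which deprecated enctypes the client is still willing to negotiate, and whether the KDC actually issued the host/<fqdn> service ticket before the SSH password prompt appeared. The config and log strings are constructed from the post; "user@INTRA.NET" stands in for the principal the list archive redacted, and the enctype number table is MIT krb5's.

```python
import re

# Constructed sample: the krb5.conf from the post, reflowed into one string.
KRB5_CONF = """
[libdefaults]
    default_realm = INTRA.NET
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
    INTRA.NET = {
        kdc = ha1.aitia
        admin_server = ha1.aitia
    }
[domain_realm]
    .aitia = INTRA.NET
    aitia = INTRA.NET
"""

# Constructed KDC syslog lines modelled on the post; "user@INTRA.NET" replaces
# the redacted principal.
KDC_LOG = """\
Feb 19 11:21:46 ha1 krb5kdc[424]: AS_REQ (6 etypes {18 16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186106, etypes {rep=16 tkt=16 ses=16}, user@INTRA.NET for krbtgt/INTRA.NET@INTRA.NET
Feb 19 11:24:54 ha1 krb5kdc[424]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186287, etypes {rep=16 tkt=16 ses=16}, user@INTRA.NET for host/ha1.aitia@INTRA.NET
"""

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-hmac-sha1",
                       "des3-cbc-sha1", "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}

# MIT krb5 enctype numbers as they appear in the KDC log.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

ISSUE_LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client>[\d.]+): "
    r"ISSUE: authtime \d+, etypes \{(?P<issued>[^}]*)\}, (?P<princ>\S+) for (?P<service>\S+)")


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf/kdc.conf syntax: [sections], key = value,
    and one level of `name = { ... }` sub-blocks. '#' comments are ignored."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
        elif line == "}":
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf


def realm_for_host(conf, fqdn):
    """Resolve a host to a realm the way libkrb5 applies [domain_realm]: an exact
    host entry first, then the closest parent-domain entry (the ones starting
    with a dot), falling back to default_realm."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf.get("libdefaults", {}).get("default_realm")


def deprecated_enctypes(conf):
    """Enctypes listed in [libdefaults] that should no longer be negotiated."""
    found = set()
    lib = conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        found.update(et for et in lib.get(key, "").split() if et in DEPRECATED_ENCTYPES)
    return sorted(found)


def parse_kdc_log(text):
    """Parse krb5kdc ISSUE lines; failure lines have a different shape and are skipped."""
    events = []
    for line in text.splitlines():
        m = ISSUE_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["offered"] = [int(n) for n in ev["offered"].split()]
        issued = dict(kv.split("=") for kv in ev["issued"].split())
        ev["tkt_etype"] = int(issued["tkt"])  # enctype of the ticket actually issued
        events.append(ev)
    return events


def service_ticket_issued(events, fqdn, realm):
    """True when the KDC issued host/<fqdn>@<realm>, i.e. the Kerberos side of an
    SSH login to that host completed; a password prompt after that points at the
    sshd/PAM layer rather than at the KDC."""
    want = f"host/{fqdn}@{realm}"
    return any(e["req"] == "TGS_REQ" and e["service"] == want for e in events)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("ha1.aitia", "ha2.aitia"):
        print(f"{host} -> realm {realm_for_host(conf, host)}")
    print("deprecated enctypes offered:", ", ".join(deprecated_enctypes(conf)))
    events = parse_kdc_log(KDC_LOG)
    for e in events:
        offered = [ETYPE_NAMES.get(n, str(n)) for n in e["offered"]]
        print(f'{e["req"]} {e["princ"]} -> {e["service"]}: ticket etype '
              f'{ETYPE_NAMES.get(e["tkt_etype"], e["tkt_etype"])}, client offered {offered}')
    print("host/ha1.aitia ticket issued:", service_ticket_issued(events, "ha1.aitia", "INTRA.NET"))
```

Run against the post's own data, the report says both hosts map to INTRA.NET, that the client offers single DES, 3DES and RC4 alongside AES, that the KDC issued a des3 (etype 16) ticket even though the client offered aes256 (etype 18), which is consistent with the kdc.conf supported_enctypes list containing no AES type, and that a TGS_REQ for host/ha1.aitia@INTRA.NET was issued before the password prompt appeared. That last point narrows the search: the KDC did its part, so the place to look next is whether ssh and sshd negotiated GSSAPI at all and how the PAM stack on ha1 handles the login.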