Beck Zoltan Gyula <[EMAIL PROTECTED]> writes:

> I'm trying to configure a kerberos server, I read the documentation and
> followed the instructions, but something is wrong I think.

Make sure you've checked the usual things, in particular that the clocks
on all of your machines agree to within five minutes. Which Kerberos are
you trying to set up?

> I have two debian sarge linux nodes on an intranet (10.0.0.0/24)
> with hostnames ha1.aitia and ha2.aitia. The kdc and the krb-admin server
> is ha1.aitia.
>
> The krb5.conf looks like:
>
> [libdefaults]
> default_realm = INTRA.NET

Do you have a more proper name? You can't rename Kerberos principals,
even to change the realm, so if you have a "better" name that you're
eventually going to use, you might want to start over and use that.

> I have made the keytabs for the two hosts:
> ktadd -k /etc/ha1.keytab host/[EMAIL PROTECTED]
> ktadd -k /etc/ha2.keytab host/[EMAIL PROTECTED]
>
> then I moved ha1.keytab to /etc/krb5.keytab on the ha1.aitia machine and
> ha2.keytab to /etc/krb5.keytab on the ha2.aitia machine.

It might be worthwhile to check that your keytabs agree with the
Kerberos server, since generating a new keytab invalidates any old ones
that exist. Run 'ktutil' on ha2 as root, then do 'rkt /etc/krb5.keytab'
and 'l', and note the kvno listed for host/[EMAIL PROTECTED]; then,
exit ktutil, and run 'kvno host/[EMAIL PROTECTED]' and make sure those
agree.

> I installed the ssh-krb5, krb5-user, krb5-config and libpam-krb5 packages on
> each machine and modified the ssh pam.d configuration to authenticate with
> kerberos.

You shouldn't need to do any PAM configuration;

> # cat /etc/pam.d/ssh
> #%PAM-1.0
> auth required pam_nologin.so
> auth required pam_krb5.so

that will just cause you to get a TGT on login if you use ssh password
auth. (I think; I doubt it will cause Kerberos tickets to be a valid
substitute for password auth.)

> So I log in to ha2.aitia and use kinit:
>
> [EMAIL PROTECTED]:~$ kinit
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED]:~$
>
> Then I try to ssh to ha1.aitia from ha2.aitia:
>
> [EMAIL PROTECTED]:~$ ssh ha1
> [EMAIL PROTECTED]'s password:
>
> Why does it prompt for the password? And this is not the kerberos prompt :(

What does 'ssh -v ha1' say? It should mention which authentication it's
trying. Also, check to see if 'klist' shows you with a host/ha2.aitia
service ticket. You also might check to see if your ssh/sshd options
disable ticket-based authentication; the default at least disables
ticket forwarding, since malicious hosts could use that to steal your
TGT.

-- 
David Maze         [EMAIL PROTECTED]      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
        -- Abra Mitchell
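The keytab-versus-KDC cross-check suggested above (ktutil 'l' on one side, 'kvno' on the other) can be automated. The following is an added example, not code from the mail or from the Debian packages: it reads an MIT-format keytab directly, takes the highest kvno it holds for each principal, and compares it with what the 'kvno' client reports. It assumes the MIT keytab layout (version 0x0502: 2-byte magic, then per entry an int32 size, uint16 component count, counted realm and components, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype, uint16 key length, key, optional uint32 kvno); the keytab bytes, the 'kvno' output text and the function names are all constructed for the demonstration and are not from the original post.

```python
"""MIT keytab (format 0x0502) reader plus a kvno cross-check.

Added example; the keytab layout below is MIT's v2 format (assumption stated
in the lead-in). Sample keytab bytes and 'kvno' output are constructed.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"


def _cstr(buf, pos):
    """Read a counted octet string: big-endian uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for every live keytab entry.

    An entry whose size field is negative is a deleted slot and is skipped.
    The 32-bit kvno at the end of an entry overrides the 8-bit one if nonzero.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                       # deleted entry: skip its body
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        pos += 8                           # name_type (uint32) + timestamp (uint32)
        kvno = data[pos]                   # 8-bit vno
        pos += 1
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                  # skip the key material itself
        if end - pos >= 4:                 # optional 32-bit vno present
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def build_entry(principal, kvno, enctype, key, deleted=False):
    """Serialize one entry; only used here to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", 1, 0)                # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # 32-bit vno
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(build_entry(*e) for e in entries)


def parse_kvno_output(text):
    """Parse 'principal: kvno = N' lines as printed by the MIT 'kvno' client."""
    out = {}
    for line in text.splitlines():
        princ, sep, num = line.partition(": kvno = ")
        if sep:
            out[princ.strip()] = int(num)
    return out


def check_kvno(keytab_bytes, kvno_text):
    """Map principal -> (highest kvno in keytab, kvno the KDC issued, agree?)."""
    kdc = parse_kvno_output(kvno_text)
    newest = {}
    for e in parse_keytab(keytab_bytes):
        newest[e["principal"]] = max(newest.get(e["principal"], 0), e["kvno"])
    return {p: (v, kdc.get(p), kdc.get(p) == v) for p, v in newest.items()}


# Constructed sample: a keytab written before a second 'ktadd' bumped the
# key version on the KDC, so the KDC now issues kvno 3 but the file has 2.
SAMPLE_KEYTAB = build_keytab([
    ("host/ha2.aitia@INTRA.NET", 2, 17, b"\x11" * 16),   # aes128-cts-hmac-sha1-96
    ("host/ha2.aitia@INTRA.NET", 2, 18, b"\x22" * 32),   # aes256-cts-hmac-sha1-96
])
SAMPLE_KVNO_OUTPUT = "host/ha2.aitia@INTRA.NET: kvno = 3\n"

if __name__ == "__main__":
    for princ, (have, want, ok) in check_kvno(SAMPLE_KEYTAB, SAMPLE_KVNO_OUTPUT).items():
        print(f"{princ}: keytab kvno {have}, KDC kvno {want}, {'OK' if ok else 'STALE'}")
```

On a real host you would feed check_kvno() the bytes of /etc/krb5.keytab (read as root) and the captured stdout of 'kvno host/ha2.aitia@INTRA.NET' run with a valid TGT; a STALE result is exactly the "new keytab invalidates the old one" situation, and the fix is to copy the freshly generated keytab into place rather than to touch PAM or sshd.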