I got the single sign-on working, but now I'm trying to have AIX authenticate using Kerberos to a 2003 AD without ticket verification (non single sign-on).

Now, password changes in AD are immediately noticed by the client (AIX). But I still have problems with ssh, telnet and ftp, and I have my tgt_verify flag=false in order not to use a keytab file... I can use the same user's password on the AIX machine (even after a password reset in AD):

bash-3.00# /usr/krb5/bin/kinit test5
Password for [EMAIL PROTECTED]:
bash-3.00#

but not ssh, telnet or ftp...

ssh result:
----------
bash-3.00# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:

telnet result:
------------
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Unsupported key table format version number ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Unsupported key table format version number ]
telnet (vx32)

AIX Version 5
(C) Copyrights by IBM and by others 1982, 2005.
login: test4
test4's Password:
3004-007 You entered an invalid login name or password.
login:

my krb5.conf (this file has been edited for the thousandth time already)... but this one works with the single sign-on:

====================================
[libdefaults]
        default_realm = X.Y.NET
#       default_keytab_name = FILE:/etc/krb5/krb5.keytab
#       (someone asked me to try commenting it out, but it doesn't make a difference)
#       default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
#       default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
        X.Y.NET = {
                kdc = abc.x.y.net:88
                admin_server = abc.x.y.net:749
                default_domain = x.y.net
        }

[domain_realm]
        .x.y.net = X.Y.NET
        abc.x.y.net = X.Y.NET
#       abc.x.y.net = X.Y.NET

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
=======================================

my methods.cfg (also edited a thousand times):

=======================================
KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
#       options = authonly
        options = tgt_verify = no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN
======================================

This is how I create the user in AIX (client):

bash-3.00# mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=dalabb.volvo.net test5
bash-3.00# su test5
bash-3.00# whoami
test5
bash-3.00# lsauthent
Kerberos 5
Standard Aix
bash-3.00# echo $AUTHSTATE
compat

When I tried ssh -v, below is the output. It still prompts for the password again:

bash-3.00# ssh -v [EMAIL PROTECTED]
OpenSSH_4.2p1, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /soe3/opt/openssh-4.2p1/etc/ssh_config
debug1: Connecting to vx32 [131.97.95.41] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vx32' is known and matches the DSA host key.
debug1: Found key in /.ssh/known_hosts:4
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
[EMAIL PROTECTED]'s password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
[EMAIL PROTECTED]'s password:

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
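The telnetd error above ("krb5_rd_req failed: Unsupported key table format version number") is what MIT Kerberos reports when the keytab file it opens does not start with the bytes 0x05 0x01 or 0x05 0x02. The reader below, added here as an example and not part of the original post, checks that version header and lists the principals, enctypes and kvnos of a version 2 keytab so a mismatched or corrupt file can be spotted before the service is tested. The builder, the principal host/vx32.x.y.net@X.Y.NET and the key bytes are constructed for the example.

```python
import struct

# Constructed example: MIT keytab format version 2 (0x0502), all fields big-endian.

def build_keytab(realm, components, enctype, kvno, key, name_type=1, timestamp=0):
    """Construct a version-2 keytab holding a single entry (test data only)."""
    body = struct.pack(">H", len(components))          # v2: realm not counted
    for s in [realm, *components]:                     # counted octet strings
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF,
                        enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (format_version, entries); raise ValueError like krb5_rd_req on a bad header."""
    if len(data) < 2 or data[0] != 5 or data[1] not in (1, 2):
        raise ValueError("Unsupported key table format version number: %r" % data[:2])
    if data[1] == 1:
        # v1 keytabs use native byte order and count the realm as a component;
        # regenerate the file as v2 rather than guessing the host's endianness.
        raise ValueError("keytab format v1 (0x0501) not handled; regenerate as v2")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        parts = []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, off); off += 2
            parts.append(data[off:off + n].decode()); off += n
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:             # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "enctype": enctype, "kvno": kvno, "keylen": len(key)})
        off = end
    return data[1], entries
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab; an enctype of 1 or 3 corresponds to the des-cbc-crc / des-cbc-md5 types listed in the krb5.conf above.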
