Wilson, Michael <[EMAIL PROTECTED]> wrote:

> Hello,
>
> We are running into problems with the installation of Kerberos V5 on
> an hpux 11.11 machine.
>
> When we try to log in using Active Directory Authentication we get the
> following in our debug.log file:
>
> May 8 09:59:21 PAM: load_function: successful load of pam_sm_authenticate
> May 8 09:59:21 PAM: pam_set_item(8)
> May 8 09:59:21 PAM: load_modules: /usr/lib/security/libpam_unix.1
> May 8 09:59:41 PAM: pam_set_item(6)
> May 8 09:59:41 PAM: [Cannot find KDC for requested realm] Unable to verify Kerberos V5 TGT: [abc.diebold.com]
> May 8 09:59:41 PAM: Kerberos V5 TGT bad: Cannot find KDC for requested realm

Appears that you do not have host keytabs set up. (Or have them set up
incorrectly.) You need to use ktpass.exe on Windows to generate host
keytabs for your machines and copy the generated keytabs to the correct
location on the hpux systems. I'm not sure where that is on HPUX, but
it's usually /etc/krb5.keytab (Linux) or /etc/krb5/krb5.keytab (Solaris.)
You also must have a properly configured hostname and /etc/hosts file
for this system, and proper DNS, etc.

What does klist -kte (as root) list?

> May 8 09:59:21 PAM: load_function: successful load of pam_sm_authenticate
> May 8 09:59:41 PAM: while verifying tgt[Unknown code ____ 255]
>
> We can log in using KDC/AD credentials by using kinit. The ticket gets
> created and is placed in the /tmp directory.
> We verify that there was a ticket made and when it will expire by
> using klist. It works as well along with kdestroy.

Kinit doesn't use the host keytab to verify the KDC. It uses the fact
that the user knows their password. In order for the hpux machine to
verify that it is communicating with the correct KDC it needs its own
password, in the form of a host keytab.

Do you need to specify the realm name when you kinit? What does your
krb5.conf file look like and what AD realm do you need to use?

> When we type login from the command prompt to try logging back into
> the same localhost or another hpux machine
> we get the same error as mentioned above.
>
> We have Linux machines running RHEL 4 and Kerberos that work just
> fine.

It is highly likely that your Linux machines are not as secure as they
could be, as they probably are NOT verifying that the KDC they
communicate with is not being spoofed. You really should have a host
keytab on your Linux machines as well, but for some reason a large
number of Linux vendors default to allowing authentication without the
host keytab. It seems that real UNIX vendors (Sun for Solaris, IBM for
AIX, etc.) require the host keytab by default and require a
configuration change to ignore the missing keytab problem.

<<CDC
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
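As an added example (not part of the thread, and not anyone's posted code), a Python check for the two things the reply asks about: whether krb5.conf names a KDC for the realm the host resolves to, and whether the keytab listed by klist -kte holds the host/<fqdn>@REALM key that pam_krb5 needs to verify the TGT. The realm, KDC and host names, and the klist -kte output (MIT format), are constructed placeholders.

```python
import re
# Constructed sample inputs (not from the thread); realm, KDC and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""
SAMPLE_KLIST_KTE = """KVNO Timestamp         Principal
   3 05/08/07 09:00:00 host/hpux01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""
def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: [values]}}; realm blocks nest one level deeper."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                                 # e.g. "EXAMPLE.COM = {"
            block = section.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def host_realm(conf, fqdn):
    """Map a host to its realm: longest [domain_realm] suffix match, else default_realm."""
    mapping, labels = conf.get("domain_realm", {}), fqdn.lower().split(".")
    for cand in [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping: return mapping[cand][0]
    return conf.get("libdefaults", {}).get("default_realm", [None])[0]

def diagnose(conf, fqdn, klist_output):
    """Report the two failures from the thread: no KDC for the realm, no host key to verify the TGT."""
    realm = host_realm(conf, fqdn)
    if realm is None: return ["no default_realm and no [domain_realm] mapping for " + fqdn]
    findings = []
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"no kdc for {realm} in [realms]; without DNS SRV records the library says 'Cannot find KDC for requested realm'")
    wanted = f"host/{fqdn.lower()}@{realm}"  # pam_krb5 verifies the TGT against this keytab entry
    principals = {m.group(1) for m in re.finditer(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)", klist_output, re.M)}
    if wanted not in principals:
        findings.append(f"keytab lacks {wanted}: the TGT cannot be verified, so a spoofed KDC would go unnoticed")
    return findings
```

On a real host, feed it the contents of /etc/krb5.conf, the output of `hostname`, and the output of `klist -kte` run as root; an empty result means both prerequisites the reply names are in place.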
