From what I'm seeing, this is more likely tied to the configuration
requirements for setting up a host to support authentication for ssh via
Kerberos. Showing your krb5.conf would help (I suggest replacing internal
hostnames and realms when sharing this kind of info).

Most likely the settings for resolving the KDC through DNS are set
(dns_lookup_realm = true, dns_lookup_kdc = true), which is the reason you
do not need a realm entry in your krb5.conf.


This discussion explains what needs to be in place for you to be able to
set up client authentication for SSH on Ubuntu.

https://help.ubuntu.com/community/SingleSignOn#Client_Configuration

Most specifically: did you create the host principal in the KDC for the new
host you are trying to access?

On Thu, Jun 16, 2016 at 7:09 AM, Giuseppe Mazza <[email protected]>
wrote:

> (I apologize for my long email)
>
> I am going to try to provide some feedback:
> #
> # my (not) working scenario...
> #
> 1] Linux kerberos server:
> Ubuntu 14.04.4 LTS \n \l
> ii  krb5-kdc          1.12+dfsg-2ub amd64         MIT Kerberos key
> server (KDC)
>
> 2.a] Ubuntu 16.04 linux client, called futurama.doc.ic.ac.uk:
> ii  krb5-user          1.13.2+dfsg-5  amd64          Basic programs to
> authenticate using MIT K
>
>
> 2.b] Ubuntu 14.04 linux client, called bee.doc.ic.ac.uk:
> ii  krb5-user         1.12+dfsg-2ub amd64         Basic programs to
> authenticate using MIT
>
> 3] same /etc/krb5.conf on both clients, i.e. no hardcoded hostnames of
> my DCs.
>
> 4] I will be using my two accounts, [email protected] (user in the Windows
> DC) and [email protected] (user in kerberos realm).
>
> The things I will describe work for bee.doc.ic.ac.uk, but not
> for futurama.doc.ic.ac.uk. In particular I have noticed the things below:
>
> - it works:
> gmazza2@futurama:~$ ssh gmazza2@futurama
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza@futurama
> gmazza@futurama's password:
> Permission denied, please try again.
> gmazza@futurama's password:
>
> - it works:
> gmazza2@futurama:~$ export KRB5_TRACE=/dev/stdout
> gmazza2@futurama:~$ kinit [email protected]
> [325] 1466081998.890390: Getting initial credentials for [email protected]
> [325] 1466081998.890912: Sending request (169 bytes) to IC.AC.UK
> [325] 1466081998.894103: Resolving hostname icads43.ic.ac.uk.
> [325] 1466081998.896228: Sending initial UDP request to dgram
> 129.31.100.150:88
> [325] 1466081998.899013: Received answer (174 bytes) from dgram
> 129.31.100.150:88
> [325] 1466081998.900138: Response was not from master KDC
> [325] 1466081998.900216: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [325] 1466081998.900281: Processing preauth types: 16, 15, 19, 2
> [325] 1466081998.900308: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> Password for [email protected]: debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
>
> [325] 1466082004.103603: AS key obtained for encrypted timestamp:
> aes256-cts/1F56
> [325] 1466082004.103637: Encrypted timestamp (for 1466082003.328534):
> plain 301AA011180F32303136303631363133303030335AA1050203050356,
> encrypted
>
> C915E62DB9E0CE17F45BA2FDABB44DEF69EF02DAE0ADF1138204A1D114B27FF0AE505BB410C1FCB00E0F31BFE6939ED3E7B2C68B9C52FDA4
> [325] 1466082004.103654: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [325] 1466082004.103657: Produced preauth for next request: 2
> [325] 1466082004.103668: Sending request (247 bytes) to IC.AC.UK
> [325] 1466082004.106120: Resolving hostname icads39.ic.ac.uk.
> [325] 1466082004.106383: Sending initial UDP request to dgram
> 155.198.63.21:88
> [325] 1466082004.110203: Received answer (88 bytes) from dgram
> 155.198.63.21:88
> [325] 1466082004.111234: Response was not from master KDC
> [325] 1466082004.111262: Received error from KDC: -1765328332/Response
> too big for UDP, retry with TCP
> [325] 1466082004.111268: Request or response is too big for UDP;
> retrying with TCP
> [325] 1466082004.111281: Sending request (247 bytes) to IC.AC.UK (tcp
> only)
> [325] 1466082004.112344: Resolving hostname icads44.ic.ac.uk.
> [325] 1466082004.113626: Initiating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.114123: Sending TCP request to stream 129.31.47.2:88
> [325] 1466082004.117400: Received answer (2689 bytes) from stream
> 129.31.47.2:88
> [325] 1466082004.117416: Terminating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.118434: Response was not from master KDC
> [325] 1466082004.118467: Processing preauth types: 19
> [325] 1466082004.118475: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> [325] 1466082004.118480: Produced preauth for next request: (empty)
> [325] 1466082004.118489: AS key determined by preauth: aes256-cts/1F56
> [325] 1466082004.118538: Decrypted AS reply; session key is:
> aes256-cts/5BA4
> [325] 1466082004.118555: FAST negotiation: unavailable
> [325] 1466082004.118578: Initializing FILE:/tmp/krb5cc_868_TQFkWp with
> default princ [email protected]
> [325] 1466082004.118635: Storing [email protected] ->
> krbtgt/[email protected] in FILE:/tmp/krb5cc_868_TQFkWp
> [325] 1466082004.118662: Storing config in FILE:/tmp/krb5cc_868_TQFkWp
> for krbtgt/[email protected]: pa_type: 2
> [325] 1466082004.118684: Storing [email protected] ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IC.AC.UK\@IC.AC.UK@X-CACHECONF: in
> FILE:/tmp/krb5cc_868_TQFkWp
>
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/[email protected]
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza2@futurama
> [375] 1466082089.872003: ccselect can't find appropriate cache for
> server principal host/[email protected]
> [375] 1466082089.872158: Getting credentials [email protected] ->
> host/[email protected] using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.872299: Retrieving [email protected] ->
> host/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.872397: Retrieving [email protected] ->
> krbtgt/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872489: Retrieving [email protected] ->
> krbtgt/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp with result:
> 0/Success
> [375] 1466082089.872507: Starting with TGT for client realm:
> [email protected] -> krbtgt/[email protected]
> [375] 1466082089.872611: Retrieving [email protected] ->
> krbtgt/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872628: Requesting TGT krbtgt/[email protected]
> using TGT krbtgt/[email protected]
> [375] 1466082089.872694: Generated subkey for TGS request: aes256-cts/36BD
> [375] 1466082089.872848: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.873071: Encoding request body and padata into FAST request
> [375] 1466082089.873237: Sending request (2863 bytes) to IC.AC.UK
> [375] 1466082089.875549: Resolving hostname icads44.ic.ac.uk.
> [375] 1466082089.876375: Sending initial UDP request to dgram
> 129.31.47.2:88
> [375] 1466082089.878367: Received answer (311 bytes) from dgram
> 129.31.47.2:88
> [375] 1466082089.879374: Response was not from master KDC
> [375] 1466082089.879420: Decoding FAST response
> [375] 1466082089.879497: Request or response is too big for UDP;
> retrying with TCP
> [375] 1466082089.879512: Sending request (2863 bytes) to IC.AC.UK (tcp
> only)
> [375] 1466082089.880644: Resolving hostname icads43.ic.ac.uk.
> [375] 1466082089.881101: Initiating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.881629: Sending TCP request to stream 129.31.100.150:88
> [375] 1466082089.883386: Received answer (2758 bytes) from stream
> 129.31.100.150:88
> [375] 1466082089.883408: Terminating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.884435: Response was not from master KDC
> [375] 1466082089.884481: Decoding FAST response
> [375] 1466082089.884661: FAST reply key: aes256-cts/C91B
> [375] 1466082089.884730: TGS reply is for [email protected] ->
> krbtgt/[email protected] with session key des-cbc-crc/A617
> [375] 1466082089.884819: TGS request result: 0/Success
> [375] 1466082089.884838: Storing [email protected] ->
> krbtgt/[email protected] in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.884915: Received TGT for service realm:
> krbtgt/[email protected]
> [375] 1466082089.884927: Requesting tickets for
> host/[email protected], referrals on
> [375] 1466082089.884955: Generated subkey for TGS request: des-cbc-crc/14B2
> [375] 1466082089.885000: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.885099: Encoding request body and padata into FAST request
> [375] 1466082089.885228: Sending request (2832 bytes) to DOC.IC.AC.UK
> (tcp only)
> [375] 1466082089.885263: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.885710: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886276: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886314: Resolving hostname kerberos1.doc.ic.ac.uk
> [375] 1466082089.886738: Initiating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887249: Terminating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887270: Resolving hostname kerberos2.doc.ic.ac.uk
> [375] 1466082089.887611: Initiating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.888136: Terminating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.889673: ccselect can't find appropriate cache for
> server principal host/[email protected]
> [375] 1466082089.889789: Getting credentials [email protected] ->
> host/[email protected] using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.889906: Retrieving [email protected] ->
> host/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.890009: Retrieving [email protected] ->
> krbtgt/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp with
> result: 0/Success
> [375] 1466082089.890024: Found cached TGT for service realm:
> [email protected] -> krbtgt/[email protected]
> [375] 1466082089.890033: Requesting tickets for
> host/[email protected], referrals on
> [375] 1466082089.890062: Generated subkey for TGS request: des-cbc-crc/B04E
> [375] 1466082089.890113: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.890252: Encoding request body and padata into FAST request
> [375] 1466082089.890394: Sending request (2832 bytes) to DOC.IC.AC.UK
> [375] 1466082089.890446: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.890897: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891502: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891525: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.891874: Sending initial UDP request to dgram
> 146.169.1.157:750
> [375] 1466082089.893602: Received answer (861 bytes) from dgram
> 146.169.1.157:750
> [375] 1466082089.894766: Response was not from master KDC
> [375] 1466082089.894812: Decoding FAST response
> [375] 1466082089.894897: FAST reply key: des-cbc-crc/EE43
> [375] 1466082089.894953: TGS reply is for [email protected] ->
> host/[email protected] with session key aes256-cts/4216
> [375] 1466082089.894987: TGS request result: 0/Success
> [375] 1466082089.894997: Received creds for desired service
> host/[email protected]
> [375] 1466082089.895012: Storing [email protected] ->
> host/[email protected] in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.895181: Creating authenticator for [email protected] ->
> host/[email protected], seqnum 683096606, subkey
> aes256-cts/1E3F, session key aes256-cts/4216
> [375] 1466082089.896680: ccselect can't find appropriate cache for
> server principal host/[email protected]
> [375] 1466082089.896837: Getting credentials [email protected] ->
> host/[email protected] using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.896953: Retrieving [email protected] ->
> host/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.897036: Creating authenticator for [email protected] ->
> host/[email protected], seqnum 249884086, subkey
> aes256-cts/FDB1, session key aes256-cts/4216
> [375] 1466082089.898397: ccselect can't find appropriate cache for
> server principal host/[email protected]
> [375] 1466082089.898517: Getting credentials [email protected] ->
> host/[email protected] using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898630: Retrieving [email protected] ->
> host/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898760: Getting credentials [email protected] ->
> host/[email protected] using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898865: Retrieving [email protected] ->
> host/[email protected] from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for [email protected] ->
> host/[email protected], seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2@futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/[email protected]
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29  17/06/16 00:00:04  krbtgt/[email protected]
>         renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29  17/06/16 00:00:04
> host/[email protected]
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza@futurama"
> gmazza2@futurama:~$ export KRB5_TRACE=
> gmazza2@futurama:~$ ssh gmazza@futurama uptime
>   14:02:58 up 21:31,  2 users,  load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
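As a concrete check for the krb5.conf points raised in the reply above (DNS-based KDC lookup versus explicit realm entries, and whether the client's domain maps to a realm), here is an added Python example that is not part of the thread; the sample configuration, realm, host and KDC names in it are constructed placeholders.

```python
"""Added example (not from the thread): does this krb5.conf find KDCs via DNS
(dns_lookup_kdc) or explicit [realms] entries, and which realm does a host map to?"""
import re

# Constructed sample; realm, host and KDC names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    dns_lookup_kdc = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values] or {nested}}}; repeated keys collect."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith('['):                      # new [section]
            stack = [conf.setdefault(line.strip('[]'), {})]
        elif line == '}':                             # close a { } block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                          # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def kdc_resolution(conf, realm):
    """'explicit' if [realms] lists a kdc, 'dns' if dns_lookup_kdc is on, else 'none'."""
    if conf.get('realms', {}).get(realm, {}).get('kdc'):
        return 'explicit'
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['false'])[-1].lower()
    return 'dns' if dns in ('true', 'yes', '1') else 'none'

def realm_for_host(conf, host):
    """Approximate the [domain_realm] lookup: exact host, then parent domains."""
    mapping = conf.get('domain_realm', {})
    labels = host.lower().split('.')
    for i in range(len(labels)):
        suffix = '.'.join(labels[i:])
        for cand in ((suffix,) if i == 0 else ('.' + suffix, suffix)):
            if cand in mapping:
                return mapping[cand][-1]
    return None
```

This only inspects the client side; whether the host principal the reply asks about actually exists is confirmed with `klist -k` on the host (keytab entry) and `kvno host/<fqdn>` from a client holding a TGT (KDC entry).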