#1
Two comments. Firstly, use RC4 (e.g. RC4-HMAC), not DES, in your configuration, assuming you have an MIT Kerberos version > 1.3 (is HPUX 11i still based on MIT 1.1.1?). If not, you need to set the AD entry for unix_client to be DES only. Secondly, did you change the password of the unix_client user? If not, please try to change the password once and re-extract the keytab.

Markus

"Richard Curtis" news:5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com...
> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.domain.host.com@DOMAIN.HOST.COM -mapuser unix_lient
> -pass
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"
>
> I am guessing this is more of a Windows/AD config issue, but thought
> someone here might have seen this?
>
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.HOST.COM
> default_tgs_enctypes = DES-CBC-CRC
> default_tkt_enctypes = DES-CBC-CRC
> ccache_type = 2
> ticket_liftetime = 24000
> #dns_lookup_kdc = true
>
> [realms]
> DOMAIN.HOST.COM = {
> kdc = 2003_dc.domain.host.com
> kpasswd_server = 2003_dc.domain.host.com:464
> }
>
> [domain_realm]
> domain.host.com = DOMAIN.HOST.COM
> .domain.host.com = DOMAIN.HOST.COM
>
> [logging]
> default = FILE:/var/adm/krb5lib.log
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kKDCmind.log
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> unix_client:/var/adm/syslog >pamkrbval -v
>
> Validating the pam configuration files
> ---------- --- --- ------------- -----
>
> Validating the /etc/pam.conf file
> [LOG] : The /etc/pam.conf files permissions are fine
> [LOG] : Opened : /etc/pam.conf
>
> [PASS] : The validation of config file: /etc/pam.conf passed
>
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
> as libpam_updbe library is not configured
>
> Validating the kerberos config file
> ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
>
> Connecting to default Realm
> ---------- -- ------- -----
> [LOG] : The default realm is : DOMAIN.HOST.COM
> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
> [PASS] : Default Realm is issuing tickets
>
> Validating the keytab entry for the host service principal
> ---------- --- ------ ----- --- --- ---- ------- ---------
> [LOG] : Host unix_client, aka unix_client.domain.host.com.
> [LOG] : The default keytab name is : /etc/krb5.keytab
> [LOG] : Keytab file /etc/krb5.keytab is present
> [LOG] : Permissions on /etc/krb5.keytab are correct.
> Keytab entry
> Principal: host
> Host : unix_client.domain.host.com
> Realm : DOMAIN.HOST.COM
> Version : 23
> [LOG] : Pinging KDC to verify whether
> host/unix_client.domain.host.com@DOMAIN.HOST.COM exists
> pamkrbval: KDC policy rejects request for this entry
> [WARNING] : The keytab entry for the host service principal
> host/unix_client.domain.host.com@DOMAIN.HOST.COM is invalid
> [FAIL] : The keytab validation failed
>
> Validating the rc_host file for ownership
> -------- ------ ---- -------- ------ -----
> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>
> unix_client:/var/adm/syslog >ktutil -i
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 23 host/unix_client.domain@DOMAIN.HOST.COM
> ktutil:
> ktutil: unix_client:/var/adm/syslog >
>
>
>
> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
> host/unix_client.domain.host.com
> kinit(v5): KDC policy rejects request while getting initial credentials
>
> Thanks in advance for any help
>
> Regards
>
> Richard
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
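The reply above points at the DES-only enctype settings in the quoted krb5.conf as the likely cause of "KDC policy rejects request". The following is an added example, not code from the thread or from MIT Kerberos: a small checker that parses the `[libdefaults]` section of a krb5.conf, flags enctype settings that permit only single-DES types, and proposes the RC4-HMAC replacement the reply recommends. The sample configuration is constructed to mirror the shape of the one in the post; the function names and the `permitted_enctypes` handling are this example's own choices.

```python
"""Flag DES-only enctype settings in a krb5.conf [libdefaults] section.

Added example (not from the mailing-list thread). A Windows KDC that has
not been told an account is DES-only will refuse DES-restricted requests,
which surfaces on the client as "KDC policy rejects request".
"""
import re

# Single-DES enctype names recognised by MIT Kerberos; all are weak.
DES_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
}

# libdefaults keys that restrict which enctypes the client will request.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample input, shaped like the config quoted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.HOST.COM
    default_tgs_enctypes = DES-CBC-CRC
    default_tkt_enctypes = DES-CBC-CRC
    ccache_type = 2
    #dns_lookup_kdc = true

[realms]
    DOMAIN.HOST.COM = {
        kdc = 2003_dc.domain.host.com
    }
"""


def parse_libdefaults(text):
    """Return the key/value pairs of [libdefaults] as a dict.

    Keys and values are lowercased; comments (#...) are stripped; other
    sections, including brace-delimited realm blocks, are ignored.
    """
    section = None
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip().lower()] = value.strip().lower()
    return result


def enctype_findings(text):
    """Return [(key, [enctypes...])] for settings that allow DES types only.

    A list that mixes DES with a stronger type is not reported, because
    the client can still negotiate the stronger one with the KDC.
    """
    findings = []
    defaults = parse_libdefaults(text)
    for key in ENCTYPE_KEYS:
        if key not in defaults:
            continue
        types = [t for t in re.split(r"[\s,]+", defaults[key]) if t]
        if types and all(t in DES_ENCTYPES for t in types):
            findings.append((key, types))
    return findings


def suggested_fix(findings):
    """Replacement lines using rc4-hmac, as the reply recommends for a
    Windows 2003 KDC. Where the KDC supports AES (Windows 2008 and later),
    prepend aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 instead."""
    return [f"{key} = rc4-hmac" for key, _ in findings]


if __name__ == "__main__":
    found = enctype_findings(SAMPLE_KRB5_CONF)
    for key, types in found:
        print(f"{key} allows only DES types: {' '.join(types)}")
    for line in suggested_fix(found):
        print("suggested:", line)
```

Run it against a real file with `enctype_findings(open("/etc/krb5.conf").read())`; an empty result means no enctype key is DES-only. The check deliberately only reads `[libdefaults]`, since that is where the quoted configuration pins both ticket and TGS enctypes to DES-CBC-CRC.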