Re: pamkrbval: KDC policy rejects request for this entry - Kerberos


Thread: Re: pamkrbval: KDC policy rejects request for this entry

  1. Re: pamkrbval: KDC policy rejects request for this entry

    According to the HP release notes (I have Kerberos Client C.1.3.5.05):

    The client libraries are based on MIT Kerberos V5 1.3.5 release. The
    KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
    RFC 1510 of the IETF. This release of Kerberos Client is interoperable
    with Microsoft Windows 2000 and 2003.

    I will try tomorrow when I am back in the office by setting the
    default_*_enctypes to RC4-HMAC... the strange thing is, the HP
    configuration guide I am following has a sample krb5.conf and only
    mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
    is no mention of RC4 in the whole document.
    I will try removing default_*_enctypes altogether as well, and failing
    that, will have a go with DES encryption only..

    If this turns out to be the solution, I will be over the moon... this
    has been dragging on for some time

    I will post back tomorrow with my results.. thanks for the replies so far guys.

    Regards

    Richard

    On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller wrote:
    > Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
    > assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
    > MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be DES
    > only. Secondly did you change the password of the unix_client user ? If not
    > please try to change the password once and re-extract the keytab.
    >
    > Markus
    >
    > "Richard Curtis" wrote in message
    > news:5745a7060808261135s26134f5bg495452c33920af1f@ mail.gmail.com...
    >> Hi,
    >> I am trying to get an HPUX 11i box to authenticate against our
    >> active directory (Windows 2003r2) domain with kerberos but I am
    >> getting nowhere fast.
    >>
    >> As per the docs I have, I have created a user account in active
    >> directory, then used "ktpass -princ
    >> host/unix_client.domain.host.com@DOMAIN.HOST.COM -mapuser unix_lient
    >> -pass -out c:\krb5.keytab"
    >> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
    >> keep getting "KDC policy rejects request for this entry"
    >>
    >> I am guessing this is more of a Windows/AD config issue, but thought
    >> someone here might have seen this?
    >>
    >> cat /etc/krb5.conf
    >> [libdefaults]
    >> default_realm = DOMAIN.HOST.COM
    >> default_tgs_enctypes = DES-CBC-CRC
    >> default_tkt_enctypes = DES-CBC-CRC
    >> ccache_type = 2
    >> ticket_liftetime = 24000
    >> #dns_lookup_kdc = true
    >>
    >> [realms]
    >> DOMAIN.HOST.COM = {
    >> kdc = 2003_dc.domain.host.com
    >> kpasswd_server = 2003_dc.domain.host.com:464
    >> }
    >>
    >> [domain_realm]
    >> domain.host.com = DOMAIN.HOST.COM
    >> .domain.host.com = DOMAIN.HOST.COM
    >>
    >> [logging]
    >> default = FILE:/var/adm/krb5lib.log
    >> kdc = FILE:/var/adm/krb5kdc.log
    >> admin_server = FILE:/var/adm/kKDCmind.log
    >>
    >> [appdefaults]
    >> pam = {
    >> debug = false
    >> ticket_lifetime = 36000
    >> renew_lifetime = 36000
    >> forwardable = true
    >> krb4_convert = false
    >> }
    >>
    >> unix_client:/var/adm/syslog >pamkrbval -v
    >>
    >> Validating the pam configuration files
    >> ---------- --- --- ------------- -----
    >>
    >> Validating the /etc/pam.conf file
    >> [LOG] : The /etc/pam.conf files permissions are fine
    >> [LOG] : Opened : /etc/pam.conf
    >>
    >> [PASS] : The validation of config file: /etc/pam.conf passed
    >>
    >> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
    >> as libpam_updbe library is not configured
    >>
    >> Validating the kerberos config file
    >> ---------- --- -------- ------ -----
    >> [PASS] : Initialization of kerberos passed
    >>
    >> Connecting to default Realm
    >> ---------- -- ------- -----
    >> [LOG] : The default realm is : DOMAIN.HOST.COM
    >> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
    >> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
    >> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
    >> [PASS] : Default Realm is issuing tickets
    >>
    >> Validating the keytab entry for the host service principal
    >> ---------- --- ------ ----- --- --- ---- ------- ---------
    >> [LOG] : Host unix_client, aka unix_client.domain.host.com.
    >> [LOG] : The default keytab name is : /etc/krb5.keytab
    >> [LOG] : Keytab file /etc/krb5.keytab is present
    >> [LOG] : Permissions on /etc/krb5.keytab are correct.
    >> Keytab entry
    >> Principal: host
    >> Host : unix_client.domain.host.com
    >> Realm : DOMAIN.HOST.COM
    >> Version : 23
    >> [LOG] : Pinging KDC to verify whether
    >> host/unix_client.domain.host.com@DOMAIN.HOST.COM exists
    >> pamkrbval: KDC policy rejects request for this entry
    >> [WARNING] : The keytab entry for the host service principal
    >> host/unix_client.domain.host.com@DOMAIN.HOST.COM is invalid
    >> [FAIL] : The keytab validation failed
    >>
    >> Validating the rc_host file for ownership
    >> -------- ------ ---- -------- ------ -----
    >> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
    >> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
    >>
    >> unix_client:/var/adm/syslog >ktutil -i
    >> ktutil: rkt /etc/krb5.keytab
    >> ktutil: list
    >> slot KVNO Principal
    >> ---- ---- ---------------------------------------------------------------------
    >> 1 23 host/unix_client.domain@DOMAIN.HOST.COM
    >> ktutil:
    >> ktutil: unix_client:/var/adm/syslog >
    >>
    >>
    >> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
    >> host/unix_client.domain.host.com
    >> kinit(v5): KDC policy rejects request while getting initial credentials
    >>
    >> Thanks in advance for any help
    >>
    >> Regards
    >>
    >> Richard
    >> ________________________________________________
    >> Kerberos mailing list Kerberos@mit.edu
    >> https://mailman.mit.edu/mailman/listinfo/kerberos
    >>

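The krb5.conf quoted above carries the relation `ticket_liftetime` under `[libdefaults]`, which is not a key MIT krb5 recognises (the documented relation is `ticket_lifetime`); the profile library ignores unknown relations without complaint, and the `ticket_lifetime` under `[appdefaults] pam` is a setting for the PAM module rather than for kinit. Whether that bears on the zero `till` value reported later in the thread is not established on the page. The following is an added example, not code from the thread, from HP or from MIT: it parses a krb5.conf in MIT's profile syntax (sections, `key = value` relations and brace-delimited groups) and flags `[libdefaults]` keys it does not know, suggesting the closest known name. The sample config is a constructed copy of the one posted; `KNOWN_LIBDEFAULTS` is an assumed subset of MIT's documented relations, not the complete list.

```python
"""Added example: parse a krb5.conf and flag unrecognised [libdefaults] keys.
The sample config is a constructed copy of the one posted in the thread."""
import difflib

# Constructed from the krb5.conf quoted in the thread (comments kept as posted).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.HOST.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
ticket_liftetime = 24000
#dns_lookup_kdc = true

[realms]
DOMAIN.HOST.COM = {
kdc = 2003_dc.domain.host.com
kpasswd_server = 2003_dc.domain.host.com:464
}

[domain_realm]
domain.host.com = DOMAIN.HOST.COM
.domain.host.com = DOMAIN.HOST.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
"""

# Assumption: a subset of the [libdefaults] relations documented for MIT krb5.
KNOWN_LIBDEFAULTS = {
    "default_realm", "default_tgs_enctypes", "default_tkt_enctypes",
    "permitted_enctypes", "ccache_type", "ticket_lifetime", "renew_lifetime",
    "forwardable", "proxiable", "dns_lookup_kdc", "dns_lookup_realm",
    "clockskew", "kdc_timesync", "default_keytab_name",
}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a `name = { ... }` group becomes a
    nested dict. Blank lines and lines starting with # or ; are skipped.
    Repeated keys (e.g. several `kdc =` lines) keep the last value, which is
    a simplification of MIT's profile library, not its behaviour."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            stack = [current]          # reset nesting at each section header
            continue
        if current is None:
            raise ValueError("relation outside any section: %r" % line)
        if line == "}":
            stack.pop()                # close the innermost brace group
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def lint_libdefaults(conf):
    """List (key, suggestion) for [libdefaults] keys MIT krb5 would ignore."""
    findings = []
    for key in conf.get("libdefaults", {}):
        if key not in KNOWN_LIBDEFAULTS:
            hint = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1)
            findings.append((key, hint[0] if hint else None))
    return findings


if __name__ == "__main__":
    for key, hint in lint_libdefaults(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        suffix = " (did you mean %r?)" % hint if hint else ""
        print("unknown [libdefaults] key %r%s" % (key, suffix))
```

Run against the sample, the only finding is `ticket_liftetime` with the suggestion `ticket_lifetime`; the commented-out `dns_lookup_kdc` line is skipped, and the `pam` group under `[appdefaults]` is parsed but, by design, not linted against the libdefaults list.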



  2. Re: pamkrbval: KDC policy rejects request for this entry

    I have tried everyone's suggestions, but no joy - although I think I
    can narrow down the problem somewhat...

    After changing the default_t*_enctypes to be "RC4-HMAC" (and also
    removing the lines altogether), I still get the same error...

    In the Windows security log on the domain controller, I have a Failure
    Audit with a result code from the request of 0xC which from some
    searching at Microsoft suggests:
    Requested start time is later than end time
    or Workstation login restrictions..

    From a packet capture using Wireshark, the AS-REQ packet there is an
    entry "till: 1970-01-01 00:00:00 (UTC)"
    It looks as though the requested lifetime of the packet here is in the
    past...

    Any suggestions around that?

    Regards

    Richard



    On 26 Aug, 20:32, "Richard Curtis" wrote:
    > According to the HP release notes (I have Kerberos Client C.1.3.5.05):
    >
    > The client libraries are based on MIT Kerberos V5 1.3.5 release. The
    > KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
    > RFC 1510 of the IETF. This release of Kerberos Client is interoperable
    > with Microsoft Windows 2000 and 2003.
    >
    > I will try tomorrow when I am back in the office by setting the
    > default_*_enctypes to RC4-HMAC... the strange thing is, the HP
    > configuration guide I am following has a sample krb5.conf and only
    > mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
    > is no mention of RC4 in the whole document.
    > I will try removing default_*_enctypes altogether as well, and failing
    > that, will have a go with DES encryption only..
    >
    > If this turns out to be the solution, I will be over the moon... this
    > has been dragging on for some time
    >
    > I will post back tomorrow with my results.. thanks for the replies so far guys.
    >
    > Regards
    >
    > Richard


  3. Re: pamkrbval: KDC policy rejects request for this entry

    Can you check that AD and your HP system are time synchronised ? Can you do
    a kinit unix_client with the correct password ? Do you have the kvno binary
    on the HP platform ? If so can you do a kvno
    host/unix_client.domain.host.com and compare the number with the one in the
    keytab ?

    Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?

    Regards
    Markus


    wrote in message
    news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668@56g2000hsm.googlegroups.com...
    I have tried everyone's suggestions, but no joy - although I think I
    can narrow down the problem somewhat...

    After changing the default_t*_enctypes to be "RC4-HMAC" (and also
    removing the lines altogether), I still get the same error...

    In the Windows security log on the domain controller, I have a Failure
    Audit with a result code from the request of 0xC which from some
    searching at Microsoft suggests:
    Requested start time is later than end time
    or Workstation login restrictions..

    From a packet capture using Wireshark, the AS-REQ packet there is an
    entry "till: 1970-01-01 00:00:00 (UTC)"
    It looks as though the requested lifetime of the packet here is in the
    past...

    Any suggestions around that?

    Regards

    Richard






  4. Re: pamkrbval: KDC policy rejects request for this entry



    Markus Moeller wrote:
    > Can you check that AD and your HP system are time synchronised ? Can you do
    > a kinit unix_client with the correct password ? Do you have the kvno binary
    > on the HP platform ? If so can you do a kvno
    > host/unix_client.domain.host.com and compare the number with the one in the
    > keytab ?
    >
    > Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?


    This could also be something to do with the use of the 197001010000Z
    in the till field of the AS_REQ. This was not in RFC 1510, but is in 4120.
    It looks like the HP is adding this. AD 2003 may not accept it. I don't
    have any client test code to see if this is an AD problem.

    >
    > Regards
    > Markus

    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

  5. Re: pamkrbval: KDC policy rejects request for this entry

    I can get and provide the AS_REQ and AS_REP details tomorrow...
    I have removed all the lifetime entries and tried with having enctypes
    of just RC4-HMAC, and also having RC4-HMAC, DES-CBC-CRC

    One thing about the time differences.. the HPUX host is on GMT, but
    the AD host is on BST... so the clocks are both 1 hour apart (exactly
    1 hour)..
    Unfortunately the UNIX hosts have to remain on GMT year round.
    I assume the actual timezone shift is not an issue here ?

    kinit unix_client prompts for the password then returns with "KDC
    policy rejects request while getting initial credentials"


    On Wed, Aug 27, 2008 at 7:30 PM, Markus Moeller wrote:
    > Can you check that AD and your HP system are time synchronised? Can you do
    > a kinit unix_client with the correct password? Do you have the kvno binary
    > on the HP platform? If so can you do a kvno
    > host/unix_client.domain.host.com and compare the number with the one in the
    > keytab?
    >
    > Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture)?
    >
    > Regards
    > Markus
    >
    >
    > wrote in message
    > news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668@56g2000hsm.googlegroups.com...
    > I have tried everyone's suggestions, but no joy - although I think I
    > can narrow down the problem somewhat...
    >
    > After changing the default_t*_enctypes to be "RC4-HMAC" (and also
    > removing the lines altogether), I still get the same error...
    >
    > In the Windows security log on the domain controller, I have a Failure
    > Audit with a result code from the request of 0xC which from some
    > searching at Microsoft suggests:
    > Requested start time is later than end time
    > or Workstation login restrictions..
    >
    > From a packet capture using Wireshark, in the AS-REQ packet there is an
    > entry "till: 1970-01-01 00:00:00 (UTC)"
    > It looks as though the requested lifetime of the packet here is in the
    > past...
    >
    > Any suggestions around that?
    >
    > Regards
    >
    > Richard
    >
    >
    >
    > On 26 Aug, 20:32, "Richard Curtis" wrote:
    >> According to the HP release notes (I have Kerberos Client C.1.3.5.05):
    >>
    >> The client libraries are based on MIT Kerberos V5 1.3.5 release. The
    >> KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
    >> RFC 1510 of the IETF. This release of Kerberos Client is interoperable
    >> with Microsoft Windows 2000 and 2003.
    >>
    >> I will try tomorrow when I am back in the office by setting the
    >> default_*_enctypes to RC4-HMAC... the strange thing is, the HP
    >> configuration guide I am following has a sample krb5.conf and only
    >> mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
    >> is no mention of RC4 in the whole document.
    >> I will try removing default_*_enctypes altogether as well, and failing
    >> that, will have a go with DES encryption only..
    >>
    >> If this turns out to be the solution, I will be over the moon... this
    >> has been dragging on for some time
    >>
    >> I will post back tomorrow with my results.. thanks for the replies so far
    >> guys.
    >>
    >> Regards
    >>
    >> Richard
    >>
    >>
    >>
    >> On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller wrote:
    >> > Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your
    >> > configuration assuming you have a MIT Kerberos version > 1.3 (is HPUX
    >> > 11i still based on MIT 1.1.1?). If not you need to set the AD entry
    >> > for unix_client to be DES only. Secondly did you change the password
    >> > of the unix_client user? If not please try to change the password
    >> > once and re-extract the keytab.
    >> >
    >> > Markus
    >> >
    >> > "Richard Curtis" wrote in message
    >> > news:5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com...
    >> >> Hi,
    >> >> I am trying to get an HPUX 11i box to authenticate against our
    >> >> active directory (Windows 2003r2) domain with kerberos but I am
    >> >> getting nowhere fast.
    >> >>
    >> >> As per the docs I have, I have created a user account in active
    >> >> directory, then used "ktpass -princ
    >> >> host/unix_client.domain.host....@DOMAIN.HOST.COM -mapuser unix_client
    >> >> -pass -out c:\krb5.keytab"
    >> >> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
    >> >> keep getting "KDC policy rejects request for this entry"
    >> >>
    >> >> I am guessing this is more of a Windows/AD config issue, but thought
    >> >> someone here might have seen this?
    >> >>
    >> >> cat /etc/krb5.conf
    >> >> [libdefaults]
    >> >> default_realm = DOMAIN.HOST.COM
    >> >> default_tgs_enctypes = DES-CBC-CRC
    >> >> default_tkt_enctypes = DES-CBC-CRC
    >> >> ccache_type = 2
    >> >> ticket_lifetime = 24000
    >> >> #dns_lookup_kdc = true
    >> >>
    >> >> [realms]
    >> >> DOMAIN.HOST.COM = {
    >> >> kdc = 2003_dc.domain.host.com
    >> >> kpasswd_server = 2003_dc.domain.host.com:464
    >> >> }
    >> >>
    >> >> [domain_realm]
    >> >> domain.host.com = DOMAIN.HOST.COM
    >> >> .domain.host.com = DOMAIN.HOST.COM
    >> >>
    >> >> [logging]
    >> >> default = FILE:/var/adm/krb5lib.log
    >> >> kdc = FILE:/var/adm/krb5kdc.log
    >> >> admin_server = FILE:/var/adm/kKDCmind.log
    >> >>
    >> >> [appdefaults]
    >> >> pam = {
    >> >> debug = false
    >> >> ticket_lifetime = 36000
    >> >> renew_lifetime = 36000
    >> >> forwardable = true
    >> >> krb4_convert = false
    >> >> }
    >> >>
    >> >> unix_client:/var/adm/syslog >pamkrbval -v
    >> >>
    >> >> Validating the pam configuration files
    >> >> ---------- --- --- ------------- -----
    >> >>
    >> >> Validating the /etc/pam.conf file
    >> >> [LOG] : The /etc/pam.conf files permissions are fine
    >> >> [LOG] : Opened : /etc/pam.conf
    >> >>
    >> >> [PASS] : The validation of config file: /etc/pam.conf passed
    >> >>
    >> >> [NOTICE] : The validation of config file: /etc/pam_user.conf is not
    >> >> done
    >> >> as libpam_updbe library is not configured
    >> >>
    >> >> Validating the kerberos config file
    >> >> ---------- --- -------- ------ -----
    >> >> [PASS] : Initialization of kerberos passed
    >> >>
    >> >> Connecting to default Realm
    >> >> ---------- -- ------- -----
    >> >> [LOG] : The default realm is : DOMAIN.HOST.COM
    >> >> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
    >> >> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
    >> >> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
    >> >> [PASS] : Default Realm is issuing tickets
    >> >>
    >> >> Validating the keytab entry for the host service principal
    >> >> ---------- --- ------ ----- --- --- ---- ------- ---------
    >> >> [LOG] : Host unix_client, aka unix_client.domain.host.com.
    >> >> [LOG] : The default keytab name is : /etc/krb5.keytab
    >> >> [LOG] : Keytab file /etc/krb5.keytab is present
    >> >> [LOG] : Permissions on /etc/krb5.keytab are correct.
    >> >> Keytab entry
    >> >> Principal: host
    >> >> Host : unix_client.domain.host.com
    >> >> Realm : DOMAIN.HOST.COM
    >> >> Version : 23
    >> >> [LOG] : Pinging KDC to verify whether
    >> >> host/unix_client.domain.host....@DOMAIN.HOST.COM exists
    >> >> pamkrbval: KDC policy rejects request for this entry
    >> >> [WARNING] : The keytab entry for the host service principal
    >> >> host/unix_client.domain.host....@DOMAIN.HOST.COM is invalid
    >> >> [FAIL] : The keytab validation failed
    >> >>
    >> >> Validating the rc_host file for ownership
    >> >> -------- ------ ---- -------- ------ -----
    >> >> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
    >> >> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
    >> >>
    >> >> unix_client:/var/adm/syslog >ktutil -i
    >> >> ktutil: rkt /etc/krb5.keytab
    >> >> ktutil: list
    >> >> slot KVNO Principal
    >> >> ---- ---- ---------------------------------------------------------------------
    >> >> 1 23 host/unix_client.dom...@DOMAIN.HOST.COM
    >> >> ktutil:
    >> >> ktutil: unix_client:/var/adm/syslog >
    >> >>
    >> >> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab host/unix_client.domain.host.com
    >> >> kinit(v5): KDC policy rejects request while getting initial credentials
    >> >>
    >> >> Thanks in advance for any help
    >> >>
    >> >> Regards
    >> >>
    >> >> Richard


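The three things the replies above ask for (clock skew between the HP-UX box and the DC, the kvno in the keytab versus the one the KDC holds, and the AS-REQ/AS-REP decode) can be reduced to a short triage once the values are in hand. The script below is an added example written for this thread; it is not code from the thread, from HP-UX or from MIT Kerberos. It takes the values as you would read them off a Wireshark decode and the DC's failure audit (the audit "result code" is the RFC 4120 error number in hex, so 0xC is KDC_ERR_POLICY) and reports which of the usual causes each one points at. Two facts it relies on: KerberosTime is always UTC, so whether a host displays GMT or BST never reaches the wire and only the real offset between the clocks counts; and RFC 4120 section 5.4.1 defines a till of 19700101000000Z as "give me the maximum lifetime KDC policy allows", not as a time in the past, so the script flags till only when it is a real timestamp that has already passed. The clocks and kvno values at the bottom are constructed for the demonstration, not captured from anyone's system.

```python
"""Triage of a failing Kerberos AS exchange from the values a Wireshark
decode and a Windows failure audit give you.

Added example for this thread; not code from the thread, HP-UX or MIT.
Error numbers are RFC 4120 section 7.5.9 codes; the Windows audit
"result code" (0xC here) is the same number in hex. The sample clocks
and kvnos at the bottom are constructed, not captured.
"""
from datetime import datetime, timedelta, timezone

# Subset of RFC 4120 error codes that turn up in AS-REQ/AS-REP triage.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",            # 0xC: "KDC policy rejects request"
    14: "KDC_ERR_ETYPE_NOSUPP",      # no enctype in common with the KDC
    18: "KDC_ERR_CLIENT_REVOKED",    # account disabled, locked or expired
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",    # wrong key: stale keytab or password
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",           # clocks further apart than clockskew
}

MAX_SKEW = timedelta(minutes=5)      # default clockskew on MIT and on AD
EPOCH_TILL = "19700101000000Z"       # RFC 4120 5.4.1: request the KDC maximum


def error_name(code):
    """Map a numeric (or hex-from-the-event-log) error code to its name."""
    return KRB_ERRORS.get(code, "unknown(%d)" % code)


def parse_kerberos_time(text):
    """KerberosTime is GeneralizedTime YYYYMMDDHHMMSSZ and is always UTC,
    so a host's local zone (GMT or BST) never appears on the wire."""
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("not a KerberosTime: %r" % text)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def clock_skew_seconds(client_now, kdc_now):
    """Absolute difference between two clocks, compared as UTC instants."""
    delta = client_now.astimezone(timezone.utc) - kdc_now.astimezone(timezone.utc)
    return abs(delta.total_seconds())


def check_till(till_text, client_now):
    """Classify the AS-REQ 'till' field. The epoch value is a request for
    the policy maximum, not a time in the past; anything else is compared
    with the client's clock."""
    if till_text == EPOCH_TILL:
        return "kdc-maximum"
    if parse_kerberos_time(till_text) <= client_now.astimezone(timezone.utc):
        return "past"
    return "ok"


def triage(till_text, kdc_error, keytab_kvno, kdc_kvno, client_now, kdc_now):
    """Return the findings a practitioner would act on, in check order."""
    findings = ["KDC error %#x = %s" % (kdc_error, error_name(kdc_error))]
    skew = clock_skew_seconds(client_now, kdc_now)
    if skew > MAX_SKEW.total_seconds():
        findings.append("clock skew %.0fs exceeds %ds"
                        % (skew, MAX_SKEW.total_seconds()))
    if check_till(till_text, client_now) == "past":
        findings.append("till %s is already in the past" % till_text)
    if keytab_kvno != kdc_kvno:
        findings.append("keytab kvno %d != KDC kvno %d: re-extract the keytab"
                        % (keytab_kvno, kdc_kvno))
    return findings


# Constructed sample clocks: the same instant shown in GMT and in BST.
CLIENT_NOW = datetime(2008, 8, 27, 18, 0, 0, tzinfo=timezone.utc)
KDC_NOW = datetime(2008, 8, 27, 19, 0, 0, tzinfo=timezone(timedelta(hours=1)))
# A KDC clock that really is an hour and a minute ahead of the client.
KDC_NOW_AHEAD = datetime(2008, 8, 27, 19, 1, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # The thread's symptom: epoch till, 0xC, matching kvno, zones differ only.
    for line in triage(EPOCH_TILL, 0xC, 23, 23, CLIENT_NOW, KDC_NOW):
        print(line)
    # A constructed bad case: real skew, a till in the past, stale keytab.
    for line in triage("20080827170000Z", 0x25, 23, 24, CLIENT_NOW, KDC_NOW_AHEAD):
        print(line)
```

Feed it the till string exactly as Wireshark shows the GeneralizedTime, the result code from the DC's failure audit, the KVNO column from `ktutil list`, and the number `kvno host/unix_client.domain.host.com` prints when it works; for the clocks use `date -u` on both hosts at the same moment rather than local time. In the first run only the error name comes back, which is the point: a one-hour display difference between GMT and BST is not skew, and the epoch till is a legal request, so neither explains a KDC_ERR_POLICY on its own.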