Hi,

this should be simple enough and contains the explanation of what and
why is being done

http://techpubs.spinlocksolutions.com/dklar/ldap.html

http://techpubs.spinlocksolutions.co.../kerberos.html

M.


On Mon, 2008-10-27 at 12:06 +0100, Ronni Feldt wrote:
> On Mon, 2008-10-27 at 10:27 +0000, Martin Simovic wrote:
> > Hi,
> >
> > your DNS has to work properly, kerberos is unforgiving there. also, does
> > your user exist on the server you are trying to log to? you need a
> > separate mechanism (like LDAP) for user database, kerberos provides only
> > authentication (not authorization)
> >
> > M.
> >
> >

>
> No my user does not excist on the server. I found that clue my self, and
> tried to create the user ronni on the server and was then able to login
> via ssh using both the kerberos and local password.
>
> So I can't do what I want, unless I use LDAP or create every single user
> on all servers :-P
>
> I will take a look at OpenLDAP, anyone have any guides/howto on that
> subject?
>
> And thank you for your help! :-)
>
> - Ronni
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> > On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> > > I'm about to make some central authentication for our linux servers. I
> > > have followed these guides and some of it works, except ssh to the
> > > server.
> > >
> > > Guides:
> > > http://www.visolve.com:81/security/ssh_kerberos.php
> > > http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
> > >
> > > My test-environment is 3 computers (pc1, pc2 and pc3):
> > >
> > > PC2 (Debian Etch)
> > > Installed kerberos and configured realms in /etc/krb5.conf:
> > >
> > > [libdefaults]
> > > default_realm = ONE.COM
> > >
> > > [realms]
> > > ONE.COM = {
> > > kdc = kerberos.one.com
> > > admin_server = kerberos.one.com
> > > }
> > >
> > > Created principals:
> > > host/rofe (the pc which I want to login to via ssh, PC1)
> > > ronni (me)
> > >
> > > Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
> > >
> > > PC1 (Ubuntu 8.04):
> > > I have installed kerberos and openssh and configured realms
> > > in /etc/krb5.conf
> > >
> > > [libdefaults]
> > > default_realm = ONE.COM
> > >
> > > [realms]
> > > ONE.COM = {
> > > kdc = kerberos.one.com
> > > admin_server = kerberos.one.com
> > > }
> > >
> > >
> > > Edited persmissions for /etc/krb5.keytab to:
> > > chmod 600 /etc/krb5.keytab
> > > chown root:root /etc/krb5.keytab
> > >
> > > Configured and restarted ssh; /etc/ssh/sshd_config:
> > > # Kerberos options
> > > KerberosAuthentication yes
> > > #KerberosGetAFSToken no
> > > #KerberosOrLocalPasswd yes
> > > KerberosTicketCleanup yes
> > >
> > > Edited firewall-rules and /etc/hosts for communication.
> > >
> > > -----
> > > >From PC1 I can do a:
> > > kinit ronni
> > > And verify that I get a ticket with klist.
> > >
> > > But it fails when I try to ssh from PC3 to PC1.
> > > On PC2 I have tried to make a:
> > > tcpdump -i eth0 'udp port 88'
> > >
> > > And get this:
> > > 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> > > 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> > > 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> > > 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
> > >
> > > So they can communicate, but the authentication fails:
> > > The /var/log/auth.log :
> > > PC1 (where I want to login)
> > > Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> > > 192.168.212.254
> > > Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> > > from 192.168.212.254 port 47098 ssh2
> > > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> > > unknown
> > > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> > > Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> > > from 192.168.212.254 port 47098 ssh2
> > >
> > > PC2 (the kerberos server)
> > > Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> > > 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER@ONE.COM for
> > > krbtgt/ONE.COM@ONE.COM, Client not found in Kerberos database
> > >
> > >
> > > I know my user (ronni) is in the Kerberos database, but still I get
> > > CLIENT_NOT_FOUND, so I may have missed something somewhere.
> > > What I want to achieve is a central user database (Kerberos), and be
> > > able to login on all servers without the need for creating every single
> > > user on every server.
> > >
> > >
> > > Help :-)
> > >
> > > - Ronni
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos

> >

>