Kerberizing a unix based application - Kerberos


Thread: Kerberizing a unix based application

  1. Kerberizing a unix based application

    Hi,

    I have joined a linux machine (Red Hat Linux Enterprise Server) to Windows
    2003 Server Domain Controller. I have also configured Kerberos and TGT is
    received properly (verified using KLIST) & even telnet is working properly.

    Please answer my 3 questions:
    1. Assume I have set up Kerberos successfully; if I log in from my Windows
    desktop and try to do telnet to the linux machine, then does it mean that I need
    NOT enter login name & password; I will get the successful telnet prompt?

    2. Here, do I need to ensure that the login user name has to be the SAME in both
    Linux & 2003 Server AD? Do I need to maintain some kind of mapping?

    3. If the above assumption (i.e. no login name, password required) is
    correct, then please let me know from where I should really begin. I'm
    kinda lost with all the information available on the net.
    (I have already configured Kerberos-SSO for a Desktop application using SSPI
    protocol)

    Thanks in advance.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberizing a unix based application

    >>>>> "ZJ" == "Ziangi Jones" writes:

    ZJ> Hi, I have joined a linux machine (Red Hat Linux Enterprise
    ZJ> Server) to Windows 2003 Server Domain Controller. I have also
    ZJ> configured Kerberos and TGT is received properly (verified using
    ZJ> KLIST) & even telnet is working properly.

    ZJ> Please answer my 3 questions: 1. Assume i have setup Kerberos
    ZJ> successfully; if I log-in from my Windows desktop and try to do
    ZJ> telnet to linux machine, then does it mean that i need NOT enter
    ZJ> login name & password; I will get the successful telnet prompt.

    If you have a kerberized telnet client that uses the Windows Kerberos API
    (SSPI).

    ZJ> 2. Here, do i need to ensure that login user name has to be SAME
    ZJ> in both Linux & 2003 Server AD? Do i need to maintain some kind of
    ZJ> mapping?

    If they are not the same, just use telnet -l username & authorize the
    Windows principal in the target RHEL account with ~/.k5login.

    --
    Richard Silverman
    res@qoxp.net
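    Richard's answer rests on ~/.k5login: a file in the target Unix account's home directory listing the Kerberos principals allowed to log in to that account, which is how an AD user is authorized into a Unix account with a different login name (hence telnet -l). The Python below is an added example, not code from the mailing list or from MIT Kerberos: it writes such a file and checks it the way the accepting side should before trusting it. The principal names and the temporary home directory are constructed for the demo; the ownership requirement is the library's own, while the write-bit and syntax checks are extra hygiene added here.

```python
"""Added example (not from the thread): authorize an AD principal in a local
account's ~/.k5login, the mapping Richard describes for `telnet -l username`."""
import os
import re
import stat
import tempfile

# Kerberos principal: primary[/instance]@REALM, no whitespace.  Simplified
# pattern written for this example; it accepts the common AD forms.
_PRINCIPAL_RE = re.compile(r"^[^@\s/]+(?:/[^@\s]+)?@[A-Za-z0-9.-]+$")


def valid_principal(principal: str) -> bool:
    """True if `principal` looks like user@REALM (or user/instance@REALM)."""
    return _PRINCIPAL_RE.match(principal) is not None


def k5login_path(home_dir: str) -> str:
    return os.path.join(home_dir, ".k5login")


def read_entries(home_dir: str) -> list:
    """Non-empty lines of ~/.k5login, stripped; [] when the file is absent."""
    path = k5login_path(home_dir)
    if not os.path.exists(path):
        return []
    with open(path, encoding="ascii") as fh:
        return [ln.strip() for ln in fh if ln.strip()]


def authorize(home_dir: str, principal: str) -> None:
    """Append `principal` to ~/.k5login (kept at mode 0600) unless present."""
    if not valid_principal(principal):
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    if principal in read_entries(home_dir):
        return
    path = k5login_path(home_dir)
    with open(path, "a", encoding="ascii") as fh:
        fh.write(principal + "\n")
    os.chmod(path, 0o600)


def k5login_problems(home_dir: str) -> list:
    """Reasons to refuse this ~/.k5login, as strings ([] means healthy).

    Ownership by the account (or root) is what the MIT library requires; the
    write-bit and syntax checks are hygiene added for this example."""
    path = k5login_path(home_dir)
    if not os.path.isfile(path):
        return ["no .k5login file"]
    st = os.stat(path)
    problems = []
    if st.st_uid not in (os.stat(home_dir).st_uid, 0):
        problems.append("not owned by the account owner or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    for entry in read_entries(home_dir):
        if not valid_principal(entry):
            problems.append(f"malformed entry {entry!r}")
    return problems


def is_authorized(home_dir: str, principal: str) -> bool:
    """Accepting-side decision: an unhealthy file authorizes nobody."""
    return not k5login_problems(home_dir) and principal in read_entries(home_dir)


def demo() -> dict:
    """Run the scenario in a throwaway home directory with constructed names."""
    home = tempfile.mkdtemp(prefix="k5login-demo-")
    authorize(home, "winuser@KERDOM.COM")   # AD account -> this Unix account
    authorize(home, "winuser@KERDOM.COM")   # second call is a no-op
    result = {
        "entries": read_entries(home),
        "authorized": is_authorized(home, "winuser@KERDOM.COM"),
        "stranger": is_authorized(home, "someone.else@KERDOM.COM"),
        "clean": k5login_problems(home),
    }
    os.chmod(k5login_path(home), 0o666)     # simulate a carelessly loosened file
    result["after_loosening"] = k5login_problems(home)
    result["authorized_after_loosening"] = is_authorized(home, "winuser@KERDOM.COM")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run as a script it prints the scenario. On a real host the file belongs in the target account's home directory, and each entry is the Windows principal in user@REALM form with the realm written the way the KDC issues it; whatever is allowed to edit that file is, in effect, allowed to grant access to the account.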


  3. Re: Kerberizing a unix based application

    Hi Richard,

    Initially, I thought that I had configured Kerberos successfully, but I was
    wrong.
    I got the TGT when I entered the 2003 username & password on the linux machine.

    Then I tried to do a telnet to the linux machine. I entered a linux username &
    password & got the error: "Client not found in Kerberos database while
    getting initial credentials"

    here's my /etc/krb5.conf file:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      default_realm = KERDOM.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true

    [realms]
      KERDOM.COM = {
        kdc = KERDOMGDC01.KERDOM.COM
        default_domain = KERDOM.COM
        admin_server = KERDOMGDC01.KERDOM.COM
      }

    [domain_realm]
      .kerdom.com = KERDOM.COM
      kerdom.com = KERDOM.COM

    [kdc]
      profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
      pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
      }
    ---------

    /var/kerberos/krb5kdc/kdc.conf file:

    [kdcdefaults]
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      database_name = /var/kerberos/krb5kdc/principal
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      key_stash_file = /var/kerberos/krb5kdc/.k5.KERDOM.COM
      v4_mode = nopreauth

    [realms]
      KERDOM.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
      }

    I also tried /usr/kerberos/sbin/kdb5_util create -s.

    It gave me an error: "/var/kerberos/krb5kdc/principal appears to already
    exist."

    Please let me know what I am missing.

    (KERDOMGDC01 = 2003 Domain controller; KERDOM.COM = Domain name or realm)

    Thank you.

    On 23 Mar 2006 14:04:49 -0500, Richard E. Silverman wrote:
    >
    > >>>>> "ZJ" == "Ziangi Jones" writes:

    >
    > ZJ> Hi, I have joined a linux machine (Red Hat Linux Enterprise
    > ZJ> Server) to Windows 2003 Server Domain Controller. I have also
    > ZJ> configured Kerberos and TGT is received properly (verified using
    > ZJ> KLIST) & even telnet is working properly.
    >
    > ZJ> Please answer my 3 questions: 1. Assume i have setup Kerberos
    > ZJ> successfully; if I log-in from my Windows desktop and try to do
    > ZJ> telnet to linux machine, then does it mean that i need NOT enter
    > ZJ> login name & password; I will get the successful telnet prompt.
    >
    > If you have a kerberized telnet client that uses the Windows Kerberos API
    > (SSPI).
    >
    > ZJ> 2. Here, do i need to ensure that login user name has to be SAME
    > ZJ> in both Linux & 2003 Server AD? Do i need to maintain some kind of
    > ZJ> mapping?
    >
    > If they are not the same, just use telnet -l username & authorize the
    > Windows principal in the target RHEL account with ~/.k5login.
    >
    > --
    > Richard Silverman
    > res@qoxp.net

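    Two things in this post are worth separating, and the added example below (not code from the mailing list or from MIT Kerberos) makes them concrete by parsing the posted krb5.conf. First, "Client not found in Kerberos database" is the KDC reporting that the client principal named in the request does not exist in its database. With KERDOMGDC01, the Windows domain controller, configured as the realm's KDC, a login name typed at the Linux prompt is qualified with default_realm and looked up in Active Directory, so a Unix-only account name cannot obtain a TGT; the ~/.k5login mapping from the previous reply works in the other direction, from an existing AD principal to a local account. Second, the [kdc] section, kdc.conf and kdb5_util create only set up a KDC database on the Linux host itself, which is what the "already exists" message refers to; they play no part in authenticating against the domain controller. The configuration text in the code is the one posted (the parser also accepts the closing brace trailing the last directive, as in the original mail); the host and login names used in the checks are constructed.

```python
"""Added example (not from the thread or MIT krb5): parse the krb5.conf posted
above and show what the failing telnet login depends on."""
import re

# The /etc/krb5.conf from the post, content as posted (blank lines dropped).
KRB5_CONF = """\
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = KERDOM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
KERDOM.COM = {
kdc = KERDOMGDC01.KERDOM.COM
default_domain = KERDOM.COM
admin_server = KERDOMGDC01.KERDOM.COM
}
[domain_realm]
.kerdom.com = KERDOM.COM
kerdom.com = KERDOM.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false }
"""

def parse_krb5_conf(text: str) -> dict:
    """{section: {key: [values]}}; `key = { ... }` becomes a nested dict.  The
    closing `}` may stand alone or trail the block's last directive, as above."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"directive before any [section]: {line!r}")
        if line == "}":
            block = None
            continue
        closes = line.endswith("}")
        key, eq, value = (line[:-1] if closes else line).partition("=")
        key, value = key.strip(), value.strip()
        if not eq or not key:
            raise ValueError(f"cannot parse directive: {raw!r}")
        if value == "{":
            block = section[key] = {}
        else:
            (section if block is None else block).setdefault(key, []).append(value)
            if closes:
                block = None
    return conf

def realm_for_host(conf: dict, host: str):
    """[domain_realm] lookup as the library does it: the exact host first, then
    each parent domain with its leading dot.  None means: fall back to DNS
    (dns_lookup_realm) or to default_realm."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None

def client_principal(conf: dict, login_name: str) -> str:
    """A bare login name is qualified with default_realm and must exist as a
    principal on the KDC (here the AD domain controller); otherwise the KDC
    answers 'Client not found in Kerberos database'."""
    return f"{login_name}@{conf['libdefaults']['default_realm'][0]}"

def check_config(conf: dict) -> list:
    """Consistency findings, as strings (empty list = nothing to report)."""
    findings, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm[0] not in realms:
            findings.append(f"[domain_realm] {domain} -> undefined realm {realm[0]}")
    if "kdc" in conf:
        findings.append("[kdc] only configures a KDC running on this host; with "
                        "the AD domain controller as KDC it is unused")
    return findings
```

    With the posted file, realm_for_host maps KERDOMGDC01.KERDOM.COM to KERDOM.COM, the realm's only KDC is the domain controller, and check_config reports nothing wrong with the realm mapping itself; its single finding is the [kdc] section, which belongs to a local KDC this host is not running.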