pam_krb5 can't locate my KDC - Kerberos


Thread: pam_krb5 can't locate my KDC

  1. pam_krb5 can't locate my KDC

    I was just trying pam_krb5 for kicks but it can't find my KDC. My
    /etc/krb5.conf is just:

    [realms]
    WIN.NET = {
    kdc = ts0.win.net
    }

    [domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET

    I would think this should be sufficient no?

    From looking at a capture I can see it trying a TXT _kerberos.foo.net
    lookup but even if I add a record for this with "WIN.NET" I see no
    communication with the KDC.

    Obviously I don't know what I'm doing. Can someone enlighten me?

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: pam_krb5 can't locate my KDC

    Hi Michael,
    From what I know about Kerberos and the configurations for the same, ideally there is one more section which I feel should be included in the krb5.conf file. It is called the libdefaults section where we can specify the default values for some of the parameters like the domain name, ticket lifetime etc. The section looks something like this:

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = MYDOMAIN.COM

    So you need to have 3 sections in your krb5.conf - libdefaults, realms and domain_realms.

    Normally they do provide a template for the Kerberos config file with the installation for every OS.
    E.g. for AIX the default file looks as follows:

    # krb5.conf template
    # In order to complete this configuration file
    # you will need to replace the ____ placeholders
    # with appropriate values for your network.
    #
    [libdefaults]
    default_realm = ___default_realm___
    [realms]
    ___default_realm___ = {
    kdc = ___master_kdc___
    ___slave_kdcs___
    admin_server = ___master_kdc___
    }
    [domain_realm]
    ___domain_mapping___
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
    # How often to rotate kdc.log. Logs will get rotated no more
    # often than the period, and less often if the KDC is not used
    # frequently.
    period = 1d
    # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
    versions = 10
    }
    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }

    This is the same for all the UNIX flavours.
    Can you try adding the libdefaults section as well in the krb5.conf file?

    All the best,
    Regards,
    Sayali

    Michael B Allen wrote:
    I was just trying pam_krb5 for kicks but it can't find my KDC. My
    /etc/krb5.conf is just:

    [realms]
    WIN.NET = {
    kdc = ts0.win.net
    }

    [domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET

    I would think this should be sufficient no?

    From looking at a capture I can see it trying a TXT _kerberos.foo.net
    lookup but even if I add a record for this with "WIN.NET" I see no
    communication with the KDC.

    Obviously I don't know what I'm doing. Can someone enlighten me?

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/





  3. Re: pam_krb5 can't locate my KDC

    On Mon, 21 Aug 2006 05:02:06 +0100 (BST)
    sayali k wrote:

    > Hi Michael,
    > From what I know about Kerberos and the configurations for the same, ideally there is one more section which I feel should be included in the krb5.conf file. It is called the libdefaults section where we can specify the default values for some of the parameters like the domain name, ticket lifetime etc. The section looks something like this:
    >
    > [libdefaults]
    > default_realm = MYDOMAIN.COM


    > Can you try adding the libdefaults section as well in the krb5.conf file?
    >


    With a libdefaults section I no longer see any _kerberos.foo.net TXT
    lookups so the change definitely had an effect. Unfortunately the capture
    also shows it still doesn't attempt to communicate with the KDC at all.

    That was using pam.d/sshd. I tried telnet with a pam.d/telnet but for
    some reason the file is ignored. Are xinetd services handled specially? Does
    a localhost logon bypass pam?

    If I add [appdefaults] pam = { debug = true }, add *.debug to
    /etc/syslog.conf and restart syslog I should see some debugging output
    but I get absolutely nothing.

    And I thought I was good at Linux stuff.

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/
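The behaviour reported in posts 1 and 3 (a TXT lookup for `_kerberos.foo.net` with no `[libdefaults]`, and no lookup once `default_realm` is present) follows from the order in which an MIT-style client resolves its realm and KDC. The script below is an added example written for this thread; it is not code from the thread or from any Kerberos implementation. The resolution order it models (default realm from `[libdefaults]`, else a DNS TXT query for `_kerberos.<local domain>`; KDC from the realm's `kdc =` lines, else a DNS SRV query for `_kerberos._udp.<realm>`; host-to-realm mapping from `[domain_realm]` by longest suffix) is my understanding of MIT krb5 of that era and is an assumption. The two config texts and the hostname `quark.foo.net` are taken from the thread; the function names and the report format are constructed.

```python
"""Model of how an MIT-style Kerberos client picks its realm and KDC.

Added example for this thread, not code from the thread or from any Kerberos
implementation. The lookup order is my understanding of MIT krb5 of that era
(an assumption): default realm from [libdefaults], else a DNS TXT query for
_kerberos.<local domain>; KDC from the realm's kdc= lines, else a DNS SRV query
for _kerberos._udp.<realm>; host-to-realm mapping via [domain_realm] by longest
suffix. The two config texts and quark.foo.net come from the thread.
"""
from __future__ import annotations

import re

# The poster's first krb5.conf (no [libdefaults] section).
CONF_ORIGINAL = """
[realms]
WIN.NET = {
kdc = ts0.win.net
}
[domain_realm]
.foo.net = WIN.NET
foo.net = WIN.NET
"""

# The poster's later file: default_realm added, pam debugging turned on.
CONF_WITH_LIBDEFAULTS = """
[libdefaults]
default_realm = WIN.NET
[appdefaults]
pam = {
debug = true
}
""" + CONF_ORIGINAL


def parse_krb5_conf(text: str) -> dict[str, dict]:
    """Parse the krb5.conf subset used in the thread: [section] headers,
    'key = value' lines, one level of 'NAME = { ... }' sub-blocks, '#' comments.
    Repeated keys (e.g. several 'kdc =' lines) are kept in order as a list."""
    conf: dict[str, dict] = {}
    section: dict | None = None
    block: dict | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def default_realm(conf: dict, local_hostname: str) -> tuple[str, str]:
    """('config', REALM) if [libdefaults] names one; otherwise ('dns_txt', QUERY),
    the TXT name the library asks DNS for when it has nothing else to go on."""
    names = conf.get("libdefaults", {}).get("default_realm")
    if names:
        return "config", names[0]
    domain = local_hostname.partition(".")[2]
    return "dns_txt", f"_kerberos.{domain}"


def locate_kdc(conf: dict, realm: str) -> tuple[str, list[str] | str]:
    """KDCs for a realm: explicit kdc= lines, else the SRV name DNS would be asked for."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc")
    if kdcs:
        return "config", kdcs
    return "dns_srv", f"_kerberos._udp.{realm}"


def host_realm(conf: dict, hostname: str) -> str | None:
    """[domain_realm] lookup: exact host, then parent domains with a leading dot."""
    mapping = conf.get("domain_realm", {})
    name = hostname.lower().rstrip(".")
    if name in mapping:
        return mapping[name][0]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate][0]
    return None


def explain(conf_text: str, local_hostname: str) -> dict:
    """Walk the chain and report the first thing the client would have to do."""
    conf = parse_krb5_conf(conf_text)
    report = {"host_realm": host_realm(conf, local_hostname),
              "realm": None, "dns_query": None, "kdcs": None}
    source, value = default_realm(conf, local_hostname)
    if source == "dns_txt":
        report["dns_query"] = value   # no realm yet: a TXT lookup goes out first
        return report
    report["realm"] = value
    kdc_source, kdcs = locate_kdc(conf, value)
    report["kdcs" if kdc_source == "config" else "dns_query"] = kdcs
    return report


if __name__ == "__main__":
    for label, text in (("without libdefaults", CONF_ORIGINAL),
                        ("with libdefaults", CONF_WITH_LIBDEFAULTS)):
        print(label, explain(text, "quark.foo.net"))
```

Note that `[domain_realm]` only answers "which realm does host X belong to"; it does not tell the library which realm the *client's own* principal lives in, so `.foo.net = WIN.NET` alone never stops the `_kerberos.foo.net` TXT query. The model also shows why an unanswered TXT query is a weak spot: whatever answers it names the realm the client trusts, which is the reason `default_realm` belongs in a client configuration.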


  4. Re: pam_krb5 can't locate my KDC



    On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen
    wrote:

    > I was just trying pam_krb5 for kicks but it can't find my KDC. My
    > /etc/krb5.conf is just:


    It helps a lot if you quote actual error messages, instead of paraphrasing
    them. Similarly, it's going to be a lot easier to track down the problem
    if you send your real krb5.conf, instead of trying to obfuscate the names.
    Perhaps you could also tell us the name of the machine you're trying this
    on.

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA



  5. Re: pam_krb5 can't locate my KDC

    On Mon, 21 Aug 2006 10:39:13 -0400
    Jeffrey Hutzelman wrote:

    >
    >
    > On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen
    > wrote:
    >
    > > I was just trying pam_krb5 for kicks but it can't find my KDC. My
    > > /etc/krb5.conf is just:

    >
    > It helps a lot if you quote actual error messages, instead of paraphrasing
    > them. Similarly, it's going to be a lot easier to track down the problem
    > if you send your real krb5.conf, instead of trying to obfuscate the names.
    > Perhaps you could also tell us the name of the machine you're trying this
    > on.


    [root@quark pam.d]# cat sshd
    #%PAM-1.0
    auth requisite pam_krb5.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

    [root@quark etc]# cat krb5.conf
    [libdefaults]
    default_realm = WIN.NET

    [appdefaults]
    pam = {
    debug = true
    }

    [realms]
    WIN.NET = {
    kdc = ts0.win.net
    }

    [domain_realm]
    .foo.net = WIN.NET
    foo.net = WIN.NET

    [miallen@quark src]$ ssh user5@quark.foo.net
    user5@quark.foo.net's password:
    Permission denied, please try again.

    There is no user5 on the local system. My expectation is that pam_krb5.so
    should use the supplied password to get a TGT thereby authenticating me
    (I'm assuming not having a shell or home directory is not interfering
    with this step).

    No names have been obfuscated. These files are exactly as they appear
    above.

    Looking at Ethereal shows only the DNS lookup for quark.foo.net. There
    is no KDC communication.

    Interestingly if I have the same auth line in /etc/pam.d/hddtemp and
    run that program I actually get the expected KDC communication but of
    course I don't have a principal for 'root' and therefore it fails with
    KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL.

    Perhaps my expectations are misguided? What does pam_krb5 do exactly?

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/


  6. Re: pam_krb5 can't locate my KDC



    On Monday, August 21, 2006 12:05:24 PM -0400 Michael B Allen
    wrote:

    > [miallen@quark src]$ ssh user5@quark.foo.net
    > user5@quark.foo.net's password:
    > Permission denied, please try again.
    >
    > There is no user5 on the local system. My expectation is that pam_krb5.so
    > should use the supplied password to get a TGT thereby authenticating me
    > (I'm assuming not having a shell or home directory is not interfering
    > with this step).


    If the user doesn't exist in /etc/passwd or whatever other source you're
    using for account information, then you're never going to be able to log
    in. Depending on the PAM module in question, there might not be any
    communication with the KDC before that happens.

    Now, if this happens with a user that does exist, that's a different issue.
    In that case, the interesting messages will be the ones in the log, rather
    than what the user gets to see.


    > Perhaps my expectations are misguided? What does pam_krb5 do exactly?


    There are several PAM modules that call themselves pam_krb5, so a precise
    answer to that question is not possible without more information. But, it
    does what any PAM module does, which is to handle authentication and make
    an authorization decision. In your first example, the authorization
    decision fails - you can't log in as user5 because there is no such user.
    In the second example, the authentication step fails, because the principal
    doesn't exist in the Kerberos database.

    -- Jeff
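Jeff's distinction between the authorization failure in post 5 (no local `user5`) and the authentication failure (unknown principal) is decided by how the PAM dispatcher combines module results under the control flags in the poster's `/etc/pam.d/sshd`. The script below is an added example written for this thread; it is not code from the thread, from Linux-PAM or from any pam_krb5. It implements the documented meaning of the simple control flags `required`, `requisite`, `sufficient` and `optional` for one management group and runs the poster's stack against constructed module outcomes. The outcome `PAM_USER_UNKNOWN` for the unknown local account is an assumption standing in for the case Jeff describes, where the module gives up before any KDC traffic; which check a given pam_krb5 does first is implementation-specific. The second stack (`FALLBACK_PAM`) is constructed to show the `sufficient` rule and is not from the thread.

```python
"""Model of how Linux-PAM combines module results for one management group.

Added example for this thread, not code from the thread, from Linux-PAM or from
any pam_krb5. It implements the documented meaning of the simple control flags
(required, requisite, sufficient, optional) and runs the poster's sshd stack
against constructed module outcomes. PAM_USER_UNKNOWN for the missing local
account is an assumption standing in for the case Jeff describes; the model
only shows what the stack does with whatever code the module returns.
"""
SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
PERM_DENIED = "PAM_PERM_DENIED"

# /etc/pam.d/sshd exactly as the poster showed it.
SSHD_PAM = """\
#%PAM-1.0
auth requisite pam_krb5.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""

# Constructed variant (not from the thread): Kerberos first, local password as fallback.
FALLBACK_PAM = """\
auth sufficient pam_krb5.so
auth required pam_unix.so
"""


def parse_pam_file(text):
    """Return (type, control, module, args) per module line; blank lines,
    comments and the '#%PAM-1.0' header are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        entries.append((mtype.lower(), control.lower(), module, args))
    return entries


def run_stack(entries, mtype, outcomes):
    """Evaluate one management group (e.g. 'auth') of a parsed stack.

    outcomes maps module name -> code returned on this call; modules not listed
    return PAM_SUCCESS. Returns (final_code, trace), trace being a list of
    (module, code, what the dispatcher did).
      required   failure is remembered; later modules still run
      requisite  failure ends the stack at once with that module's code
      sufficient success ends the stack at once with PAM_SUCCESS unless a
                 required module already failed; its failure is ignored
      optional   decides the outcome only when it is the sole module
    """
    group = [e for e in entries if e[0] == mtype]
    trace, remembered = [], None
    for _, control, module, _args in group:
        code = outcomes.get(module, SUCCESS)
        failed = code not in (SUCCESS, IGNORE)
        if control == "requisite" and failed:
            trace.append((module, code, "stop: requisite failed"))
            return code, trace
        if control == "required" and failed:
            trace.append((module, code, "remember failure, continue"))
            remembered = remembered or code
            continue
        if control == "sufficient" and code == SUCCESS and remembered is None:
            trace.append((module, code, "stop: sufficient succeeded"))
            return SUCCESS, trace
        if control == "optional" and len(group) == 1:
            trace.append((module, code, "sole optional module decides"))
            return code, trace
        trace.append((module, code, "continue"))
    if remembered is not None:
        return remembered, trace
    # Nothing vouched for the user: a stack of only failed sufficient/optional
    # modules (or an empty group) denies instead of silently passing.
    if not any(c in ("required", "requisite") for _, c, _, _ in group):
        return PERM_DENIED, trace
    return SUCCESS, trace


if __name__ == "__main__":
    sshd = parse_pam_file(SSHD_PAM)
    # Post 5: user5 has no local account; assume the module returns USER_UNKNOWN.
    print("unknown local user:", run_stack(sshd, "auth", {"pam_krb5.so": USER_UNKNOWN}))
    # Post 5, hddtemp case: the KDC rejects the principal; the module fails auth.
    print("unknown principal:", run_stack(sshd, "auth", {"pam_krb5.so": AUTH_ERR}))
    print("fallback stack, krb5 fails:", run_stack(parse_pam_file(FALLBACK_PAM), "auth",
                                                   {"pam_krb5.so": AUTH_ERR}))
```

With a single `auth requisite` line, as in the poster's file, the module's return code is the stack's verdict and nothing after it runs, so a module that rejects the user before contacting the KDC produces exactly the silent "Permission denied" seen in post 5. The constructed fallback stack is where the flag choice matters: `sufficient` before `required` lets a Kerberos failure fall through to the local password, while reversing the two lines would let a Kerberos success skip the local module entirely.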

