Ubuntu Kerberos and Active Directory - Kerberos



Thread: Ubuntu Kerberos and Active Directory

  1. Ubuntu Kerberos and Active Directory


    Hi guys, I am trying to set up Kerberos authorization using UBUNTU 6.06
    DAPPER, and I think I must be missing something simple.

    I followed this easy-to-read HOWTO:

    http://developer.novell.com/wiki/ind...Authentication

    I stuck pretty close to what they said, with the minor exception that I
    did not use LDAP for accounts, but instead used NIS. "getent passwd"
    returns our password database, so I know that is working.

    kinit and klist work properly. With kpasswd, I can change my Active
    Directory password from Linux, so I am guessing that means my
    /etc/krb5.conf is correct.

    What does not work is logging in with my Active Directory password. So
    I enabled debugging in PAM, and noticed the following errors when I try
    to log in:

    Sep 8 17:25:44 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh
    rohitm): entry:
    Sep 8 17:25:45 nfsv4c sshd[5103]: pam_krb5: verify_krb_v5_tgt():
    krb5_sname_to_principal(): Cannot determine realm for host
    Sep 8 17:25:45 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh
    rohitm): exit: failure

    Now my realm is set in the krb5.conf file (I just kinit username, and it
    knows my default realm), so do I have to do something else for pam to
    understand it?

    Also is the krb5.keytab file necessary? It looks like I have to run
    commands as administrator against Active Directory to generate this
    file, and if I don't have to do this, I'd rather not!


    Rohit
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Ubuntu Kerberos and Active Directory

    Rohit Kumar Mehta writes:

    > What does not work is logging in with my Active Directory password. So
    > I enabled debugging in PAM, and noticed the following errors when I try
    > to log in:


    > Sep 8 17:25:44 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh
    > rohitm): entry:
    > Sep 8 17:25:45 nfsv4c sshd[5103]: pam_krb5: verify_krb_v5_tgt():
    > krb5_sname_to_principal(): Cannot determine realm for host
    > Sep 8 17:25:45 nfsv4c sshd[5103]: pam_krb5: pam_sm_authenticate(ssh
    > rohitm): exit: failure


    > Now my realm is set in the krb5.conf file (I just kinit username, and it
    > knows my default realm), so do I have to do something else for pam to
    > understand it?


    It's attempting to verify the credentials against a host keytab and can't
    find the Kerberos realm for the host. You can probably fix this by adding
    an appropriate mapping to the [domain_realm] section of your krb5.conf.

    > Also is the krb5.keytab file necessary? It looks like I have to run
    > commands as administrator against Active Directory to generate this
    > file, and if I don't have to do this, I'd rather not!


    It's not necessary. The default behavior is to skip the check if you have
    no krb5.keytab file or if it contains no usable keys. However, the
    authentication will fail if it can't get even that far due to some other
    more basic problem, such as not being able to figure out the realm of the
    host.

    This code is a bit better in the pam-krb5 that's in current Debian
    unstable.

    --
    Russ Allbery (rra@stanford.edu)

  3. Re: Ubuntu Kerberos and Active Directory


    > It's attempting to verify the credentials against a host keytab and can't
    > find the Kerberos realm for the host. You can probably fix this by adding
    > an appropriate mapping to the [domain_realm] section of your krb5.conf.
    >
    >

    The domain_realm section of my krb5.conf looks like this:
    [domain_realm]
    .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    ad.engr.uconn.edu = AD.ENGR.UCONN.EDU

    AD.ENGR.UCONN.EDU should be my kerberos realm.

    Perhaps the fact that I have a different domain (for NIS) in
    /etc/domainname creates a problem?

    > It's not necessary. The default behavior is to skip the check if you have
    > no krb5.keytab file or if it contains no usable keys. However, the
    > authentication will fail if it can't get even that far due to some other
    > more basic problem, such as not being able to figure out the realm of the
    > host.
    >

    That's good. I am not sure why it cannot figure out the realm though.
    In fact, if I just
    type "kinit username" it prompts me for the password for
    "username@AD.ENGR.UCONN.EDU"
    Perhaps it would be worthwhile to try identical steps in Debian Sarge?
    (I'm not really sure how stable Ubuntu is, but I like that all my
    hardware works in it with no fighting!)


    Rohit


  4. Re: Ubuntu Kerberos and Active Directory

    Rohit Mehta writes:

    >> It's attempting to verify the credentials against a host keytab and can't
    >> find the Kerberos realm for the host. You can probably fix this by adding
    >> an appropriate mapping to the [domain_realm] section of your krb5.conf.


    > The domain_realm section of my krb5.conf looks like this:
    > [domain_realm]
    > .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    > ad.engr.uconn.edu = AD.ENGR.UCONN.EDU


    > AD.ENGR.UCONN.EDU should be my kerberos realm.


    > Perhaps the fact that I have a different domain (for NIS) in
    > /etc/domainname creates a problem?


    No, that won't matter.

    What's failing is this call:

    krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, &princ);

    with a service of "host". I don't understand why this call would be
    failing with that error message when kinit is otherwise finding the right
    realm.

    > Perhaps it would be worthwhile to try identical steps in Debian Sarge?
    > (I'm not really sure how stable Ubuntu is, but I like that all my
    > hardware works in it with no fighting!)


    I doubt you'll get any different behavior in Debian sarge. In Debian
    etch, this function isn't used any more; instead, the native Kerberos
    library function that does the same thing is called.

    --
    Russ Allbery (rra@stanford.edu)
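To make the [domain_realm] advice in post 2 and the krb5_sname_to_principal() call quoted in post 4 concrete, here is an added Python example (not code from the thread, from pam-krb5, or from either Kerberos library). It walks a constructed krb5.conf the way MIT libkrb5 documents the [domain_realm] search (exact host, then each parent domain, then default_realm; DNS TXT lookup via dns_lookup_realm is not modelled) and reports which realm host/<fqdn> would land in, or why none can be determined. The kdc name and the hostnames looked up are constructed, and since Heimdal behaved differently in the thread, only the MIT-style lookup is modelled.

```python
# Constructed krb5.conf modelled on the thread's mappings; the kdc is a placeholder.
KRB5_CONF = """\
[libdefaults]
    default_realm = AD.ENGR.UCONN.EDU
[realms]
    AD.ENGR.UCONN.EDU = {
        kdc = dc.ad.engr.uconn.edu
    }
[domain_realm]
    .ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
    ad.engr.uconn.edu = AD.ENGR.UCONN.EDU
"""

def parse_krb5_conf(text):
    """Collect key = value pairs per [section], skipping brace-delimited sub-blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):                 # e.g. "REALM = {" under [realms]
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value         # DNS names compare case-insensitively

    return sections

def host_realm(fqdn, conf):
    """Exact host first, then each parent domain with a leading dot, then default_realm."""
    mapping = conf.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "exact host entry"
    for i in range(1, host.count(".") + 1):
        suffix = "." + host.split(".", i)[-1]    # ".engr.uconn.edu", ".uconn.edu", ...
        if suffix in mapping:
            return mapping[suffix], "domain entry " + suffix
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        return default, "default_realm fallback"
    return None, "no [domain_realm] match and no default_realm"

def host_principal(fqdn, conf, service="host"):
    """The host/<fqdn>@REALM that krb5_sname_to_principal() would build, or None and the reason."""
    realm, how = host_realm(fqdn, conf)
    return (None, how) if realm is None else (f"{service}/{fqdn.lower().rstrip('.')}@{realm}", how)
```

A host whose FQDN sits outside every [domain_realm] entry is only rescued by default_realm; a library that does not apply that fallback reports the "Cannot determine realm for host" seen in the log above.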

  5. Re: Ubuntu Kerberos and Active Directory


    Hey guys, I did an "apt-get install libpam-krb5" which removed
    libpam-heimdal, and the problem is now gone. (I reproduced the problem
    in both Debian-etch and Ubuntu-dapper). I am guessing there
    is some problem with the heimdal libs. Now I can ssh to the machine
    using Active Directory credentials. However, even though klist shows
    my ticket, I cannot do passwordless authentication.

    I am guessing that setup is a little more involved and requires a keytab
    and adding records to the Active Directory. Does anyone know if this
    is correct?



  6. Re: Ubuntu Kerberos and Active Directory



    Rohit Kumar Mehta wrote:

    > Hey guys, I did an "apt-get install libpam-krb5" which removed
    > libpam-heimdal, and the problem is now gone. (I reproduced the problem
    > in both Debian-etch and Ubuntu-dapper). I am guessing there
    > is some problem with the heimdal libs.


    > Now I can ssh to the machine using Active Directory credentials.


    What do you mean by this? Send your user/password from ssh to sshd,
    and use keyboard-interactive? Or do you mean use gssapi-with-mic?

    > However, even though klist shows my ticket,


    On which machine, the ssh client machine or the sshd server?

    > I cannot do passwordless authentication.

    What do you mean by this?

    >
    > I am guessing that setup is a little more involved and requires a keytab
    > and adding records to the Active Directory.


    Yes you would need these for gssapi-with-mic to work.
    The simple method is:
    http://www.microsoft.com/technet/pro.../kerbstep.mspx


    > Does anyone know if this
    > is correct?


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  7. Re: Ubuntu Kerberos and Active Directory

    Rohit Kumar Mehta writes:

    > Hey guys, I did an "apt-get install libpam-krb5" which removed
    > libpam-heimdal, and the problem is now gone. (I reproduced the problem
    > in both Debian-etch and Ubuntu-dapper). I am guessing there is some
    > problem with the heimdal libs.


    Yeah, that means that there's something that was keeping Heimdal from
    figuring out your realm. I'm not sure what that is. I'm unfortunately
    not particularly familiar with Heimdal. I'm happy to fix the problem if
    there's something that I can do in the PAM module, although it sounds like
    it may have been some additional configuration that Heimdal was expecting
    that MIT doesn't need. (?)

    The call was failing inside the Kerberos library saying that the library
    was unable to determine the default realm. There's some possibility that
    I broke something about the realm detection logic in 2.3, but it would
    surprise me, particularly that you were seeing the same problem with the
    old 1.0 module.

    > Now I can ssh to the machine using Active Directory credentials.
    > However, even though klist shows my ticket, I cannot do passwordless
    > authentication.


    > I am guessing that setup is a little more involved and requires a keytab
    > and adding records to the Active Directory. Does anyone know if this is
    > correct?


    In order to use an existing Kerberos ticket to authenticate to a system,
    that system has to have a keytab, correct.

    --
    Russ Allbery (rra@stanford.edu)
