help with Active Directory Kerberos authentication - Kerberos

Thread: help with Active Directory Kerberos authentication

  1. help with Active Directory Kerberos authentication


    Hi guys, I am still having trouble with some authentication issues using
    the AD kerberos server. I can ssh to my Debian/Etch machine using
    Active Directory credentials, but I cannot login with a Kerberos ticket.
    kinit works and klist shows the following:

    nfsv4etch:~# kinit rohitm
    Password for rohitm@AD.ENGR.UCONN.EDU:
    nfsv4etch:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: rohitm@AD.ENGR.UCONN.EDU

    Valid starting     Expires            Service principal
    10/06/06 17:48:12  10/07/06 03:49:59  krbtgt/AD.ENGR.UCONN.EDU@AD.ENGR.UCONN.EDU
            renew until 10/07/06 17:48:12


    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

    Kerberized telnet does not seem to work.

    nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
    Trying 127.0.1.1...
    Connected to nfsv4etch (127.0.1.1).
    Escape character is '^]'.
    telnetd: Authorization failed.
    Connection closed by foreign host.

    Also if I type ssh rohitm@nfsv4etch, it prompts me for my password.
    I was hoping it would just let me in with my ticket.
    I have set the following options in /etc/ssh/sshd_config

    KerberosAuthentication yes
    #KerberosGetAFSToken yes
    KerberosOrLocalPasswd yes
    KerberosTicketCleanup yes

    and /home/rohitm/.k5login contains the user "rohitm@AD.ENGR.UCONN.EDU"

    The following packages are installed:

    ii  krb5-clients         1.4.4-1         Secure replacements for ftp, telnet and rsh
    ii  krb5-config          1.10            Configuration files for Kerberos Version 5
    ii  krb5-rsh-server      1.4.4-1         Secure replacements for rshd and rlogind usi
    ii  krb5-telnetd         1.4.4-1         Secure telnet server supporting MIT Kerberos
    ii  krb5-user            1.4.4-1         Basic programs to authenticate using MIT Ker
    ii  libkrb5-17-heimdal   0.7.2.dfsg.1-4  Libraries for Heimdal Kerberos
    ii  libkrb53             1.4.4-1         MIT Kerberos runtime libraries
    ii  libpam-krb5          2.0-1           PAM module for MIT Kerberos


    I also created a user named "nfsv4etch" in the Active Directory and
    did the following to generate an /etc/krb5.keytab file.

    Z:\krb>ktpass -princ host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU -mapuser nfsv4etch -crypto DES-CBC-MD5 -pass password -ptype KRB5_NT_PRINCIPAL -out unixmachine.keytab2
    Targeting domain controller: fozzie.ad.engr.uconn.edu
    Using legacy password setting method
    Successfully mapped host/nfsv4etch.engr.uconn.edu to nfsv4etch.
    Key created.
    Output keytab to unixmachine.keytab2:
    Keytab version: 0x502
    keysize 74 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0xceae025dfe455d49)

    Can anyone think of what I am missing? I was hoping this would be easy!

    Thanks in advance for any help.

    Rohit
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: help with Active Directory Kerberos authentication

    Rohit Kumar Mehta writes:

    > Kerberized telnet does not seem to work.
    >
    > nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
    > Trying 127.0.1.1...
    > Connected to nfsv4etch (127.0.1.1).
    > Escape character is '^]'.
    > telnetd: Authorization failed.
    > Connection closed by foreign host.


    After you've run this command, do you have host tickets in your ticket
    cache for the system you're logging on to?

    > Also if I type ssh rohitm@nfsv4etch, it prompts me for my password.
    > I was hoping it would just let me in with my ticket.
    > I have set the following options in /etc/ssh/sshd_config


    > KerberosAuthentication yes
    > #KerberosGetAFSToken yes
    > KerberosOrLocalPasswd yes
    > KerberosTicketCleanup yes


    This just tells OpenSSH to try verifying passwords with Kerberos. These
    options don't control logging on with existing Kerberos credentials. For
    that, you want:

    GSSAPIAuthentication yes

    and the equivalent on the client. Since you're using etch, install
    openssh-server (rather than the mostly obsolete ssh-krb5 package), but
    note that it doesn't enable GSSAPI by default and you have to change its
    configuration and restart the server after installing it. Similarly,
    you'll need to change your client configuration to enable GSSAPI
    authentication.

    --
    Russ Allbery (rra@stanford.edu)
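
Added example (not from the thread, and not OpenSSH's or Debian's own code): a small POSIX sh check that reports the value OpenSSH will actually use for a keyword, applied to the poster's sshd_config lines and to a client ssh_config. The sample config files are constructed here; the commented-out `#GSSAPIAuthentication no` line is assumed to be what Debian's openssh-server shipped by default, and the parser assumes plain `Keyword value` lines with no Match or Host blocks.

```shell
#!/bin/sh
# Added example: find the value OpenSSH will actually use for a keyword.
# Both sshd_config(5) and ssh_config(5) take the FIRST non-comment occurrence
# of a keyword, so an uncommented "GSSAPIAuthentication no" above a later
# "yes" silently wins.
# Assumptions: "Keyword value" spelling, and no Match/Host blocks.
ssh_effective_value() {
    # $1 = config file, $2 = keyword (matched case-insensitively)
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        tolower($1) == want       { print $2; exit }  # first match wins
    ' "$1"
}

# 0 (true) only when GSSAPIAuthentication is effectively "yes".
gssapi_enabled() {
    v=$(ssh_effective_value "$1" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = yes ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the poster's Kerberos* lines plus the commented-out
# GSSAPI lines assumed to be Debian's default. KerberosAuthentication only
# verifies *passwords* against the KDC; GSSAPIAuthentication is the option
# that accepts an existing ticket.
cat >"$tmp/sshd_config.before" <<'EOF'
KerberosAuthentication yes
#KerberosGetAFSToken yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
EOF

# Constructed sample 2: the same server with ticket login turned on.
cat >"$tmp/sshd_config.after" <<'EOF'
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF

# Constructed sample 3: the client side (~/.ssh/config or /etc/ssh/ssh_config).
# Delegation stays off: forwarding the TGT to every host is rarely wanted.
cat >"$tmp/ssh_config" <<'EOF'
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
EOF

# Constructed sample 4: an uncommented "no" above a later "yes". The first
# line wins, so GSSAPI stays off despite the "yes".
cat >"$tmp/sshd_config.shadowed" <<'EOF'
GSSAPIAuthentication no
GSSAPIAuthentication yes
EOF

for f in sshd_config.before sshd_config.after ssh_config sshd_config.shadowed; do
    if gssapi_enabled "$tmp/$f"; then
        echo "$f: ticket (GSSAPI) login enabled"
    else
        echo "$f: ticket (GSSAPI) login NOT enabled; password checks only"
    fi
done
```

On a host running OpenSSH 5.1 or later, `sshd -T | grep -i gssapi` prints the effective server values directly; the `shadowed` sample is why that check matters, since a later `yes` never overrides an earlier `no`.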

  3. Re: help with Active Directory Kerberos authentication

    Russ Allbery wrote:
    > Rohit Kumar Mehta writes:
    >
    >> Kerberized telnet does not seem to work.
    >>
    >> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
    >> Trying 127.0.1.1...
    >> Connected to nfsv4etch (127.0.1.1).


    127.0.1.1 ? Uhh, that doesn't look right. Edit the /etc/hosts file on
    the machine you are logging into and put the actual IP address on the
    line with the FQDN of the machine. You want something like:

    [cclausen@sleepless:/]% cat /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    128.174.251.7 sleepless.acm.uiuc.edu sleepless
    128.174.251.6 clortho.acm.uiuc.edu clortho
    128.174.251.37 enzo.acm.uiuc.edu enzo

    --
    Christopher D. Clausen
    ACM@UIUC SysAdmin




  4. Re: help with Active Directory Kerberos authentication

    Russ Allbery wrote:

    > You aren't seeing host tickets. So it looks to me like the problem is
    > that you can't obtain host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    > tickets from AD.
    >
    > You should be able to test this directly by running:
    >
    > kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
    >
    > to obtain host credentials rather than the normal krbtgt credentials. My
    > guess is that you'll find that the host credentials are not in AD for
    > some reason.
    >
    > This will indeed affect both telnet and ssh.
    >


    I tried that command and it seems to work:
    nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
    Password for rohitm@AD.ENGR.UCONN.EDU:
    nfsv4etch:~# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: rohitm@AD.ENGR.UCONN.EDU

    Valid starting     Expires            Service principal
    10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
            renew until 10/11/06 17:19:07


    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

    However even with the host credentials, I can't get in:

    nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
    Trying 192.168.1.137...
    Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
    Escape character is '^]'.
    telnetd: Authorization failed.
    Connection closed by foreign host.
    nfsv4etch:~# ssh rohitm@nfsv4etch.engr.uconn.edu
    rohitm@nfsv4etch.engr.uconn.edu's password:
    Permission denied, please try again.
    rohitm@nfsv4etch.engr.uconn.edu's password:
    Permission denied, please try again.
    rohitm@nfsv4etch.engr.uconn.edu's password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

    I am pretty sure I put the host creds in the AD and generated the keytab
    for use on the Linux client. Is there a way to check if my keytab is
    correct?
    nfsv4etch:~# strings /etc/krb5.keytab
    AD.ENGR.UCONN.EDU
    host
    nfsv4etch.engr.uconn.edu

    Also, could it be a problem that I am behind a NAT server?
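
Added example (not from the thread, and not part of MIT Kerberos): a POSIX sh script answering the "is there a way to check if my keytab is correct?" question. `strings` and `ktutil list` only show that an entry exists; whether its key and key version number (KVNO) agree with what the KDC holds is what `kvno` and `kinit -k -t` settle. The parsing helpers are exercised here on constructed `klist -ket` and `kvno` output in the format MIT krb5 prints (two-field timestamp assumed); the `--live` branch runs the real tools and is an assumption about a host with krb5-user installed and a user TGT already in the cache.

```shell
#!/bin/sh
# Added example: check that /etc/krb5.keytab really matches the KDC.
# Two checks (MIT krb5 tools assumed):
#   1. "kvno PRINCIPAL" (with a user TGT) shows the KVNO the KDC issues now;
#      it must equal the KVNO stored in the keytab. Re-running ktpass sets a
#      new password on the AD account, so an older keytab goes stale.
#   2. "kinit -k -t KEYTAB PRINCIPAL" succeeds only if the keytab holds the
#      KDC's current key.
# Run with --live on the real host; without arguments it runs against
# constructed sample output so the logic can be exercised anywhere.

# KVNO(s) in the keytab for PRINCIPAL; $1 = file holding "klist -ket" output.
keytab_kvno() {
    # Assumes MIT's layout: KVNO, date, time, principal, then "(enctype)".
    awk -v p="$2" '$4 == p { print $1 }' "$1"
}

# KVNO the KDC issues for PRINCIPAL; $1 = file holding "kvno" output.
issued_kvno() {
    awk -v p="$2" '$1 == (p ":") { print $NF }' "$1"
}

# 0 when some keytab entry for PRINCIPAL carries the KVNO the KDC issues.
kvno_matches() {
    # $1 = klist -ket file, $2 = kvno output file, $3 = principal
    want=$(issued_kvno "$2" "$3")
    [ -n "$want" ] || return 2
    for have in $(keytab_kvno "$1" "$3"); do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
P=host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU

if [ "${1-}" = --live ]; then
    klist -ket /etc/krb5.keytab >"$tmp/ket.out"
    kvno "$P" >"$tmp/kvno.out"          # needs a user TGT: kinit rohitm first
    if kvno_matches "$tmp/ket.out" "$tmp/kvno.out" "$P"; then
        echo "KVNO in keytab matches the KDC"
    else
        echo "KVNO mismatch: keytab $(keytab_kvno "$tmp/ket.out" "$P"), KDC $(issued_kvno "$tmp/kvno.out" "$P")"
    fi
    # Separate cache so the user's TGT in /tmp/krb5cc_0 is left untouched.
    kinit -c "$tmp/cc" -k -t /etc/krb5.keytab "$P" && echo "keytab key accepted by the KDC"
    exit
fi

# Constructed sample of "klist -ket /etc/krb5.keytab" for the thread's keytab
# (KVNO 4, DES-CBC-MD5, as ktpass reported).
cat >"$tmp/ket.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 10/06/06 17:40:12 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU (DES cbc mode with RSA-MD5)
EOF
# Constructed "kvno" output: the KDC agrees with the keytab ...
printf '%s: kvno = 4\n' "$P" >"$tmp/kvno.ok"
# ... and the stale case after ktpass was run again against the AD account.
printf '%s: kvno = 5\n' "$P" >"$tmp/kvno.stale"

for f in kvno.ok kvno.stale; do
    if kvno_matches "$tmp/ket.out" "$tmp/$f" "$P"; then
        echo "$f: keytab KVNO $(keytab_kvno "$tmp/ket.out" "$P") matches the KDC"
    else
        echo "$f: KDC issues kvno $(issued_kvno "$tmp/$f" "$P"), keytab has $(keytab_kvno "$tmp/ket.out" "$P"): regenerate the keytab"
    fi
done
```

When the keytab key is wrong, the `kinit -k -t` step fails (against AD typically as `Preauthentication failed`) even though `ktutil` lists the entry. Note for anyone reproducing this today: MIT krb5 1.8 and later refuse DES enctypes such as the one ktpass wrote here unless `allow_weak_crypto = true` is set in `[libdefaults]`; a current deployment would use AES.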


  5. Re: help with Active Directory Kerberos authentication

    Rohit Kumar Mehta writes:

    > I tried that command and it seems to work:


    > nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
    > Password for rohitm@AD.ENGR.UCONN.EDU:
    > nfsv4etch:~# klist
    > Ticket cache: FILE:/tmp/krb5cc_0
    > Default principal: rohitm@AD.ENGR.UCONN.EDU


    > Valid starting     Expires            Service principal
    > 10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >         renew until 10/11/06 17:19:07



    > Kerberos 4 ticket cache: /tmp/tkt0
    > klist: You have no tickets cached


    Hm, it's very strange that telnet wasn't able to obtain the same
    credential itself when it tried.

    > However even with the host credentials, I can't get in:


    > nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
    > Trying 192.168.1.137...
    > Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
    > Escape character is '^]'.
    > telnetd: Authorization failed.
    > Connection closed by foreign host.
    > nfsv4etch:~# ssh rohitm@nfsv4etch.engr.uconn.edu
    > rohitm@nfsv4etch.engr.uconn.edu's password:
    > Permission denied, please try again.
    > rohitm@nfsv4etch.engr.uconn.edu's password:
    > Permission denied, please try again.
    > rohitm@nfsv4etch.engr.uconn.edu's password:
    > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).


    I think for ssh you're going to need to run the server with sshd -ddd and
    see what it says about the GSSAPI exchange to try to figure out why things
    are going wrong... although if the client isn't even obtaining a host
    principal, I'm not sure what would be going wrong.

    --
    Russ Allbery (rra@stanford.edu)


  6. Re: help with Active Directory Kerberos authentication

    Thanks Russ, I think you might have found something.
    I did the command you suggested ssh -ddd 2>/tmp/err.txt
    and found an interesting message in the long file it created.

    debug1: Miscellaneous failure
    No principal in keytab matches desired name.

    My krb5.keytab looks like this:
    nfsv4etch:~# ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU

    Does that look like it's generated properly?

    Rohit

    Russ Allbery wrote:
    > Rohit Kumar Mehta writes:
    >
    >
    >>I tried that command and it seems to work:

    >
    >
    >>nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu rohitm@AD.ENGR.UCONN.EDU
    >>Password for rohitm@AD.ENGR.UCONN.EDU:
    >>nfsv4etch:~# klist
    >>Ticket cache: FILE:/tmp/krb5cc_0
    >>Default principal: rohitm@AD.ENGR.UCONN.EDU

    >
    >
    >>Valid starting     Expires            Service principal
    >>10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >>        renew until 10/11/06 17:19:07

    >
    >
    >
    >>Kerberos 4 ticket cache: /tmp/tkt0
    >>klist: You have no tickets cached

    >
    >
    > Hm, it's very strange that telnet wasn't able to obtain the same
    > credential itself when it tried.
    >
    >
    >>However even with the host credentials, I can't get in:

    >
    >
    >>nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch.engr.uconn.edu
    >>Trying 192.168.1.137...
    >>Connected to nfsv4etch.engr.uconn.edu (192.168.1.137).
    >>Escape character is '^]'.
    >>telnetd: Authorization failed.
    >>Connection closed by foreign host.
    >>nfsv4etch:~# ssh rohitm@nfsv4etch.engr.uconn.edu
    >>rohitm@nfsv4etch.engr.uconn.edu's password:
    >>Permission denied, please try again.
    >>rohitm@nfsv4etch.engr.uconn.edu's password:
    >>Permission denied, please try again.
    >>rohitm@nfsv4etch.engr.uconn.edu's password:
    >>Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

    >
    >
    > I think for ssh you're going to need to run the server with sshd -ddd and
    > see what it says about the GSSAPI exchange to try to figure out why things
    > are going wrong... although if the client isn't even obtaining a host
    > principal, I'm not sure what would be going wrong.
    >




  7. Re: help with Active Directory Kerberos authentication

    Rohit Kumar Mehta writes:

    > Thanks Russ, I think you might have found something.
    > I did the command you suggested ssh -ddd 2>/tmp/err.txt
    > and found an interesting message in the long file it created.


    > debug1: Miscellaneous failure
    > No principal in keytab matches desired name.


    > My krb5.keytab looks like this:
    > nfsv4etch:~# ktutil
    > ktutil: rkt /etc/krb5.keytab
    > ktutil: l
    > slot KVNO Principal
    > ---- ---- ---------------------------------------------------------------------
    >    1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU


    > Does that look like it's generated properly?


    I've run into this problem before (not with AD, but with MIT Kerberos) and
    haven't been able to figure out what was causing it. My theory was some
    sort of realm configuration mismatch, but I'm not at all sure.

    --
    Russ Allbery (rra@stanford.edu)


  8. Re: help with Active Directory Kerberos authentication

    Russ Allbery wrote:
    > Rohit Kumar Mehta writes:
    >> debug1: Miscellaneous failure
    >> No principal in keytab matches desired name.
    >>
    >> My krb5.keytab looks like this:
    >> nfsv4etch:~# ktutil
    >> ktutil: rkt /etc/krb5.keytab
    >> ktutil: l
    >> slot KVNO Principal
    >> ---- ---- ---------------------------------------------------------------------
    >>    1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >>
    >> Does that look like it's generated properly?

    >
    > I've run into this problem before (not with AD, but with MIT
    > Kerberos) and haven't been able to figure out what was causing it.
    > My theory was some sort of realm configuration mismatch, but I'm not
    > at all sure.


    What does hostname (or hostname -f) return on your computer?

    And then do an IP lookup on that. If it resolves to a 127.*.*.* address
    it's not likely to work.


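
Added example (not from the thread, and not code from OpenSSH or MIT Kerberos): a POSIX sh script that follows up the `hostname` / IP lookup question above by reproducing the `/etc/hosts` part of name resolution and deriving the principal a Kerberos acceptor (sshd, telnetd) will look for in the keytab. It assumes `hosts: files dns` in nsswitch.conf, a hosts file without inline comments, and MIT krb5's canonicalization of `host@<gethostname()>` to `host/<canonical name>@REALM` with no reverse-DNS override; the hosts files and the `klist -k` listing are constructed samples, the Debian-style `127.0.1.1` line being what the installer writes for a host without a static address.

```shell
#!/bin/sh
# Added example: which principal will the acceptor look for in the keytab?
# sshd's GSSAPI code starts from gethostname() and the Kerberos library
# canonicalizes that name through the resolver. With "hosts: files dns" the
# answer comes from /etc/hosts, where the FIRST name on the matching line is
# the canonical name. So "127.0.1.1 nfsv4etch" yields host/nfsv4etch@REALM,
# not the host/nfsv4etch.engr.uconn.edu@REALM that ktpass put in the keytab.
# (Assumed: MIT krb5 canonicalization, no reverse-DNS override, no inline
# comments in the hosts file.)

hosts_lookup() {   # $1 = hosts file, $2 = name -> "ADDRESS CANONICAL" or nothing
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1, $2; exit } }
    ' "$1"
}
lookup_address() { out=$(hosts_lookup "$1" "$2"); printf '%s\n' "${out%% *}"; }
canonical_name() { out=$(hosts_lookup "$1" "$2"); printf '%s\n' "${out#* }"; }

# Principal the acceptor wants: host/<canonical>@REALM (nothing if unresolvable).
expected_host_principal() {   # $1 = hosts file, $2 = hostname, $3 = realm
    c=$(canonical_name "$1" "$2")
    [ -n "$c" ] && printf 'host/%s@%s\n' "$c" "$3"
}

# 0 when NAME resolves to 127.x, the "Trying 127.0.1.1..." seen in the thread.
is_loopback() {   # $1 = hosts file, $2 = name
    case $(lookup_address "$1" "$2") in 127.*) return 0 ;; esac
    return 1
}

# 0 when "klist -k KEYTAB" output (file $1) lists principal $2 exactly.
keytab_has() {
    awk -v p="$2" '$NF == p { found = 1 } END { exit !found }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the Debian installer's line for a DHCP host.
cat >"$tmp/hosts.broken" <<'EOF'
127.0.0.1 localhost
127.0.1.1 nfsv4etch
EOF
# Constructed sample 2: the real address, FQDN first, short name as an alias.
cat >"$tmp/hosts.fixed" <<'EOF'
127.0.0.1 localhost
192.168.1.137 nfsv4etch.engr.uconn.edu nfsv4etch
EOF
# Constructed sample 3: "klist -k /etc/krb5.keytab" for the thread's keytab.
cat >"$tmp/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
EOF

for h in hosts.broken hosts.fixed; do
    want=$(expected_host_principal "$tmp/$h" nfsv4etch AD.ENGR.UCONN.EDU)
    is_loopback "$tmp/$h" nfsv4etch && echo "$h: nfsv4etch -> loopback address"
    if keytab_has "$tmp/klist.out" "$want"; then
        echo "$h: acceptor wants $want: present in keytab"
    else
        echo "$h: acceptor wants $want: NOT in keytab (No principal in keytab matches desired name)"
    fi
done
```

On the real machine the same facts come from `hostname`, `hostname -f`, `getent hosts "$(hostname)"` and `klist -k /etc/krb5.keytab`: the principal derived from the canonical name must appear in the keytab listing character for character, and the address must be the one the host is actually reached at, not 127.x.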


  9. Re: help with Active Directory Kerberos authentication

    This is what you said Rohit Kumar Mehta
    > Thanks Russ, I think you might have found something.
    > I did the command you suggested ssh -ddd 2>/tmp/err.txt
    > and found an interesting message in the long file it created.
    >
    > debug1: Miscellaneous failure
    > No principal in keytab matches desired name.
    >
    > My krb5.keytab looks like this:
    > nfsv4etch:~# ktutil
    > ktutil: rkt /etc/krb5.keytab
    > ktutil: l
    > slot KVNO Principal
    > ---- ---- ---------------------------------------------------------------------
    >    1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >
    > Does that look like it's generated properly?
    >
    > Rohit
    >
    > Russ Allbery wrote:
    >> Rohit Kumar Mehta writes:
    >>
    >>
    >>>I tried that command and it seems to work:

    >>
    >>
    >>>nfsv4etch:~# kinit -S host/nfsv4etch.engr.uconn.edu
    >>> rohitm@AD.ENGR.UCONN.EDU
    >>>Password for rohitm@AD.ENGR.UCONN.EDU:
    >>>nfsv4etch:~# klist
    >>>Ticket cache: FILE:/tmp/krb5cc_0
    >>>Default principal: rohitm@AD.ENGR.UCONN.EDU

    >>
    >>
    >>>Valid starting     Expires            Service principal
    >>>10/10/06 17:19:07  10/11/06 03:19:12  host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >>>        renew until 10/11/06 17:19:07

    >>
    >>
    >>
    >>>Kerberos 4 ticket cache: /tmp/tkt0
    >>>klist: You have no tickets cached

    >>


    Here are some other places where I have discussed this topic:

    http://www.linuxquestions.org/questi...=371848&page=2
    http://www.winlinanswers.com/communi...topic.php?t=37
    http://blog.scottlowe.org/2006/04/27...erver-2003-r2/
    http://blog.scottlowe.org/2006/08/08...-r2-revisited/

    Note that there is a bug in Windows 2003 SP1 ktpass utility when creating
    keytab files used with secure connections. You can get a fix from MS.
    You can find the link to MS article which discusses the bug from the links
    above.

    Although I have a "working" solution, which can be found from the above
    articles, I would like to hear what your final configuration looks like.
    There are still several things I do not like with my configuration and
    would like to improve on the configuration so that it is more than just
    functional.

    Thanks.


  10. Re: help with Active Directory Kerberos authentication

    hostname returns nfsv4etch

    pinging nfsv4etch pings 192.168.1.137. I am using VMWARE and NAT,
    but am no longer using 127.0.0.1

    Christopher D. Clausen wrote:
    > Russ Allbery wrote:
    >
    >>Rohit Kumar Mehta writes:
    >>
    >>>debug1: Miscellaneous failure
    >>>No principal in keytab matches desired name.
    >>>
    >>>My krb5.keytab looks like this:
    >>>nfsv4etch:~# ktutil
    >>>ktutil: rkt /etc/krb5.keytab
    >>>ktutil: l
    >>>slot KVNO Principal
    >>>---- ---- ---------------------------------------------------------------------
    >>>   1    4 host/nfsv4etch.engr.uconn.edu@AD.ENGR.UCONN.EDU
    >>>
    >>>Does that look like it's generated properly?

    >>
    >>I've run into this problem before (not with AD, but with MIT
    >>Kerberos) and haven't been able to figure out what was causing it.
    >>My theory was some sort of realm configuration mismatch, but I'm not
    >>at all sure.

    >
    >
    > What does hostname (or hostname -f) return on your computer?
    >
    > And then do an IP lookup on that. If it resolves to a 127.*.*.* address
    > it's not likely to work.
    >
    >
    >




  11. Re: help with Active Directory Kerberos authentication

    Scott Ruckh wrote:

    > Here are some other places where I have discussed this topic:
    >
    > http://www.linuxquestions.org/questi...=371848&page=2
    > http://www.winlinanswers.com/communi...topic.php?t=37
    > http://blog.scottlowe.org/2006/04/27...erver-2003-r2/
    > http://blog.scottlowe.org/2006/08/08...-r2-revisited/
    >
    > Note that there is a bug in Windows 2003 SP1 ktpass utility when creating
    > keytab files used with secure connections. You can get a fix from MS.
    > You can find the link to MS article which discusses the bug from the links
    > above.
    >
    > Although I have a "working" solution, which can be found from the above
    > articles, I would like to hear what your final configuration looks like.
    > There are still several things I do not like with my configuration and
    > would like to improve on the configuration so that it is more than just
    > functional.
    >
    > Thanks.
    >


    Hi, thanks Scott, I had actually used one of the how-tos you mentioned:

    http://blog.scottlowe.org/2006/04/27...erver-2003-r2/

    However I am not doing anything with SFU, we have an NIS server (All the
    accounts are in both NIS and AD).

    I do not think we have a problem with ktpass. (was this the hotfix you
    were referring to? http://support.microsoft.com/kb/843071)
    On a whim, I installed Fedora Core 5 on a virtual machine, and redid
    everything, using the ktpass command described in your first howto:
    "ktpass -princ host/fc5.engr.uconn.edu@AD.ENGR.UCONN.EDU -mapuser
    ENGR_STUDENT\fc5 -crypto DES-CBC-MD5 -pass mypassword -ptype
    KRB5_NT_PRINCIPAL -out keytab.fc5 "

    After installing this keytab file (and authconfig) kerberized telnet
    works!!!

    After kinit'ing I can do a "telnet -k AD.ENGR.UCONN.EDU -l rohitm
    fc5.engr.uconn.edu" and it lets me log in. I do not have to type my
    password a second time.

    GSSAPI authentication still does not work with SSH, and I have no idea
    why kerberized telnet does not seem to work in
    Debian(etch)/Ubuntu(dapper) and GSSAPI ssh authentication does not seem
    to work for me on any distro.




