Problem with Kerberos Service - Kerberos

Thread: Problem with Kerberos Service

  1. Problem with Kerberos Service

    Hello, I'm an Italian user and my name is Luca.

    I'm working with Kerberos on my Ubuntu 6.10.

    I have installed the krb5 packages and configured the kdc.conf and krb5.conf files. The files are configured to test the authentication on my local machine.

    Now I am trying to activate some kerberized services like telnet, but I have some problems.

    So I have executed these steps:

    1) Configure the /etc/hosts file:
    127.0.1.1 laptop
    192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
    127.0.0.1 localhost localhost.localdomain

    and I have configured the /etc/hostname file with this name "lukesky.epiluke.it"

    2) Configure krb5.conf file:

    [libdefaults]
    default_realm = EPILUKE.IT

  2. Re: Problem with Kerberos Service

    Firstly... Please don't use telnet. It's just bad. Use the ssh-krb5 package instead.

    Moving on...

    You seem to have done everything correctly so far. I don't know if you've installed the libpam-krb5 package. If not, that may be the problem. You should add the following lines to the following files:

    /etc/pam.d/common-auth
    auth sufficient pam_krb5.so ignore_root

    /etc/pam.d/common-account
    account required pam_krb5.so ignore_root

    /etc/pam.d/common-password
    password optional pam_krb5.so ignore_root

    /etc/pam.d/common-session
    session optional pam_krb5.so ignore_root


    man pam_krb5 will have more information on how to configure these options. You may need to add the following lines to /etc/ssh/sshd_config and restart the ssh-krb5 service after installing the ssh-krb5 package.

    # GSSAPI options
    GSSAPIAuthentication yes
    GSSAPINoMICAuthentication yes
    GSSAPICleanupCredentials yes


    Hope this helps you some!

    Regards,
    Edward Murrell


    Luca Petrini wrote:
    > Hello, I'm an Italian user and my name is Luca.
    >
    > I'm working with Kerberos on my Ubuntu 6.10.
    >
    > I have installed the krb5 packages and configured the kdc.conf and krb5.conf files. The files are configured to test the authentication on my local machine.
    >
    > Now I am trying to activate some kerberized services like telnet, but I have some problems.
    >
    > So I have executed these steps:
    >
    > 1) Configure the /etc/hosts file:
    > 127.0.1.1 laptop
    > 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
    > 127.0.0.1 localhost localhost.localdomain
    >
    > and I have configured the /etc/hostname file with this name "lukesky.epiluke.it"
    >
    > 2) Configure krb5.conf file:
    >
    > [libdefaults]
    > default_realm = EPILUKE.IT
    > .
    > .
    > [realms]
    > EPILUKE.IT = {
    > kdc = kdc.epiluke.it:88
    > admin_server = admin.epiluke.it:749
    > }
    > .
    > .
    > [domain_realm]
    > .epiluke.it = EPILUKE.IT
    > epiluke.it = EPILUKE.IT
    > .
    > .
    >
    > 3) Configure kdc.conf file:
    >
    > [kdcdefaults]
    > kdc_ports = 750,88
    >
    > [realms]
    > EPILUKE.IT = {
    > database_name = /var/lib/krb5kdc/principal
    > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    > acl_file = /etc/krb5kdc/kadm5.acl
    > key_stash_file = /etc/krb5kdc/stash
    >
    > kadmin_port = 749
    >
    > max_life = 10h 0m 0s
    > max_renewable_life = 7d 0h 0m 0s
    > master_key_type = des3-hmac-sha1
    > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm desnlyrealm des:afs3
    > default_principal_flags = +preauth
    > }
    >
    > 4) Then I have created a db:
    > $/usr/sbin/kdb5_util create -r EPILUKE.IT -s
    >
    > 5) I have created on /etc/krb5kdc directory a new ACL file (kadm5.acl) with this rules:
    >
    > */admin@EPILUKE.IT *
    > */*@EPILUKE.IT i
    >
    > 6) I have execute kadmin.local:
    > >addpol -maxlife "180 days" -minlength 8 -minclasses 3 -history 3 user
    > >addpol -maxlife "90 days" -minlength 10 -minclasses 3 -history 6 admin
    > >addprinc -policy admin +requires_preauth krbadm/admin
    > >addprinc -policy user pippo
    > >ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw

    >
    > 7) I have started the server
    >
    > $/etc/init.d/krb5-kdc restart
    > $/etc/init.d/krb5-admin-server restart
    >
    > Then I have tested the servers:
    >
    > $kadmin -p krbadm/admin -> OK
    > $kinit pippo -> OK
    >
    > Now I would configure kerberized telnet service but it doesn't work; there is something wrong.
    >
    > 9) From kadmin I have defined:
    >
    > >addprinc host/lukesky.epiluke.it@EPILUKE.iT
    > >ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it@EPILUKE.IT (??? I'm not sure that it's correct)

    >
    > 10) I create a new file in /etc/xinet.d/ directory named telnet:
    >
    > service telnet
    > {
    > socket_type = stream
    > wait = no
    > nice = 10
    > user = root
    > server = /usr/sbin/telnetd
    > server_args = -h
    > }
    >
    > 11) I have restarted services
    >
    > $ /etc/init.d/xinetd restart
    >
    > Well, at this point I have exec by shell this command:
    >
    > $telnet -l pippo lukesky.epiluke.it
    >
    > but the results are:
    > Trying 192.168.182.254...
    > Connected to admin.epiluke.it (192.168.182.254).
    > Escape character is '^]'.
    > Password for pippo:
    > Login incorrect
    >
    > If I insert the password the system doesn't identify the credentials (which instead work with the kinit command) and I can't enter the telnet service.
    >
    > Why?
    >
    > What can I do?
    >
    > Can you help me? I'm going crazy!
    >
    > Thanks.
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >




  3. Re: Problem with Kerberos Service

    Luca Petrini wrote:
    > Hello, I'm an Italian user and my name is Luca.
    >
    > I'm working with Kerberos on my Ubuntu 6.10.
    >
    > 1) Configure the /etc/hosts file:
    > 127.0.1.1 laptop
    > 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
    > 127.0.0.1 localhost localhost.localdomain
    >
    > and I have configured the /etc/hostname file with this name
    > "lukesky.epiluke.it"



    Change the 192.168 line in your /etc/hosts file to:
    192.168.182.254 lukesky.epiluke.it

    > 2) Configure krb5.conf file:
    >
    > [realms]
    > EPILUKE.IT = {
    > kdc = kdc.epiluke.it:88
    > admin_server = admin.epiluke.it:749
    > }


    For now, just use "lukesky.epiluke.it" for both kdc and admin_server.
    Once you get things working you can try setting up DNS aliases.

    > Now I would configure kerberized telnet service but it doesn't work;
    > there is something wrong.
    >
    > 9) From kadmin I have defined:
    >
    >> addprinc host/lukesky.epiluke.it@EPILUKE.iT
    >> ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it@EPILUKE.IT (???
    >> I'm not sure that it's correct)



    What does klist -kte (as root) show?

    Can you kinit -kt host/lukesky.epiluke.it@EPILUKE.IT on this machine?

    > Well, at this point I have exec by shell this command:
    >
    > $telnet -l pippo lukesky.epiluke.it


    What does kinit show before you run the above command?

    And try using:
    kinit pippo
    telnet -a -l pippo lukesky.epiluke.it

    > but the results are:
    > Trying 192.168.182.254...
    > Connected to admin.epiluke.it (192.168.182.254).
    > Escape character is '^]'.
    > Password for pippo:
    > Login incorrect


    If ktelnet is working correctly (and I assume you do indeed want to use
    ktelnet) you should not be prompted for a password. It should forward
    your Kerberos credentials to the telnetd server.

    gcs# kinit
    Password for cclausen@ILLIGAL.UIUC.EDU:
    gcs# telnet -a -l cclausen gcs.illigal.uiuc.edu
    Trying 128.174.193.202...
    Connected to gcs.illigal.uiuc.edu (128.174.193.202).
    Escape character is '^]'.
    [ Kerberos V5 accepts you as ``cclausen@ILLIGAL.UIUC.EDU'' ]
    Last login: Wed Dec 13 14:03:28 from ial.illigal.uiuc.edu
    Linux gcs 2.6.15-27-686 #1 SMP PREEMPT Fri Dec 8 18:00:07 UTC 2006 i686
    GNU/Linux
    gcs%
    gcs% exit
    Connection closed by foreign host.
    gcs# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: cclausen@ILLIGAL.UIUC.EDU
    Valid starting     Expires            Service principal
    02/08/07 02:20:37  02/08/07 12:20:37  krbtgt/ILLIGAL.UIUC.EDU@ILLIGAL.UIUC.EDU
            renew until 02/09/07 02:20:34
    02/08/07 02:21:01  02/08/07 12:20:37  host/gcs.illigal.uiuc.edu@ILLIGAL.UIUC.EDU
            renew until 02/09/07 02:20:34

    See the lack of any password prompt?



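    The reply above asks for a single name on the 192.168 line of /etc/hosts. The mechanism behind that advice is hostname canonicalisation: before a Kerberos client asks the KDC for a service ticket it canonicalises the target hostname, and for a hosts-file entry glibc reports the first name on the line as the canonical name, so the client requests host/<first name>@REALM, and that principal must exist in the service's keytab. The following Python script is an added example, not code from the thread or from MIT Kerberos; it models only that rule (DNS and reverse lookup are left out) against constructed copies of the two /etc/hosts variants discussed in the thread.

```python
"""Which host/ service principal will a Kerberos client ask for?

Added example, not code from the thread or from MIT Kerberos.  It assumes
the glibc rule that the canonical name of a hosts-file entry is the first
name on its line, and that the client builds host/<canonical>@REALM from
that name (DNS and reverse lookup are left out of this model).
"""
from typing import List, Optional, Tuple

# Constructed copies of the two /etc/hosts variants discussed in the thread.
HOSTS_BEFORE = """\
127.0.1.1 laptop
192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
127.0.0.1 localhost localhost.localdomain
"""

HOSTS_AFTER = """\
127.0.1.1 laptop
192.168.182.254 lukesky.epiluke.it
127.0.0.1 localhost localhost.localdomain
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [canonical name, aliases...]) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(text: str, name: str) -> Optional[str]:
    """First name on the line that lists `name`, i.e. glibc's h_name."""
    wanted = name.lower()
    for _addr, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return names[0]
    return None


def expected_host_principal(text: str, target: str, realm: str) -> Optional[str]:
    """Service principal the client will request for `target`, or None."""
    canon = canonical_name(text, target)
    if canon is None:
        return None
    return "host/%s@%s" % (canon.lower(), realm)


def keytab_has(keytab_principals, principal) -> bool:
    """Exact match: principal names, realm included, are case-sensitive."""
    return principal in keytab_principals


if __name__ == "__main__":
    keytab = {"host/lukesky.epiluke.it@EPILUKE.IT"}   # what klist -kte listed
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        wanted = expected_host_principal(hosts, "lukesky.epiluke.it", "EPILUKE.IT")
        state = "in keytab" if keytab_has(keytab, wanted) else "NOT in keytab"
        print("%-6s client asks for %s: %s" % (label, wanted, state))
```

    With the original hosts line the model yields host/kdc.epiluke.it@EPILUKE.IT, which the keytab shown later in the thread does not contain; with the suggested single-name line it yields host/lukesky.epiluke.it@EPILUKE.IT. The last function also shows why the realm spelling matters: a principal in realm EPILUKE.iT never matches one in EPILUKE.IT.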

  4. Re: Problem with Kerberos Service


    So,
    > What does klist -kte (as root) show?


    lukesky@lukesky:~$ sudo klist -kte
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
       2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)

    If I execute this command I have this.


    > Can you kinit -kt host/lukesky.epiluke.it@EPILUKE.IT on this machine?


    lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    kinit(v5): Client not found in Kerberos database while getting initial
    credentials

    and if I execute kinit and telnet I have:

    lukesky@lukesky:~$ kinit pippo
    Password for pippo@EPILUKE.IT:
    lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    Trying 192.168.182.121...
    Connected to admin.epiluke.it (192.168.182.121).
    Escape character is '^]'.
    Password for pippo:
    Login incorrect

    Why? What does it mean?



    Christopher D. Clausen wrote:
    >
    > Luca Petrini wrote:
    >> Hello, I'm an Italian user and my name is Luca.
    >>
    >> I'm working with Kerberos on my Ubuntu 6.10.
    >>
    >> 1) Configure the /etc/hosts file:
    >> 127.0.1.1 laptop
    >> 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
    >> 127.0.0.1 localhost localhost.localdomain
    >>
    >> and I have configured the /etc/hostname file with this name
    >> "lukesky.epiluke.it"

    >
    >
    > Change the 192.168 line in your /etc/hosts file to:
    > 192.168.182.254 lukesky.epiluke.it
    >
    >> 2) Configure krb5.conf file:
    >>
    >> [realms]
    >> EPILUKE.IT = {
    >> kdc = kdc.epiluke.it:88
    >> admin_server = admin.epiluke.it:749
    >> }

    >
    > For now, just use "lukesky.epiluke.it" for both kdc and admin_server.
    > Once you get things working you can try setting up DNS aliases.
    >
    >> Now I would configure kerberized telnet service but it doesn't work;
    >> there is something wrong.
    >>
    >> 9) From kadmin I have defined:
    >>
    >>> addprinc host/lukesky.epiluke.it@EPILUKE.iT
    >>> ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it@EPILUKE.IT (???
    >>> I'm not sure that it's correct)

    >
    >
    > What does klist -kte (as root) show?
    >
    > Can you kinit -kt host/lukesky.epiluke.it@EPILUKE.IT on this machine?
    >
    >> Well, at this point I have exec by shell this command:
    >>
    >> $telnet -l pippo lukesky.epiluke.it

    >
    > What does kinit show before you run the above command?
    >
    > And try using:
    > kinit pippo
    > telnet -a -l pippo lukesky.epiluke.it
    >
    >> but the results are:
    >> Trying 192.168.182.254...
    >> Connected to admin.epiluke.it (192.168.182.254).
    >> Escape character is '^]'.
    >> Password for pippo:
    >> Login incorrect

    >
    > If ktelnet is working correctly (and I assume you do indeed want to use
    > ktelnet) you should not be prompted for a password. It should forward
    > your Kerberos credentials to the telnetd server.
    >
    > gcs# kinit
    > Password for cclausen@ILLIGAL.UIUC.EDU:
    > gcs# telnet -a -l cclausen gcs.illigal.uiuc.edu
    > Trying 128.174.193.202...
    > Connected to gcs.illigal.uiuc.edu (128.174.193.202).
    > Escape character is '^]'.
    > [ Kerberos V5 accepts you as ``cclausen@ILLIGAL.UIUC.EDU'' ]
    > Last login: Wed Dec 13 14:03:28 from ial.illigal.uiuc.edu
    > Linux gcs 2.6.15-27-686 #1 SMP PREEMPT Fri Dec 8 18:00:07 UTC 2006 i686
    > GNU/Linux
    > gcs%
    > gcs% exit
    > Connection closed by foreign host.
    > gcs# klist
    > Ticket cache: FILE:/tmp/krb5cc_0
    > Default principal: cclausen@ILLIGAL.UIUC.EDU
    > Valid starting     Expires            Service principal
    > 02/08/07 02:20:37  02/08/07 12:20:37  krbtgt/ILLIGAL.UIUC.EDU@ILLIGAL.UIUC.EDU
    >         renew until 02/09/07 02:20:34
    > 02/08/07 02:21:01  02/08/07 12:20:37  host/gcs.illigal.uiuc.edu@ILLIGAL.UIUC.EDU
    >         renew until 02/09/07 02:20:34
    >
    > See the lack of any password prompt?
    >



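    To check a keytab the way the replies ask (does it hold host/<fqdn>@REALM, and at which key version?), the following Python script parses the text of `klist -kte`. It is an added example, not code from the thread or from MIT Kerberos; the sample output is constructed from the listing in this post, and the extra weak-enctype check flags single DES keys (des-cbc-crc appears in the thread's supported_enctypes), which no current KDC should issue.

```python
"""Parse `klist -kte` output and check a keytab for a service principal.

Added example, not code from the thread or from MIT Kerberos.  It assumes
the output layout shown in the thread: KVNO, timestamp, principal and the
enctype in parentheses, one entry per line.  SAMPLE_KLIST is constructed
from the listing in the thread.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
   2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)
"""


class KeytabEntry(NamedTuple):
    kvno: int
    timestamp: str
    principal: str
    enctype: str


# KVNO, "MM/DD/YY HH:MM:SS", principal, "(enctype description)"
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_klist_kte(text: str) -> List[KeytabEntry]:
    """One KeytabEntry per key line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2),
                                       m.group(3), m.group(4)))
    return entries


def is_single_des(enctype: str) -> bool:
    """True for single-DES types (des-cbc-crc, des-cbc-md5, ...), which are broken.

    klist prints them as 'DES cbc mode with ...'; triple DES starts with 'Triple'.
    """
    e = enctype.lower()
    return e.startswith("des ") or e.startswith("des-")


def check_keytab(text: str, principal: str) -> Dict[str, object]:
    """Is `principal` (exact match, realm case included) in the keytab, under
    which KVNOs, and with which weak enctypes?"""
    matching = [e for e in parse_klist_kte(text) if e.principal == principal]
    return {
        "present": bool(matching),
        "kvnos": sorted({e.kvno for e in matching}),
        "weak_enctypes": [e.enctype for e in matching if is_single_des(e.enctype)],
    }


if __name__ == "__main__":
    print(check_keytab(SAMPLE_KLIST, "host/lukesky.epiluke.it@EPILUKE.IT"))
```

    A note on the `kinit -kt host/...` attempts that follow in the thread: in MIT kinit the `-t` option takes a keytab file name, so `-kt host/lukesky.epiluke.it@EPILUKE.IT` is read as `-k -t <that string>` with no principal named, and kinit falls back to the login user's name. `sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT`, as suggested later, names the principal explicitly and reads the root-only /etc/krb5.keytab.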

  5. Re: Problem with Kerberos Service

    LukePet wrote:
    > So,
    >> What does klist -kte (as root) show?

    >
    > lukesky@lukesky:~$ sudo klist -kte
    > 2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES
    > cbc mode with HMAC/sha1)
    > 2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc
    > mode with CRC-32)
    >
    >> Can you kinit -kt host/lukesky.epiluke.it@EPILUKE.IT on this machine?

    >
    > lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    > kinit(v5): Client not found in Kerberos database while getting initial
    > credentials


    Hmm... that looks bad. rm /etc/krb5.keytab and re-extract the
    host/lukesky.epiluke.it keytab into /etc/krb5.keytab from kadmin.

    > and If I exec kinit and telnet I have:
    >
    > lukesky@lukesky:~$ kinit pippo
    > Password for pippo@EPILUKE.IT:
    > lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    > Trying 192.168.182.121...
    > Connected to admin.epiluke.it (192.168.182.121).
    > Escape character is '^]'.
    > Password for pippo:
    > Login incorrect
    >
    > why? what mean?


    It means it's not using Kerberos, likely b/c of the problem with the host
    keytab. If you get a password prompt Kerberos ticket forwarding has
    failed and I'd suggest simply Ctrl-C-ing out of telnet.




  6. Re: Problem with Kerberos Service


    Then... I have deleted the krb5.keytab file

    after that I have executed these instructions:
    lukesky@lukesky:~$ sudo kadmin -p krbadm/admin
    kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it

    now I have this situation:
    lukesky@lukesky:~$ sudo klist -kte
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
       3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)

    but it is still wrong...
    lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    kinit(v5): Client not found in Kerberos database while getting initial
    credentials

    or

    lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    kinit(v5): Permission denied while getting initial credentials

    or

    lukesky@lukesky:~$ kinit host/lukesky.epiluke.it@EPILUKE.IT
    Password for host/lukesky.epiluke.it@EPILUKE.IT:
    kinit(v5): Password incorrect while getting initial credentials

    ...I don't understand, it is really strange.

    What can I do?


    Christopher D. Clausen wrote:
    >
    > LukePet wrote:
    >> So,
    >>> What does klist -kte (as root) show?

    >>
    >> lukesky@lukesky:~$ sudo klist -kte
    >> 2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES
    >> cbc mode with HMAC/sha1)
    >> 2 02/08/07 14:13:52 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc
    >> mode with CRC-32)
    >>
    >>> Can you kinit -kt host/lukesky.epiluke.it@EPILUKE.IT on this machine?

    >>
    >> lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    >> kinit(v5): Client not found in Kerberos database while getting initial
    >> credentials

    >
    > Hmm... that looks bad. rm /etc/krb5.keytab and re-extract the
    > host/lukesky.epiluke.it keytab into /etc/krb5.keytab from kadmin.
    >
    >> and If I exec kinit and telnet I have:
    >>
    >> lukesky@lukesky:~$ kinit pippo
    >> Password for pippo@EPILUKE.IT:
    >> lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    >> Trying 192.168.182.121...
    >> Connected to admin.epiluke.it (192.168.182.121).
    >> Escape character is '^]'.
    >> Password for pippo:
    >> Login incorrect
    >>
    >> why? what mean?

    >
    > It means its not using Kerberos, likely b/c of the problem with the host
    > keytab. If you get a password prompt Kerberos ticket forwarding has
    > failed and I'd suggest simply Ctrl-C-ing out of telnet.
    >




  7. Re: Problem with Kerberos Service

    On 2/13/07, LukePet wrote:
    >
    > Then... I have deleted the krb5.keytab file
    >
    > after that I have executed these instructions:
    > lukesky@lukesky:~$ sudo kadmin -p krbadm/admin
    > kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it
    >
    > now I have this situation:
    > lukesky@lukesky:~$ sudo klist -kte
    > Keytab name: FILE:/etc/krb5.keytab
    > KVNO Timestamp         Principal
    > ---- ----------------- --------------------------------------------------------
    >    3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
    >    3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)
    >
    > but it is still wrong...
    > lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    > kinit(v5): Client not found in Kerberos database while getting initial
    > credentials
    >
    > or
    >
    > lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    > kinit(v5): Permission denied while getting initial credentials


    This was the closest to being correct. You did "sudo klist -kte"
    above to read the keytab. You must be root to read it here as well.
    So you'd need to do "sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT"


  8. Re: Problem with Kerberos Service


    I tried and I have this:

    lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    kinit(v5): Permission denied while getting initial credentials
    lukesky@lukesky:~$ sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    lukesky@lukesky:~$

    Is it ok?

    But I'd like a reply about telnet: is it correct, does it work????


    Kevin Coffman wrote:
    >
    > On 2/13/07, LukePet wrote:
    >>
    >> Then... I have deleted the krb5.keytab file
    >>
    >> after that I have executed these instructions:
    >> lukesky@lukesky:~$ sudo kadmin -p krbadm/admin
    >> kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it
    >>
    >> now I have this situation:
    >> lukesky@lukesky:~$ sudo klist -kte
    >> Keytab name: FILE:/etc/krb5.keytab
    >> KVNO Timestamp         Principal
    >> ---- ----------------- --------------------------------------------------------
    >>    3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (Triple DES cbc mode with HMAC/sha1)
    >>    3 02/13/07 09:56:24 host/lukesky.epiluke.it@EPILUKE.IT (DES cbc mode with CRC-32)
    >>
    >> but it is still wrong...
    >> lukesky@lukesky:~$ kinit -kt host/lukesky.epiluke.it@EPILUKE.IT
    >> kinit(v5): Client not found in Kerberos database while getting initial
    >> credentials
    >>
    >> or
    >>
    >> lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    >> kinit(v5): Permission denied while getting initial credentials

    >
    > This was the closest to being correct. You did "sudo klist -kte"
    > above to read the keytab. You must be root to read it here as well.
    > So you'd need to do "sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT"




  9. Re: Problem with Kerberos Service

    LukePet wrote:
    > I tray and I have this:
    >
    > lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    > kinit(v5): Permission denied while getting initial credentials
    > lukesky@lukesky:~$ sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    > lukesky@lukesky:~$


    This is expected. The /etc/krb5.keytab is normally only readable as
    root.

    Presumably, a successful kinit as above means that your /etc/krb5.keytab
    file matches the principal on the KDC side. If you are still having
    problems, it's likely not with the host keytab.




  10. Re: Problem with Kerberos Service


    Ok, and about telnet... what can you tell me?

    lukesky@lukesky:~$ kinit pippo
    Password for pippo@EPILUKE.IT:
    lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    Trying 192.168.182.185...
    Connected to lukesky.epiluke.it (192.168.182.185).
    Escape character is '^]'.
    [ Kerberos V5 accepts you as ``pippo@EPILUKE.IT'' ]
    Password for pippo:
    Login incorrect

    It seems that something has changed... what does [ Kerberos V5 accepts you as
    ``pippo@EPILUKE.IT'' ] mean????

    Why does it ask "Password for pippo: "??? What do I have to insert?

    Is it ok?


    Christopher D. Clausen wrote:
    >
    > LukePet wrote:
    >> I tried and I have this:
    >>
    >> lukesky@lukesky:~$ kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    >> kinit(v5): Permission denied while getting initial credentials
    >> lukesky@lukesky:~$ sudo kinit -k host/lukesky.epiluke.it@EPILUKE.IT
    >> lukesky@lukesky:~$

    >
    > This is expected. The /etc/krb5.keytab is normally only readable as
    > root.
    >
    > Presumably, a successful kinit as above means that your /etc/krb5.keytab
    > file matches the principal on the KDC side. If you are still having
    > problems, it's likely not with the host keytab.
    >




  11. Re: Problem with Kerberos Service

    LukePet wrote:
    > Ok, and about telnet... what can you tell me?
    >
    > lukesky@lukesky:~$ kinit pippo
    > Password for pippo@EPILUKE.IT:
    > lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    > Trying 192.168.182.185...
    > Connected to lukesky.epiluke.it (192.168.182.185).
    > Escape character is '^]'.
    > [ Kerberos V5 accepts you as ``pippo@EPILUKE.IT'' ]
    > Password for pippo:
    > Login incorrect
    >
    > It seems that something has changed... what does [ Kerberos V5 accepts
    > you as ``pippo@EPILUKE.IT'' ] mean????
    >
    > Why does it ask "Password for pippo: "??? What do I have to insert?


    I don't know why it asks for a password. The "Kerberos accepts you as"
    message should indicate that telnetd has received forwarded Kerberos
    credentials from your telnet client.




  12. Re: Problem with Kerberos Service


    So this is my situation:

    I have configured the kerberized services FTP and Telnet.

    Then I have added two user principals to my db; specifically I have executed
    these instructions:

    kadmin: listprincs
    K/M@EPILUKE.IT
    ftp/lukesky.epiluke.it@EPILUKE.IT
    host/lukesky.epiluke.it@EPILUKE.IT
    kadmin/admin@EPILUKE.IT
    kadmin/changepw@EPILUKE.IT
    kadmin/history@EPILUKE.IT
    kadmin/lukesky.epiluke.it@EPILUKE.IT
    krbadm/admin@EPILUKE.IT
    krbtgt/EPILUKE.IT@EPILUKE.IT
    kadmin: addprinc -policy user lukesky
    Enter password for principal "lukesky@EPILUKE.IT":
    Re-enter password for principal "lukesky@EPILUKE.IT":
    Principal "lukesky@EPILUKE.IT" created.
    kadmin: addprinc -policy user romaluca
    Enter password for principal "romaluca@EPILUKE.IT":
    Re-enter password for principal "romaluca@EPILUKE.IT":
    Principal "romaluca@EPILUKE.IT" created.
    kadmin: quit
    lukesky@lukesky:~$ kinit lukesky
    Password for lukesky@EPILUKE.IT:
    lukesky@lukesky:~$ ftp lukesky.epiluke.it
    Connected to lukesky.epiluke.it.
    220 lukesky.epiluke.it FTP server (Version 5.60) ready.
    334 Using authentication type GSSAPI; ADAT must follow
    GSSAPI accepted as authentication type
    GSSAPI authentication succeeded
    Name (lukesky.epiluke.it:lukesky): lukesky (----------------------> is it
    right to write 'lukesky' as Name?)
    232 GSSAPI user lukesky@EPILUKE.IT is authorized as lukesky
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> 221 Goodbye.

    but if I use romaluca like user I have this:

    lukesky@lukesky:~$ kinit romaluca
    Password for romaluca@EPILUKE.IT:
    lukesky@lukesky:~$ ftp lukesky.epiluke.it
    Connected to lukesky.epiluke.it.
    220 lukesky.epiluke.it FTP server (Version 5.60) ready.
    334 Using authentication type GSSAPI; ADAT must follow
    GSSAPI accepted as authentication type
    GSSAPI authentication succeeded
    Name (lukesky.epiluke.it:lukesky): romaluca
    331 GSSAPI user romaluca@EPILUKE.IT is not authorized as romaluca; Password
    required.
    Password: (------------> why does it ask me for a password?)

    With lukesky it seems to work correctly, but with romaluca it works differently.

    Can you explain this behavior??? I don't understand.




    Jeffrey Altman-2 wrote:
    >
    > Christopher D. Clausen wrote:
    >> LukePet wrote:
    >>> Ok, and about telnet... what can you tell me?
    >>>
    >>> lukesky@lukesky:~$ kinit pippo
    >>> Password for pippo@EPILUKE.IT:
    >>> lukesky@lukesky:~$ telnet -a -l pippo lukesky.epiluke.it
    >>> Trying 192.168.182.185...
    >>> Connected to lukesky.epiluke.it (192.168.182.185).
    >>> Escape character is '^]'.
    >>> [ Kerberos V5 accepts you as ``pippo@EPILUKE.IT'' ]
    >>> Password for pippo:
    >>> Login incorrect
    >>>
    >>> It seems that something has changed... what does [ Kerberos V5 accepts
    >>> you as ``pippo@EPILUKE.IT'' ] mean????
    >>>
    >>> Why does it ask "Password for pippo: "??? What do I have to insert?

    >>
    >> I don't know why it asks for a password. The "Kerberos accepts you as"
    >> message should indicate that telnetd has received forwarded Kerberos
    >> credentials from your telnet client.
    >>

    > The Kerberos v5 accepts you message only indicates that Kerberos
    > authentication has succeeded. It does not indicate whether or not there
    > actually exists a local account 'pippo' on the machine, or whether the
    > Kerberos principal 'pippo@EPILUKE.IT' maps to that account.
    >
    > Nor does the accepts message indicate anything about forwarded
    > credentials. If credentials were forwarded you would see a "remote
    > machine has accepted forwarded credentials" message.
    >
    > The above telnet session is not using mutual authentication. That would
    > be indicated by a "remote machine has been mutually authenticated"
    > message and if there was encryption you would be seeing "output is now
    > encrypted" and "input is now decrypted" messages.
    >
    > Jeffrey Altman
    >
    >
    >



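    Jeffrey Altman's point in the quoted reply (Kerberos authentication succeeded, but that says nothing about whether a local account exists or whether the principal maps to it) is the same check that the ftpd output in this post reports as "is not authorized as romaluca; Password required". The following Python function is an added example, not code from the thread, MIT Kerberos, telnetd or ftpd; it models the usual krb5_kuserok rule as an assumption (a principal is authorized for a local account if that account's ~/.k5login lists it, or, when no .k5login exists, if the principal is exactly <account>@<default realm>) over constructed sample accounts.

```python
"""Authentication vs. authorization after a Kerberos login.

Added example, not code from the thread, MIT Kerberos, telnetd or ftpd.  It
models the usual krb5_kuserok rule as an assumption: a principal may use a
local account if the account's ~/.k5login lists it, or, when there is no
.k5login, if the principal is exactly <account>@<default realm>.  Accounts
and .k5login contents below are constructed sample data.
"""
from typing import Dict, Optional, Set, Tuple

DEFAULT_REALM = "EPILUKE.IT"

# Constructed: local account name -> contents of its .k5login, or None if absent.
LOCAL_ACCOUNTS: Dict[str, Optional[Set[str]]] = {
    "lukesky": None,                       # no .k5login: default-realm rule applies
    "pippo": {"romaluca@EPILUKE.IT"},      # .k5login present and lists one principal
}


def split_principal(principal: str) -> Tuple[str, str]:
    """'name@REALM' -> ('name', 'REALM'); the realm is case-sensitive."""
    if "@" not in principal:
        raise ValueError("principal must have the form name@REALM")
    name, realm = principal.rsplit("@", 1)
    return name, realm


def authorize(principal: str, local_user: str,
              accounts: Dict[str, Optional[Set[str]]] = LOCAL_ACCOUNTS,
              default_realm: str = DEFAULT_REALM) -> str:
    """Decide whether an already-authenticated principal may log in as local_user.

    Returns 'ok', 'no-account' (no such local user) or 'not-authorized'
    (the account exists but the principal does not map to it).
    """
    if local_user not in accounts:
        return "no-account"
    k5login = accounts[local_user]
    if k5login is not None:                # .k5login is authoritative when present
        return "ok" if principal in k5login else "not-authorized"
    name, realm = split_principal(principal)
    if name == local_user and realm == default_realm:
        return "ok"
    return "not-authorized"


if __name__ == "__main__":
    for who, as_user in (("lukesky@EPILUKE.IT", "lukesky"),
                         ("romaluca@EPILUKE.IT", "romaluca"),
                         ("romaluca@EPILUKE.IT", "pippo"),
                         ("pippo@EPILUKE.IT", "pippo")):
        print("%-22s as %-9s -> %s" % (who, as_user, authorize(who, as_user)))
```

    In the constructed data pippo's account carries a .k5login that lists only romaluca@EPILUKE.IT, so pippo@EPILUKE.IT is authenticated but not authorized for its own account while romaluca@EPILUKE.IT may log in as pippo; romaluca with no local account gets 'no-account'. Either condition produces the password fallback seen in the thread; which one applied on the poster's machine is not shown there.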
