Authentication using the KRB5A method issues (AIX-AD) - Kerberos


  1. Authentication using the KRB5A method issues (AIX-AD)



    I got single sign-on working, but now I'm trying to make AIX
    authenticate using Kerberos to a 2003 AD without ticket verification
    (non single sign-on).

    Now the password changes in AD are immediately noticed by the client (AIX).

    But I still have a problem with ssh, telnet and ftp.

    And I have my tgt_verify flag=false in order not to use a keytab file...

    I can use the same user's password on the AIX machine (even after
    a password reset in AD):
    bash-3.00# /usr/krb5/bin/kinit test5
    Password for test5@DALABB.VOLVO.NET :
    bash-3.00#


    but not ssh, telnet or ftp...

    ssh result:
    ----------
    bash-3.00# ssh test4@vx32
    test4@vx32's password:
    Permission denied, please try again.
    test4@vx32's password:

    telnet result:
    ------------
    [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
    failed: Unsupported key table format version number ]
    [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
    failed: Unsupported key table format version number ]

    telnet (vx32)

    AIX Version 5
    (C) Copyrights by IBM and by others 1982, 2005.
    login: test4
    test4's Password:
    3004-007 You entered an invalid login name or password.
    login:


    My krb5.conf (this file has already been edited a thousand times)... but this
    one works with single sign-on...
    ====================================
    [libdefaults]
    default_realm = X.Y.NET
    # default_keytab_name = FILE:/etc/krb5/krb5.keytab
    # (someone asked me to try commenting this out, but it doesn't make a difference)
    # default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    # default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    [realms]
    X.Y.NET = {
    kdc = abc.x.y.net:88
    admin_server = abc.x.y.net:749
    default_domain = x.y.net
    }

    [domain_realm]
    ..x.y.net = X.Y.NET
    abc.x.y.net = X.Y.NET
    # abc.x.y.net = X.Y.NET

    [logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    default = FILE:/var/krb5/log/krb5lib.log
    =======================================
    My methods.cfg (also edited a thousand times)
    =======================================
    KRB5A:
    program = /usr/lib/security/KRB5A
    program_64 = /usr/lib/security/KRB5A_64
    # options = authonly
    options = tgt_verify = no

    KRB5Afiles:
    options = db=BUILTIN,auth=KRB5A

    NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64

    DCE:
    program = /usr/lib/security/DCE

    LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64

    PAM:
    program = /usr/lib/security/PAM

    PAMfiles:
    options = auth=PAM,db=BUILTIN
    ======================================

    This is how I create the user in AIX (client):

    bash-3.00# mkuser registry=KRB5Afiles SYSTEM=KRB5Afiles auth_domain=dalabb.volvo.net test5
    bash-3.00# su test5
    bash-3.00# whoami
    test5
    bash-3.00# lsauthent
    Kerberos 5
    Standard Aix
    bash-3.00# echo $AUTHSTATE
    compat

    When I tried ssh -v, below is the output. It still prompts for the
    password again:

    bash-3.00# ssh -v test5@vx32
    OpenSSH_4.2p1, OpenSSL 0.9.7c 30 Sep 2003
    debug1: Reading configuration data /soe3/opt/openssh-4.2p1/etc/ssh_config
    debug1: Connecting to vx32 [131.97.95.41] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/identity type -1
    debug1: identity file /.ssh/id_rsa type -1
    debug1: identity file /.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2
    debug1: match: OpenSSH_4.2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'vx32' is known and matches the DSA host key.
    debug1: Found key in /.ssh/known_hosts:4
    debug1: ssh_dss_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /.ssh/identity
    debug1: Trying private key: /.ssh/id_rsa
    debug1: Trying private key: /.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    test5@vx32's password:
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    Permission denied, please try again.
    test5@vx32's password:


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Authentication using the KRB5A method issues (AIX-AD)

    Mohamad Nurhafiza wrote:
    > I did the single sign on working, but now Im trying to do aix
    > authenticate using kerberos to a 2003 AD without ticket verification
    > (non single sign on)
    >
    > Now..the password changes in AD is immediately noticed by cleint(AIX).
    >
    > But I still have problem with ssh telnet and ftp.
    >
    > and i have my tgt_verify flag=false in order not to use keytab file...
    >
    > I can use the same user's password on the aix machine (even after
    > password reset in AD)
    > bash-3.00# /usr/krb5/bin/kinit test5
    > Password for test5@DALABB.VOLVO.NET :
    > bash-3.00#


    Is that kinit part of the AIX krb.client.rte fileset? Or are you using
    MIT Kerberos that you compiled from source?

    > but not ssh, telnet or ftp...
    >
    > ssh result:
    > ----------
    > bash-3.00# ssh test4@vx32
    > test4@vx32's password:
    > Permission denied, please try again.
    > test4@vx32's password:


    That's pretty useless. Run sshd as sshd -D -ddd -p 222 and then run
    ssh -vvv -p 222 and send the output of both so that you can actually
    check for errors.

    > telnet result:
    > ------------
    > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
    > failed: Unsupported key table format version number ]
    > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
    > failed: Unsupported key table format version number ]


    That is somewhat more useful. As it states above, there is something in
    the keytab file that telnet doesn't like.

    Run klist -k /var/krb5/security/keytab/`hostname`.keytab as root. If
    that doesn't work, look in /var/krb5/security/keytab/ for an old keytab
    file and possibly delete or rename it. AIX looks there for a keytab
    file by default, instead of the usual /etc/krb5.keytab or
    /etc/krb5/krb5.keytab.

    > my krb5.conf (this is thousandth time edited file already)...but this
    > one works with the single sign on...
    > ====================================
    > [libdefaults]
    > default_realm = X.Y.NET
    > # default_keytab_name = FILE:/etc/krb5/krb5.keytab //someone asked me
    > to try to comment it but ti don't make a different
    > # default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
    > des-cbc-md5 des-cbc-crc
    > # default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
    > des-cbc-md5 des-cbc-crc
    > default_tkt_enctypes = des-cbc-crc des-cbc-md5
    > default_tgs_enctypes = des-cbc-crc des-cbc-md5


    It's generally a bad idea to hardcode enctypes like the above. I'd
    recommend commenting out the above two lines.

    > KRB5A:
    > program = /usr/lib/security/KRB5A
    > program_64 = /usr/lib/security/KRB5A_64
    > # options = authonly
    > options = tgt_verify = no


    Hmm... Try options = tgt_verify=no just in case the spaces matter. In
    theory this should prevent KRB5A from looking at the keytab, but from
    the telnet output, it seems that either telnetd is still trying to do
    Kerberos/GSSAPI authentication or the tgt_verify option isn't working.

    And can you get the KDC logs when you try using ssh or telnet?



  3. Re: Authentication using the KRB5A method issues (AIX-AD)

    Mohamad Nurhafiza wrote:
    > Yes, it's part of the krb.client.rte fileset (AIX CD)
    >
    > bash-3.00# /usr/krb5/bin/klist -k
    > Keytab name: FILE:/etc/krb5/krb5.keytab
    > Unable to start keytab scan.
    > Status 0x96c73ad5 - Unsupported key table format version number.
    > bash-3.00# /usr/krb5/bin/klist -k /var/krb5/keytab/vx32.keytab
    > Keytab name: FILE:/var/krb5/keytab/vx32.keytab
    > Unable to start keytab scan.
    > Status 0x2 - A file or directory in the path name does not exist.


    rm /etc/krb5/krb5.keytab
    and try telnet / ssh again.

    And please reply to the list and not me directly.

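The keytab check suggested in the replies above (klist -k against the AIX default keytab path and the two usual ones), as an added example that is not part of this thread and is not IBM's, MIT's or AIX's code: a small Python parser of the version-2 keytab layout that lists the principals, kvnos and enctypes a file holds, raises the same "Unsupported key table format version number" condition for a file whose first two bytes are not 0x05 0x01 or 0x05 0x02, and walks the candidate paths in the order the reply says AIX consults them. The host name vx32, the realm X.Y.NET, the sample key bytes and the 76-byte non-keytab file are constructed for the example; the status code an AIX tool prints comes from IBM's library and is not reproduced here.

```python
"""Keytab format checker: an added example, not IBM's klist or any AIX tool.

A Kerberos library reports "Unsupported key table format version number"
when a keytab does not start with 0x05 0x01 (format 1) or 0x05 0x02
(format 2). This parses the version-2 on-disk layout (MIT/Heimdal).
"""
import struct

KEYTAB_MAGIC = 0x05
SUPPORTED_VERSIONS = (1, 2)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}


class KeytabError(ValueError):
    """Raised for files whose header or entries cannot be read as a keytab."""


def build_keytab(entries):
    """Serialise entries (realm, components, enctype, key, kvno, timestamp)
    as a version-2 keytab with big-endian fields. Used to build sample input."""
    out = bytearray([KEYTAB_MAGIC, 2])
    for e in entries:
        body = bytearray(struct.pack(">H", len(e["components"])))
        for s in [e["realm"]] + list(e["components"]):  # realm first, then name parts
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">I", 1)                    # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">IB", e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body      # record length prefix
    return bytes(out)


def parse_keytab(data):
    """Return {"version": n, "entries": [...]} or raise KeytabError."""
    if len(data) < 2 or data[0] != KEYTAB_MAGIC or data[1] not in SUPPORTED_VERSIONS:
        raise KeytabError("Unsupported key table format version number "
                          "(file starts with %r)" % bytes(data[:2]))
    version = data[1]
    if version == 1:
        # v1 files use host byte order and fold the realm into the component
        # count; this example reports the version and stops there.
        return {"version": 1, "entries": []}
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (a hole)
            pos += -size
            continue
        ent = data[pos:pos + size]
        if len(ent) != size:
            raise KeytabError("truncated entry at offset %d" % pos)
        pos += size
        (ncomp,) = struct.unpack_from(">H", ent, 0)
        off, strings = 2, []
        for _ in range(ncomp + 1):    # realm, then each name component
            (ln,) = struct.unpack_from(">H", ent, off)
            off += 2
            strings.append(ent[off:off + ln].decode())
            off += ln
        realm, comps = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", ent, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", ent, off)
        off += 4
        key = ent[off:off + klen]
        off += klen
        kvno = vno8
        if off + 4 <= len(ent):       # optional 32-bit kvno, used when nonzero
            (vno32,) = struct.unpack_from(">I", ent, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return {"version": version, "entries": entries}


def diagnose(files):
    """files maps path -> bytes (or None if absent); one status line per path."""
    report = []
    for path, data in files.items():
        if data is None:
            report.append("%s: absent" % path)
            continue
        try:
            kt = parse_keytab(data)
        except KeytabError as err:
            report.append("%s: UNUSABLE (%s)" % (path, err))
            continue
        names = ", ".join("%s kvno %d %s" % (e["principal"], e["kvno"], e["enctype_name"])
                          for e in kt["entries"])
        report.append("%s: v%d, entries=%d%s" % (path, kt["version"], len(kt["entries"]),
                                                 ": " + names if names else ""))
    return report


# Constructed sample input: one good keytab and a 76-byte leftover that is not
# a keytab at all (same size as the /etc/krb5/krb5.keytab shown in the thread).
GOOD_KEYTAB = build_keytab([{"realm": "X.Y.NET", "components": ["host", "vx32.x.y.net"],
                             "enctype": 23, "key": bytes(range(16)),
                             "kvno": 3, "timestamp": 1171500000}])
BAD_KEYTAB = b"This is not a keytab; it was left here by an old install".ljust(76, b"\n")
SAMPLE_FILES = {
    "/var/krb5/security/keytab/vx32.keytab": None,   # AIX default location
    "/etc/krb5/krb5.keytab": BAD_KEYTAB,             # the file telnetd choked on
    "/etc/krb5.keytab": GOOD_KEYTAB,
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_FILES):
        print(line)
```

Run it as a script for the sample report, or pass the bytes of a real file to parse_keytab. A file that fails the header check is what a stale or truncated keytab looks like to every Kerberized service on the host; removing it, as the reply advises, is only the whole fix when no service on that host is meant to accept tickets, and with tgt_verify=no on the login side there is no keytab left to confirm that the KDC answering the password-based AS exchange is the genuine one.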


  4. RE: Authentication using the KRB5A method issues (AIX-AD)




    -----Original Message-----
    From: Christopher D. Clausen [mailto:cclausen@acm.org]
    Sent: Thursday, February 15, 2007 4:35 AM
    To: Mohamad Nurhafiza
    Cc: kerberos@mit.edu
    Subject: Re: Authentication using the KRB5A method issues (AIX-AD)

    Mohamad Nurhafiza wrote:
    > Yes it's part from krb.client.rte fileset (AIX CD)
    >
    > bash-3.00# /usr/krb5/bin/klist -k
    > Keytab name: FILE:/etc/krb5/krb5.keytab
    > Unable to start keytab scan.
    > Status 0x96c73ad5 - Unsupported key table format version number.
    > bash-3.00# /usr/krb5/bin/klist -k /var/krb5/keytab/vx32.keytab
    > Keytab name: FILE:/var/krb5/keytab/vx32.keytab
    > Unable to start keytab scan.
    > Status 0x2 - A file or directory in the path name does not exist.


    rm /etc/krb5/krb5.keytab
    and try telnet / ssh again.

    A:
    After removing it and running ls -la:

    bash-3.00# cd /etc/krb5
    bash-3.00# ls -la
    total 120
    drwxr-xrwx 2 root security 512 Feb 14 23:05 .
    drwxr-xr-x 29 root system 3584 Feb 14 21:29 ..
    -rw------- 1 root system 76 Feb 06 05:30 krb5.keytab
    -rw------- 1 v0as034 staff 8
    -rw-r--r-- 1 root system 912 Dec 13 05:40 krb5.131206
    -rw-r--r-- 1 v0as034 staff 888 Oct 16 08:01 krb5.bak
    -rw-r--r-- 1 root security 944 Feb 14 11:40 krb5.conf
    -rw-r--r-- 1 v0as034 staff 748 Oct 12 12:25 krb5.conf.121006
    -rw-r--r-- 1 root system 1016 Dec 19 16:18 krb5.conf.ds
    -rw-r----- 1 v0as034 staff 1150 Sep 18 11:31 krb5.conf.org
    -rw-r--r-- 1 root system 709 Dec 19 16:05 krb5.conf.preds
    -rw------- 1 root system 160 Dec 19 08:42 krb5.keytab
    -rw-r--r-- 1 root security 785 Oct 13 05:17 krb5.tmp
    -rw-r--r-- 1 root system 7 Feb 12 05:59 krb5_cfg_type
    -rw------- 1 root system 76 Feb 05 07:09 krb5.keytab

    Trying to remove it again:

    bash-3.00# rm /etc/krb5/krb5.keytab
    rm: /etc/krb5/krb5.keytab: A file or directory in the path name does not exist.


    Is there anything wrong with the ssh logs?
    TQ


