Re: Lots of UNKNOWN_SERVER this time... whoa - Kerberos

This is a discussion on Re: Lots of UNKNOWN_SERVER this time... whoa - Kerberos ; Hi Russ, > Your PAM module seems to be probing for a default realm by > trying various manipulations of your local hostname. Usually > this would indicate that your krb5.conf isn't setting a local > realm. Here's /etc/krb5.conf. Using ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Re: Lots of UNKNOWN_SERVER this time... whoa

  1. Re: Lots of UNKNOWN_SERVER this time... whoa

    Hi Russ,

    > Your PAM module seems to be probing for a default realm by
    > trying various manipulations of your local hostname. Usually
    > this would indicate that your krb5.conf isn't setting a local
    > realm.


    Here's /etc/krb5.conf. Using 'kinit jblaine' asks me for
    the password for jblaine@RCF.FOO.COM, so I believe it is
    using krb5.conf fine.

    [libdefaults]
    default_realm = RCF.FOO.COM
    forwardable = yes

    [appdefaults]
    forwardable = yes

    [domain_realm]
    .foo.com = RCF.FOO.COM
    foo.com = RCF.FOO.COM

    [realms]
    RCF.FOO.COM = {
    kdc = kdc.foo.com
    admin_server = kdc.foo.com
    }

    [logging]
    kdc = FILE:/var/adm/krb5kdc.log
    admin_server = FILE:/var/adm/kadmin.log
    default = FILE:/var/adm/krb5lib.log

    > Does the stock pam_krb5.so on Solaris look for krb5.conf in
    > some different path than the one that you updated, perhaps?


    The only Solaris box in the picture is the KDC, kdc.foo.com.

    pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
    (aka 129.83.11.213).

    All pam_krb5.so modules in use are stock.

    >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
    >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
    >> jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not
    >> found in Kerberos database

    >
    > These are interesting. I've not heard of afsx before. What aklog
    > are you using?


    Interesting indeed. OpenAFS 1.4.3 aklog.

    I just found the reference in the RHELv4 pam_krb5.so
    on the client box:

    # strings /lib/security/pam_krb5.so | grep afsx
    afsx
    #
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Lots of UNKNOWN_SERVER this time... whoa

    I think I see part of the problem, and don't know who is
    to "blame" for it.

    The command 'kdb5_util create -r RCF.FOO.COM -s' created
    krbtgt/RCF.FOO.COM@RCF.FOO.COM

    The authentication process is trying to find
    krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.

    Is kdb5_util creating an improperly named krbtgt principal
    or is RHELv4 pam_krb5.so improperly naming its requested
    principal (lowercasing it)?

    Jeff Blaine wrote:
    > Hi Russ,
    >
    > > Your PAM module seems to be probing for a default realm by
    > > trying various manipulations of your local hostname. Usually
    > > this would indicate that your krb5.conf isn't setting a local
    > > realm.

    >
    > Here's /etc/krb5.conf. Using 'kinit jblaine' asks me for
    > the password for jblaine@RCF.FOO.COM, so I believe it is
    > using krb5.conf fine.
    >
    > [libdefaults]
    > default_realm = RCF.FOO.COM
    > forwardable = yes
    >
    > [appdefaults]
    > forwardable = yes
    >
    > [domain_realm]
    > .foo.com = RCF.FOO.COM
    > foo.com = RCF.FOO.COM
    >
    > [realms]
    > RCF.FOO.COM = {
    > kdc = kdc.foo.com
    > admin_server = kdc.foo.com
    > }
    >
    > [logging]
    > kdc = FILE:/var/adm/krb5kdc.log
    > admin_server = FILE:/var/adm/kadmin.log
    > default = FILE:/var/adm/krb5lib.log
    >
    > > Does the stock pam_krb5.so on Solaris look for krb5.conf in
    > > some different path than the one that you updated, perhaps?

    >
    > The only Solaris box in the picture is the KDC, kdc.foo.com.
    >
    > pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
    > (aka 129.83.11.213).
    >
    > All pam_krb5.so modules in use are stock.
    >
    > >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
    > >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
    > >> jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not
    > >> found in Kerberos database

    > >
    > > These are interesting. I've not heard of afsx before. What aklog
    > > are you using?

    >
    > Interesting indeed. OpenAFS 1.4.3 aklog.
    >
    > I just found the reference in the RHELv4 pam_krb5.so
    > on the client box:
    >
    > # strings /lib/security/pam_krb5.so | grep afsx
    > afsx
    > #
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Lots of UNKNOWN_SERVER this time... whoa

    >The authentication process is trying to find
    >krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.
    >
    >Is kdb5_util creating an improperly named krbtgt principal
    >or is RHELv4 pam_krb5.so improperly naming its requested
    >principal (lowercasing it)?


    As a guess, I believe that pam_krb5.so thinks that it needs to authenticate
    to the realm rcf.foo.com, so it's asking for a cross-realm ticket to go
    between rcf.foo.com and RCF.FOO.COM. I don't see anything in your
    krb5.conf that would make it think that, but something is hinky here.

    (It's definately not a problem on your KDC, FWIW).

    --Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Lots of UNKNOWN_SERVER this time... whoa

    I believe I am chalking this (original reported issue)
    up to a broken sshd_config, believe it or not. All of
    the crazy UNKNOWN_SERVER errors are gone.

    UsePAM was yes, ChallengeResponseAuthentication was "no"
    so no PAM auth was being used. Don't ask me how, but I
    was getting in somehow and getting creds after a 10sec
    delay and the spammy errors.

    I forced all GSSAPI and Kerberos options to "no" and left
    ChallengeResponseAuthentication and UsePAM as "yes".

    NOW I get right in ... and *end up with no stored* krb5
    credentials. krb5kdc.log shows them acquired.

    client sshd[19529]: pam_krb5[19529]: configured realm 'RCF.FOO.COM'
    client sshd[19529]: pam_krb5[19529]: flags: forwardable
    client sshd[19529]: pam_krb5[19529]: flag: no ignore_afs

    ^^^ HUH? Flag not even in man page.

    client sshd[19529]: pam_krb5[19529]: flag: user_check
    client sshd[19529]: pam_krb5[19529]: flag: no krb4_convert

    ^^^ NOTE

    client sshd[19529]: pam_krb5[19529]: flag: warn
    client sshd[19529]: pam_krb5[19529]: ticket lifetime: 0
    client sshd[19529]: pam_krb5[19529]: renewable lifetime: 0
    client sshd[19529]: pam_krb5[19529]: minimum uid: 100
    client sshd[19529]: pam_krb5[19529]: banner: Kerberos 5
    client sshd[19529]: pam_krb5[19529]: ccache dir: /tmp
    client sshd[19529]: pam_krb5[19529]: keytab: /etc/krb5.keytab
    client sshd[19529]: pam_krb5[19529]: called to authenticate 'jblaine'
    client sshd[19529]: pam_krb5[19529]: authenticating 'jblaine@RCF.FOO.COM'
    client sshd[19529]: pam_krb5[19529]: saving newly-entered password for
    use by other modules
    client sshd[19529]: pam_krb5[19529]: trying newly-entered password for
    'jblaine'
    client sshd[19529]: pam_krb5[19529]: authenticating
    'jblaine@RCF.FOO.COM' to 'krbtgt/RCF.FOO.COM@RCF.FOO.COM'
    client sshd[19529]: pam_krb5[19529]:
    krb5_get_init_creds_password(krbtgt/RCF.FOO.COM@RCF.FOO.COM) returned 0
    (Success)
    client sshd[19529]: pam_krb5[19529]: got result 0 (Success)
    client sshd[19529]: pam_krb5[19529]: obtaining v4-compatible key

    ^^^ WHY!?

    client sshd[19529]: pam_krb5[19529]: obtained des-cbc-crc v5 creds
    client sshd[19529]: pam_krb5[19529]: converting v5 creds to v4 creds
    (etype = 1)
    client sshd[19529]: pam_krb5[19529]: conversion failed: -1765328228
    (Cannot contact any KDC for requested realm)

    ^^^ GRRRR

    client sshd[19529]: pam_krb5[19529]: obtaining initial v4 creds
    client sshd[19529]: pam_krb5[19529]: converted principal to
    'jblaine'[.]''@'RCF.FOO.COM'
    client sshd[19529]: pam_krb5[19529]: preparing to place v4 credentials
    in '/tmp/tkt26560_Hf9DpJ'
    client sshd[19529]: pam_krb5[19529]: could not obtain initial v4 creds:
    7 (Argument list too long)
    client sshd[19529]: pam_krb5[19529]: error obtaining v4 creds: 57
    (Invalid slot)

    ^^^ WTF?

    client sshd[19529]: pam_krb5[19529]: authentication succeeds for
    'jblaine' (jblaine@RCF.FOO.COM)
    client sshd[19529]: pam_krb5[19529]: pam_authenticate returning 0 (Success)

    ============== KDC REPORTS JUST THEN ================================
    kdc krb5kdc[1862](info): AS_REQ (7 etypes {18 17 16 23 1 3 2})
    129.83.11.213: ISSUE: authtime 1177969934, etypes {rep=16 tkt=16
    ses=16}, jblaine@RCF.FOO.COM for krbtgt/RCF.FOO.COM@RCF.FOO.COM

    kdc krb5kdc[1862](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE:
    authtime 1177969934, etypes {rep=16 tkt=16 ses=1}, jblaine@RCF.FOO.COM
    for krbtgt/RCF.FOO.COM@RCF.FOO.COM
    ============== END KDC REPORT =======================================

    client sshd[19527]: Accepted keyboard-interactive/pam for jblaine from
    ::ffff:129.83.10.14 port 43521 ssh2
    client sshd(pam_unix)[19530]: session opened for user jblaine by (uid=0)
    client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
    client sshd[19530]: pam_krb5[19530]: flags: forwardable
    client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
    client sshd[19530]: pam_krb5[19530]: flag: user_check
    client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
    client sshd[19530]: pam_krb5[19530]: flag: warn
    client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
    client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
    client sshd[19530]: pam_krb5[19530]: minimum uid: 100
    client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
    client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
    client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
    client sshd[19530]: pam_krb5[19530]: no v5 creds for user 'jblaine',
    skipping session setup

    ^^^ NOTE

    client sshd[19530]: pam_krb5[19530]: pam_open_session returning 0 (Success)
    client sshd[19530]: (pam_afs_session): pam_sm_open_session: entry (0x0)
    client sshd[19530]: (pam_afs_session): skipping, no Kerberos ticket cache

    ^^^ NOTE

    client sshd[19530]: (pam_afs_session): pam_sm_open_session: exit (success)
    client sshd[19530]: pam_krb5[19530]: configured realm 'RCF.FOO.COM'
    client sshd[19530]: pam_krb5[19530]: flags: forwardable
    client sshd[19530]: pam_krb5[19530]: flag: no ignore_afs
    client sshd[19530]: pam_krb5[19530]: flag: user_check
    client sshd[19530]: pam_krb5[19530]: flag: no krb4_convert
    client sshd[19530]: pam_krb5[19530]: flag: warn
    client sshd[19530]: pam_krb5[19530]: ticket lifetime: 0
    client sshd[19530]: pam_krb5[19530]: renewable lifetime: 0
    client sshd[19530]: pam_krb5[19530]: minimum uid: 100
    client sshd[19530]: pam_krb5[19530]: banner: Kerberos 5
    client sshd[19530]: pam_krb5[19530]: ccache dir: /tmp
    client sshd[19530]: pam_krb5[19530]: keytab: /etc/krb5.keytab
    client sshd[19530]: pam_krb5[19530]: called to update credentials for
    'jblaine'
    client sshd[19530]: pam_krb5[19530]: _pam_krb5_sly_refresh returning 0
    (Success)

    ================================================== ====================

    debug1: Authentication succeeded (keyboard-interactive).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    ....
    ~:client> /usr/kerberos/bin/klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_26560)


    Kerberos 4 ticket cache: /tmp/tkt26560
    klist: You have no tickets cached
    ~:client>
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread