
Problem with Kerberos/ldapux/sshd vs. Active Directory

Danny Petterson - DK
Trusted Contributor

Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi Gurus!

We authenticate unix-users against AD, using Kerberos/PAM/ldapux/sshd - and it usually works fine.

But right now we have a strange problem with one machine, giving us these errors in syslog when we try to login:

Feb 8 14:42:08 SERVER sshd[8114]: [Key table entry not found] Unable to verify host ticket
Feb 8 14:42:08 SERVER sshd[8114]: [Key table entry not found] can't verify v5 ticket: ; keytab found, assuming failure
Feb 8 14:42:08 SERVER sshd[8114]: while verifying tgt[Unknown code ____ 255]
Feb 8 14:42:08 SERVER sshd[8114]: [Authentication failed] Password not valid
Feb 8 14:42:10 SERVER sshd[8114]: error: PAM: No account present for user for myuser.in.AD

Kerberos from the prompt (using kdestroy, kinit, klist) works fine, pamkrbval works, pwget for users in the ldap-directory works, etc....I have NO idea what the problem is, as it usually works.

Thanks in advance
Danny
11 REPLIES
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hm - maybe I was too hasty, so the post above lacks a lot of information:

This is the software installed on the host:

kinit -kt /etc/krb5.keytab host/backup9F@VELUX.ORG

...works fine, indicating that the keytab-file is ok.

Software installed:
LDAPUX B.04.20 LDAP-UX Integration
PAMKerberos D.01.26 PAM-Kerberos Version 1.26
ixPAMmkdir A.10.00-1.0.002 Home Directory Creation
PHSS_40655 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
SecureShell A.05.10.026 HP-UX Secure Shell


sshd_config is configured for using PAM and kerberos.

Sorry for the missing information - hope somebody has an idea about what to look for.

Thanks in advance
Danny
RC Park
Frequent Advisor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Until someone comes along that knows more, I'll take a stab :)

1. Did I understand correctly that you have several systems running the same configuration, but only one giving you trouble? If so please review what changes happened to the server within the last 7 days prior to the problem starting.

2. Whether or not you can identify any changes, you need to begin the debugging process, which anyone with any long-term support experience will tell you is the same regardless of platform. It's a process of elimination. Start with verifying the various stages of the process. Keep ruling out things that are associated with functioning portions of this until you're left looking at that which doesn't function. Break down larger processes into their component steps and make sure you understand every one and that it's all working, for somewhere along the line, you'll find your problem.

3. Comparison - not knowing 'ldapux', I can't be specific, but review any configs, files, directories associated with this product and compare them to working versions on the servers without issues.

I could go on, but this is a start...

-RCP
Sameer_Nirmal
Honored Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Not sure what you mean by saying "it usually works".

Maybe the access to the system is in the form of FQHN?

I would check if kvno values and encryption types match, besides host credentials.
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi Guys!

I finally got it to work - it was ALL me apparently, sorry guys :-( - it looks like a letter in the principal-name was uppercase in the keytab, but for some reason not on the KDC. This makes the unknown error 255 apparently. Anyway, another thing that puzzles me is that while testing, I tried to remove the keytab-file entirely - which made login using AD-accounts work. I didn't know that was possible? It just told me, as the keytab file was missing, it was assuming success.

But bottom line - thanks for the help guys, you rule.

Yours
Danny
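
A check for the cause found above, as an added example that is not part of the original posts: it compares a keytab listing with the principal name as the KDC has it, case-sensitively, and reports an unreadable keytab separately, since without one the host has no key to verify the TGT against. The MIT-style `klist -k` layout and the host and realm names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes MIT-style `klist -k` output:
# header lines, then one "KVNO principal" line per key.

# Classify keytab entries read on stdin against the principal name exactly as
# it is registered on the KDC. Kerberos principal names are case-sensitive.
# Prints: exact | case-mismatch:<keytab entry> | missing | empty
check_keytab_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {          # entry lines start with a KVNO
            seen = 1
            if ($2 == want) { exact = 1 }
            else if (tolower($2) == tolower(want) && near == "") { near = $2 }
        }
        END {
            if (!seen)           print "empty"
            else if (exact)      print "exact"
            else if (near != "") print "case-mismatch:" near
            else                 print "missing"
        }'
}

# Check the file first: an absent keytab means the PAM module has no host key
# with which to verify the TGT, the "assuming success" case from the thread.
audit_keytab() {
    if [ ! -r "$1" ]; then
        echo "no-keytab"
        return 2
    fi
    klist -k "$1" | check_keytab_principal "$2"
}

# Constructed sample listing; host and realm names are placeholders.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/UnixHost01@EXAMPLE.ORG
   3 host/UnixHost01@EXAMPLE.ORG
EOF
}

# Demo: the KDC knows the all-lowercase name, the keytab holds mixed case.
sample_listing | check_keytab_principal "host/unixhost01@EXAMPLE.ORG"
```

On a real host, call audit_keytab with the keytab path and the principal copied from the KDC side rather than retyped.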
Chandrahasa s
Valued Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi Danny,

We are looking for the same solution that you have now to authenticate Unix systems in AD.
Can you provide a detailed procedure to do this?

Chandra
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi!

Well - thank god HP has made an excellent document since I implemented the solution, describing in detail what you should do:

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Good luck :-)

Greetings
Danny
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Closed
Chandrahasa s
Valued Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi,
Can you please confirm whether HP-UX LDAP is free or needs to be purchased?

Chandra
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Chandrahasa s
Valued Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Hi,

It's one more question to you -- we want to use ADS only for storing user and group attributes and to centralise authorizing users for Unix servers. For this, is it necessary to configure CIFS and Kerberos auth?

Chandra....
Danny Petterson - DK
Trusted Contributor

Re: Problem with Kerberos/ldapux/sshd vs. Active Directory

Kerberos yes, CIFS no