Re: Kerberos Login Issues

Josh Kelley · ‎02-19-2007

I have been trying to get Kerberos to authenicate against the Active Directory server we have here. The Redhat Linux test worked fine so I've moved on to HPUX. After we loaded krb5client 1.3.5.05, kinit was able to worked fine. Then we modified /etc/pam.conf just like the sample file. When I try to use my Active Directory password through ssh, it fails.

Here is a copy of /etc/krb5.conf
[logging]
default = FILE:/var/adm/krb5lib.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log

[libdefaults]
ticket_liftetime = 24000
default_realm = AD.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
AD.COMPANY.COM = {
kdc = DC01.AD.COMPANY.COM
admin_server = DC01.AD.COMPANY.COM
}

[domain_realm]
ad.company.com = AD.COMPANY.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

This is pam.conf, just the authenication section:

login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1

Here is what's in syslog:

Feb 19 13:42:38 redoak login: [Cannot find KDC for requested realm] Unable to verify Kerberos V5 TGT: [redoak.company.com]
Feb 19 13:42:38 redoak login: Kerberos V5 TGT bad: Cannot find KDC for requested realm
Feb 19 13:42:38 redoak login: while verifying tgt[Unknown code ____ 255]
Feb 19 13:42:38 redoak login: [Authentication failed] Password not valid

Any help would be appreciated.

Don Mallory · ‎02-20-2007

Hi there,

I'm running the 1.3.5.03 client on HP-UX 11.11, however I doubt there will be much difference.

Lets start with the krb5.conf:

[libdefaults]
default_realm = MYDOMAIN.CA
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
checksum_type = 1

[realms]
MYDOMAIN.CA = {
kdc = 192.168.123.8:88
kdc = 192.168.123.44:88
admin_server = 192.168.123.8:749
kpasswd_server = 192.168.123.8:464
}

[domain_realm]
.mydomain.ca = MYDOMAIN.CA

[logging]
kdc = FILE:/var/adm/syslog/krb5kdc.log
admin_server = FILE:/var/adm/syslog/kadmin.log
default = FILE:/var/adm/syslog/krb5lib.log

[appdefaults]
telnet = {
forward = true
forwardable = false
autologin = true
fallback = true
}

rlogin = {
forward = true
forwardable = false
fallback = true
}

remsh = {
forward = true
forwardable = false
fallback = true
}

kinit = {
forward = false
forwardable = true
proxiable = true
tkt_lifetime = 10h
renew_lifetime = 5d
}

ftp = {
fallback = true
}

You need to set encryption types when connecting to an AD. It's only capable of DES-CBC-CRC.

I used static IPs for the KDC, admin server and passwd server because of the timeouts in the Kerberos protocol. In a failover situation, you will find it to pause for 10 seconds for every failed requested. Logins will take minutes. Using static IPs reduces the dependancy on DNS.

In the domain_realm, you need it to be your actual domain name with a preceeding . to equal your Kerberos realm.

I also included app defaults. You can change if you like, but these are allowing for the fallback and fowarding features.

On to the pam.conf:

# Authentication management
#
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth required /usr/lib/security/libpam_updbe.1
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth required /usr/lib/security/libpam_updbe.1
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth required /usr/lib/security/libpam_updbe.1
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth required /usr/lib/security/libpam_updbe.1
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
rcomds auth required /usr/lib/security/libpam_updbe.1
rcomds auth sufficient /usr/lib/security/libpam_krb5.1
rcomds auth required /usr/lib/security/libpam_unix.1 try_first_pass
sshd auth required /usr/lib/security/libpam_updbe.1
sshd auth sufficient /usr/lib/security/libpam_krb5.1
sshd auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1

I've included updbe.1 What this does it skip kerberos authentication for users listed in the pam_user.conf file, like this:

root auth /usr/lib/security/libpam_krb5.1 ignore

Lastly, I'm going to point you to a document...

Kerberos Doc reference:

A Basic Step-by-Step Summary of Kerberos v.51 Setup on HPUX DocId: PAMKKBAN00000983 Updated: 20050127

A copy is also in this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163

This document is one of the best resources I've ever used wrt Kerberos. It's very direct and to the point.

Good luck.

Don

Vince Laurent · ‎06-18-2014

"Lastly, I'm going to point you to a document...

Kerberos Doc reference:

A Basic Step-by-Step Summary of Kerberos v.51 Setup on HPUX DocId: PAMKKBAN00000983 Updated: 20050127

A copy is also in this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163

This document is one of the best resources I've ever used wrt Kerberos. It's very direct and to the point."

Do you know where I can find this doc?

Dennis Handly · ‎06-19-2014

>Do you know where I can find this doc?

Well searching HP-UX > HP-UX Technical Documentation finds:
http://h30499.www3.hp.com/t5/HP-UX-Technical-Documentation/Request-for-Feedback-on-Kerberos-Server-v3-1/m-p/3284618

But all the docs at docs.hp.com have been moved.

mr google finds: Kerberos Server Version 3.1 Administrator’s Guide HP-UX 11i v2 Edition 5

http://h20566.www2.hp.com/portal/site/hpsc/template.BINARYPORTLET/public/kb/docDisplay/resource.process/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.rid_ba847bafb2a2d782fcbb0710b053ce01=docDisplayResURL&javax.portlet.rst_ba847bafb2a2d782fcbb0710b053ce01=wsrp-resourceState%3DdocId%253Demr_na-c02037286-1%257CdocLocale%253D&javax.p...

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Kerberos Login Issues

Kerberos Login Issues