02-04-2004 02:21 AM
I am busy changing my HP-UX system to authenticate via a W2K AD machine. I have installed Services for Unix 3.5 on the AD, configured LDAP client on UX, as well as PAM kerberos.
I can successfully authenticate on my UX box using credentials stored in the AD domain if I use interactive input.
If I switch on secure services with inetsvcs_sec enable, then I cannot use kerberos authentication.
Using the Windows version of MIT Kermit, with Kerberos support, it complains about the key size being incorrect. When listing the tickets I notice that the krbtgt ticket from AD is using DES-CBC-MD5 encryption but that the host/machine@REALM principal fetches a DES-CBC-CRC ticket.
***********************************************
[C:\Documents and Settings\test.UNIVERSE\] K-95> auth k5 list /e
Ticket cache: API:krb5cc
Default principal: test@UNIVERSE.CO.ZA
Valid starting Expires Service principal
01/30/04 09:03:19 01/30/04 19:03:19 krbtgt/UNIVERSE.CO.ZA@UNIVERSE.CO.ZA
Etype (skey, tkt): DES-CBC-MD5, DES-CBC-MD5
01/30/04 09:04:48 01/30/04 19:03:19 host/hpnew.universe.co.za@UNIVERSE.CO.ZA
Etype (skey, tkt): DES-CBC-CRC, DES-CBC-CRC
***********************************************
I have tried forcing the encryption in the krb5.conf file to MD5 but no luck. Also using ktpass on windows when mapping the host principal I have tried both the CRC and MD5 options, but it still seems to default to CRC.
Does the HP 11i version of Kerberos support any other type of authentication other than DES-CBC-CRC? Or is there a way to force windows encryption to another type, such as DES-CBC-CRC? Is there a later version of Kerberos for 11i that supports this encryption?
Another problem I have is that I have to untrust the system for this to work, it will not authenticate if the system is in trusted mode.
I have googled, searched, and still am stuck.
I would really appreciate any help
02-05-2004 01:05 AM
Solution
Ryan,
I was successful in getting Kerberos up and running in our test environment. I am ready to go production, but other business requirements have put it off for the near future.
The best recommendation I can give you is to make sure you are up to date on all Kerberos-specific patches for both HP-UX and W2K. I know we had to go to service pack 4 on W2K to make much progress. The latest I've heard on required HP-UX patches is as follows (may be updates since I received this list, so check ITRC):
PHSS_28940 KRB5-Client V 1.0
PHSS_26872 libsis Site-specific patch to read the appsdefaults section of /etc/krb5.conf (may not be required for your site. We were integrating with SAP)
PHNE_24829 1.0 telnet kernel, telnetd(1M), telnet(1) patch
PHNE_27765 1.0 ftpd(1M) patch
PHNE_27777 1.0 r-commands cumulative mega-patch
I worked with Don Isler at HP. He was very good, and provided me with the attached document.
We have our test systems trusted, and working, so I know what you are trying to accomplish is possible. A "klist -e" yields the following encryption type:
"Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5" for the kerberos ticket obtained.
Good luck
Do it right the first time and you will be ahead in the long run.
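An added example, not part of either post or of HP's documentation: a Python check that parses `klist -e` style listings such as the K95 output in the question, treats the short and descriptive etype names as the same thing, and flags service tickets whose etypes differ from the TGT's, plus any single-DES tickets. The function names are illustrative, and the `DES cbc mode with CRC-32` spelling is MIT's descriptive name for des-cbc-crc, which does not appear on this page.

```python
import re

# Display names for the same enctype: K95 prints the short form, MIT
# "klist -e" the descriptive form quoted in the reply above.
ALIASES = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # deprecated by RFC 6649

PRINCIPAL = re.compile(r"(\S+/\S+@\S+)\s*$")
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")

# Listing lines copied from the question in this thread.
SAMPLE = """\
Default principal: test@UNIVERSE.CO.ZA
01/30/04 09:03:19 01/30/04 19:03:19 krbtgt/UNIVERSE.CO.ZA@UNIVERSE.CO.ZA
Etype (skey, tkt): DES-CBC-MD5, DES-CBC-MD5
01/30/04 09:04:48 01/30/04 19:03:19 host/hpnew.universe.co.za@UNIVERSE.CO.ZA
Etype (skey, tkt): DES-CBC-CRC, DES-CBC-CRC
"""

def normalize(name):
    key = name.strip().lower()
    return ALIASES.get(key, key)

def parse_tickets(text):
    """Return [(service principal, skey etype, tkt etype)] in listing order."""
    tickets, current = [], None
    for line in text.splitlines():
        etype = ETYPE.search(line)
        if etype and current:
            tickets.append((current, normalize(etype.group(1)), normalize(etype.group(2))))
            current = None
        elif (princ := PRINCIPAL.search(line)):
            current = princ.group(1)
    return tickets

def audit(text):
    """Flag tickets whose etypes differ from the TGT's, and any single-DES use."""
    tickets = parse_tickets(text)
    tgt = next((t for t in tickets if t[0].startswith("krbtgt/")), None)
    findings = []
    for princ, skey, tkt in tickets:
        if tgt and princ != tgt[0] and (skey, tkt) != tgt[1:]:
            findings.append((princ, "etype differs from TGT"))
        if SINGLE_DES & {skey, tkt}:
            findings.append((princ, "single-DES"))
    return findings
```

Calling `audit(SAMPLE)` reports the host principal's DES-CBC-CRC ticket as differing from the DES-CBC-MD5 TGT, which is the symptom described in the question.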
02-05-2004 03:11 AM
Re: Kerberos 11i , LDAP client, W2K AD , trusted system, kerberized telnet
Hi Kurt,
Thanks for the reply, I am almost certain the patches will solve my problem, as you have described all my current symptoms.
I get the key size error in kerberos authentication as well.
Unfortunately (or fortunately for me) I will be on leave for the next couple of weeks so I will not be able to try this until I get back.
But I am positive it should work.
Thanks for your response.
I will provide feedback to the forums on this thread to let anyone else know if it works.
I can't seem to find PHSS_26872 in the patch DB?
02-05-2004 03:58 AM
Re: Kerberos 11i , LDAP client, W2K AD , trusted system, kerberized telnet
PHSS_26872 is a patch that (apparently) is still not released to the general public. Attached is a document describing the fixes for the patch. If you find that you need the patch when you get around to testing, please contact HP so you are on their list of people to update when they finally do release the patch.
Do it right the first time and you will be ahead in the long run.