02-19-2007 07:29 AM
Kerberos Login Issues
Here is a copy of /etc/krb5.conf
[logging]
default = FILE:/var/adm/krb5lib.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = AD.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AD.COMPANY.COM = {
kdc = DC01.AD.COMPANY.COM
admin_server = DC01.AD.COMPANY.COM
}
[domain_realm]
ad.company.com = AD.COMPANY.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
This is pam.conf, just the authentication section:
login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
Here is what's in syslog:
Feb 19 13:42:38 redoak login: [Cannot find KDC for requested realm] Unable to verify Kerberos V5 TGT: [redoak.company.com]
Feb 19 13:42:38 redoak login: Kerberos V5 TGT bad: Cannot find KDC for requested realm
Feb 19 13:42:38 redoak login: while verifying tgt[Unknown code ____ 255]
Feb 19 13:42:38 redoak login: [Authentication failed] Password not valid
Any help would be appreciated.
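A note on what the syslog lines above are reporting, with an added example that is not code from the thread. pam_krb5 does not accept a password just because the KDC returned a TGT; it verifies that TGT against the host's own keytab entry (host/<fqdn>@REALM) so that a spoofed KDC cannot log a user in. To do that it first maps the local FQDN to a realm through [domain_realm] and then looks for that realm's KDC in [realms]. In the posted krb5.conf both dns_lookup_realm and dns_lookup_kdc are false, so those two sections are the only sources, and the host being verified is redoak.company.com, which the single entry ad.company.com does not cover. That reads as the likely reason "Cannot find KDC for requested realm" appears during TGT verification, though the poster's environment is not shown, so treat it as an inference. The script below models that lookup path (exact hostname entry, then parent-domain entries with a leading dot, then the upper-cased parent domain that libkrb5 of that era guessed when nothing matched); the ".company.com" mapping it tries as a fix is an assumption, and it does not emulate DNS-based lookup.

```python
"""Model libkrb5's realm and KDC lookup for a host principal.

Added example, not from the thread. Uses the krb5.conf from the post above,
trimmed to the sections the lookup reads, embedded so it runs offline.
"""

# krb5.conf from the original post (embedded copy; [logging]/[appdefaults] omitted).
ORIGINAL_CONF = """\
[libdefaults]
    default_realm = AD.COMPANY.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    AD.COMPANY.COM = {
        kdc = DC01.AD.COMPANY.COM
        admin_server = DC01.AD.COMPANY.COM
    }
[domain_realm]
    ad.company.com = AD.COMPANY.COM
"""

# Candidate fix (assumption: the client host redoak.company.com should belong to
# AD.COMPANY.COM, so its parent domain needs a domain_realm entry).
FIXED_CONF = ORIGINAL_CONF + "    .company.com = AD.COMPANY.COM\n"


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {nested dict}}}.
    Handles the 'NAME = { ... }' blocks used in [realms] and [appdefaults]."""
    conf = {}
    stack = []                                   # innermost dict last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}" and stack:
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, host):
    """[domain_realm] rule: an exact hostname entry wins, then the longest
    parent domain written with a leading dot. With no match and no DNS
    lookup, the library falls back to the parent domain in upper case."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels) in mapping:
        return mapping[".".join(labels)], "hostname entry"
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "domain entry " + parent
    return ".".join(labels[1:]).upper(), "guessed from parent domain"


def kdcs_for_realm(conf, realm):
    """With dns_lookup_kdc = false, [realms] is the only source of KDCs."""
    entry = conf.get("realms", {}).get(realm, {})
    return list(entry.get("kdc", [])) if isinstance(entry, dict) else []


def tgt_verification_path(conf, host):
    """What pam_krb5's TGT verification needs for this host's principal."""
    realm, how = realm_for_host(conf, host)
    kdcs = kdcs_for_realm(conf, realm)
    return {
        "principal": f"host/{host}@{realm}",
        "realm_source": how,
        "kdcs": kdcs,
        "ok": bool(kdcs),   # False is the "Cannot find KDC for requested realm" case
    }


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONF), ("with .company.com", FIXED_CONF)):
        print(label, tgt_verification_path(parse_krb5_conf(text), "redoak.company.com"))
```

Run against the original configuration the host resolves to host/redoak.company.com@COMPANY.COM with no KDC; hosts inside ad.company.com (for example dc01.ad.company.com) still resolve, because the guessed realm happens to be the one with a [realms] entry, which is why the same krb5.conf can look fine from a domain member and fail from this client.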
02-20-2007 12:57 AM
Re: Kerberos Login Issues
I'm running the 1.3.5.03 client on HP-UX 11.11, however I doubt there will be much difference.
Let's start with the krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.CA
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
checksum_type = 1
[realms]
MYDOMAIN.CA = {
kdc = 192.168.123.8:88
kdc = 192.168.123.44:88
admin_server = 192.168.123.8:749
kpasswd_server = 192.168.123.8:464
}
[domain_realm]
.mydomain.ca = MYDOMAIN.CA
[logging]
kdc = FILE:/var/adm/syslog/krb5kdc.log
admin_server = FILE:/var/adm/syslog/kadmin.log
default = FILE:/var/adm/syslog/krb5lib.log
[appdefaults]
telnet = {
forward = true
forwardable = false
autologin = true
fallback = true
}
rlogin = {
forward = true
forwardable = false
fallback = true
}
remsh = {
forward = true
forwardable = false
fallback = true
}
kinit = {
forward = false
forwardable = true
proxiable = true
tkt_lifetime = 10h
renew_lifetime = 5d
}
ftp = {
fallback = true
}
You need to set encryption types when connecting to an AD. It's only capable of DES-CBC-CRC.
I used static IPs for the KDC, admin server and passwd server because of the timeouts in the Kerberos protocol. In a failover situation, you will find it pauses for 10 seconds for every failed request. Logins will take minutes. Using static IPs reduces the dependency on DNS.
In the domain_realm, you need it to be your actual domain name with a preceding . to equal your Kerberos realm.
I also included app defaults. You can change them if you like, but these are allowing for the fallback and forwarding features.
On to the pam.conf:
# Authentication management
#
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth required /usr/lib/security/libpam_updbe.1
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth required /usr/lib/security/libpam_updbe.1
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth required /usr/lib/security/libpam_updbe.1
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth required /usr/lib/security/libpam_updbe.1
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
rcomds auth required /usr/lib/security/libpam_updbe.1
rcomds auth sufficient /usr/lib/security/libpam_krb5.1
rcomds auth required /usr/lib/security/libpam_unix.1 try_first_pass
sshd auth required /usr/lib/security/libpam_updbe.1
sshd auth sufficient /usr/lib/security/libpam_krb5.1
sshd auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
I've included updbe.1. What this does is skip Kerberos authentication for users listed in the pam_user.conf file, like this:
root auth /usr/lib/security/libpam_krb5.1 ignore
Lastly, I'm going to point you to a document...
Kerberos Doc reference:
A Basic Step-by-Step Summary of Kerberos v.51 Setup on HPUX DocId: PAMKKBAN00000983 Updated: 20050127
A copy is also in this thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163
This document is one of the best resources I've ever used wrt Kerberos. It's very direct and to the point.
Good luck.
Don
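The stacking Don shows (required libpam_updbe, sufficient libpam_krb5, required libpam_unix with try_first_pass) is easier to reason about when the control-flag dispatch is spelled out. Below is an added example, not code from the thread or from HP-UX: a small Python model of PAM "auth" dispatch over the login and OTHER lines of that pam.conf and the pam_user.conf line. The KDC and the local password file are replaced by constructed in-memory dictionaries, and each module is reduced to the decision that matters for stacking (PAM_SUCCESS, PAM_AUTH_ERR or PAM_IGNORE). The assumed behaviour of libpam_updbe (publishing per-user options from pam_user.conf) and of libpam_krb5 (returning PAM_IGNORE when its option for the user is "ignore") is a simplification of the real modules. It shows that a Kerberos success ends the stack, that a Kerberos failure falls through silently to the local password (so a user whose local password differs from the AD one still logs in with it), and that the pam_user.conf line takes root out of Kerberos entirely.

```python
"""Model of PAM 'auth' stack dispatch for the pam.conf and pam_user.conf above.

Added example, not from the thread or from HP-UX; module behaviour is
simplified and the credential stores are constructed for the demo.
"""
from collections import defaultdict

# Subset of Don's pam.conf (login service plus the OTHER fallback).
PAM_CONF = """
# service type control    module                               [options]
login auth required   /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required   /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required   /usr/lib/security/libpam_unix.1
"""

# pam_user.conf line from the post: root never goes through libpam_krb5.
PAM_USER_CONF = """
root auth /usr/lib/security/libpam_krb5.1 ignore
"""

# Constructed credential stores (not real passwords).
KDC_PASSWORDS = {"alice": "kerb-secret"}
LOCAL_PASSWORDS = {"root": "local-root", "alice": "old-local", "bob": "local-bob"}

SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


def parse_pam_conf(text):
    """{(service, type): [(control, module_basename, [options])]}"""
    stack = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, mtype, control, module, *options = fields
        stack[(service, mtype)].append((control, module.rsplit("/", 1)[-1], options))
    return stack


def parse_pam_user_conf(text):
    """{(user, type, module_basename): [options]}"""
    opts = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        user, mtype, module, *options = fields
        opts[(user, mtype, module.rsplit("/", 1)[-1])].extend(options)
    return opts


class Session:
    """What the PAM handle carries: the user, the single password collected
    (try_first_pass reuses it instead of prompting again) and a trace."""
    def __init__(self, user, password, user_opts):
        self.user, self.password, self.user_opts = user, password, user_opts
        self.authenticated_by = None
        self.trace = []


def pam_updbe(sess, options):
    return SUCCESS                      # only job: expose user_opts to later modules


def pam_krb5(sess, options):
    if "ignore" in sess.user_opts.get((sess.user, "auth", "libpam_krb5.1"), []):
        return IGNORE                   # excluded from Kerberos by pam_user.conf
    if KDC_PASSWORDS.get(sess.user) == sess.password:
        sess.authenticated_by = "krb5"  # the real module also verifies the TGT here
        return SUCCESS
    return AUTH_ERR


def pam_unix(sess, options):
    if LOCAL_PASSWORDS.get(sess.user) == sess.password:
        sess.authenticated_by = "unix"
        return SUCCESS
    return AUTH_ERR


MODULES = {"libpam_updbe.1": pam_updbe, "libpam_krb5.1": pam_krb5, "libpam_unix.1": pam_unix}


def authenticate(stack, user_opts, service, user, password):
    """Classic control-flag dispatch: a required failure is remembered but the
    stack keeps running; a sufficient success ends the stack unless a required
    module already failed; PAM_IGNORE results are not counted at all."""
    chain = stack.get((service, "auth")) or stack.get(("OTHER", "auth"), [])
    sess = Session(user, password, user_opts)
    first_failure, counted = None, False
    for control, module, options in chain:
        result = MODULES[module](sess, options)
        sess.trace.append((control, module, result))
        if result == IGNORE:
            continue
        counted = True
        if control == "sufficient" and result == SUCCESS and first_failure is None:
            return SUCCESS, sess
        if control == "requisite" and result != SUCCESS:
            return result, sess
        if control == "required" and result != SUCCESS and first_failure is None:
            first_failure = result
        # 'optional', and a failed 'sufficient', do not affect the outcome
    if not counted:
        return AUTH_ERR, sess           # no module voted: deny
    return (first_failure or SUCCESS), sess


if __name__ == "__main__":
    stack, user_opts = parse_pam_conf(PAM_CONF), parse_pam_user_conf(PAM_USER_CONF)
    for user, pw in (("alice", "kerb-secret"), ("alice", "old-local"),
                     ("root", "local-root"), ("bob", "wrong")):
        status, sess = authenticate(stack, user_opts, "login", user, pw)
        print(f"{user:6s} {status:13s} by={sess.authenticated_by} trace={sess.trace}")
```

The second alice case is the one to keep in mind when reviewing such a stack: because libpam_krb5 is only "sufficient", a password the KDC rejects is not a failure, and try_first_pass hands the same password to libpam_unix, so local accounts that still carry a pre-Kerberos password remain a valid login path until they are locked or the local entry is removed.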
06-18-2014 09:06 AM
Re: Kerberos Login Issues
"Lastly, I'm going to point you to a document...
Kerberos Doc reference:
A Basic Step-by-Step Summary of Kerberos v.51 Setup on HPUX DocId: PAMKKBAN00000983 Updated: 20050127
A copy is also in this thread:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163
This document is one of the best resources I've ever used wrt Kerberos. It's very direct and to the point."
Do you know where I can find this doc?
06-19-2014 12:07 AM
Re: Kerberos Login Issues
>Do you know where I can find this doc?
Well searching HP-UX > HP-UX Technical Documentation finds:
http://h30499.www3.hp.com/t5/HP-UX-Technical-Documentation/Request-for-Feedback-on-Kerberos-Server-v3-1/m-p/3284618
But all the docs at docs.hp.com have been moved.
mr google finds: Kerberos Server Version 3.1 Administrator's Guide HP-UX 11i v2 Edition 5