
MIT Kerberos and hpux 11i

 


Hi,

I'm trying to get my HP server to authenticate to my Kerberos Server (another 11i machine running MIT 1.3.6 kerberos), but I'm having problems.

The Kerberos server is set up and can issue tickets via kinit, but when I try to use pam_krb5 I always get the same error messages. I've tried removing all but the basic encryption type (single DES), to no avail. Also, the keytab file seems fine, as ktutil can read it in.

Any ideas where I might be going wrong?

Jan 10 08:46:04 tarkin login: username [hawesjd] obtained
Jan 10 08:46:06 tarkin login: Clearing the krbflag in pamh
Jan 10 08:46:06 tarkin login: [Bad encryption type] Unable to verify host ticket
Jan 10 08:46:06 tarkin login: [Bad encryption type] can't verify v5 ticket: ; keytab found, assuming failure
Jan 10 08:46:06 tarkin login: while verifying tgt[Unknown code ____ 255]
Steven E. Protter
Exalted Contributor

Re: MIT Kerberos and hpux 11i

Could the MIT Kerberos box be expecting a v4 ticket?

Maybe take a look at the configuration on that box.

Also the problem might be showing up in syslog.log on the server box. That might be helpful.

swverify \* on the client would be useful, checking for corrupt software.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: MIT Kerberos and hpux 11i

The MIT Kerberos server is a version 5 server which I built not so long ago. It isn't configured to use version 4.

The system logs on the server don't show any problems - it quite happily issues tickets:

Jan 10 14:35:29 hippo krb5kdc[3728](info): AS_REQ (1 etypes {1}) 10.0.0.1: ISSUE: authtime 1105367729, etypes {rep=1 tkt=1 ses=1}, hawesjd@EXAMPLECOM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 10 14:35:29 hippo krb5kdc[3728](info): TGS_REQ (1 etypes {1}) 10.0.0.1: ISSUE: authtime 1105367729, etypes {rep=1 tkt=1 ses=1}, hawesjd@EXAMPLE.COM for host/tarkin@EXMAPLE.COM

I can log in as normal (say as root) and issue a "kinit hawesjd" and get issued a ticket, but pam_krb5 doesn't seem to want to play.


Steven E. Protter
Exalted Contributor

Re: MIT Kerberos and hpux 11i

I now officially declare this a fishing expedition. On my part.

Things to check:

/etc/services

make sure the "reservations" are correct.

Any intervening firewalls.

Networking configuration: Is the /etc/rc.config.d/netconf file compatible with the server? Do ping, ssh and other services work without error? One little networking problem can cause a world of hurt.

The swverify showed no problems?

Try using the client to authenticate on a different Kerberos box, say a Windows one, if available.

I'm now relatively convinced that this is a client configuration error.

SEP

Re: MIT Kerberos and hpux 11i

Bizarre - I've tried a few things and have managed to get it to work now, but unfortunately as I've been charging through all the possible combinations I'm not actually sure what I've changed!!

I believe that it was either a keytab problem or an /etc/passwd problem. The one change I did make was to specify -randkey when creating the service principals rather than type in a password.

Thanks for your help
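
The thread never pins down the cause. As an added example (not code from any poster), this sketch checks one way a "keytab problem" can stop pam_krb5 from verifying the host ticket: the KDC issues the service ticket under a principal name or enctype (`tkt=`) for which the client keytab holds no key. The log lines and the keytab mapping are constructed; the mapping's shape is an assumption, filled in by hand from `klist -k -e` on the client.

```python
import re

# Subset of Kerberos enctype numbers with their MIT krb5 names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "arcfour-hmac"}

# krb5kdc "ISSUE" line, in the format quoted earlier in this thread.
ISSUE_RE = re.compile(r"(AS_REQ|TGS_REQ) .*?ISSUE: .*?"
                      r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}, (\S+) for (\S+)")

def issued_tickets(log_text):
    """Yield (request, client, service, ticket_etype) per ticket the KDC issued."""
    for m in ISSUE_RE.finditer(log_text):
        yield m.group(1), m.group(5), m.group(6), int(m.group(3))

def unverifiable_tickets(log_text, keytab):
    """List (service, reason) for service tickets the host keytab cannot decrypt.

    keytab maps principal -> set of enctype numbers, copied by hand from
    `klist -k -e` on the client (hypothetical input shape for this example).
    """
    findings = []
    for request, _client, service, etype in issued_tickets(log_text):
        if request != "TGS_REQ":
            continue  # AS_REQ issues the TGT, which the host keytab never decrypts
        if service not in keytab:
            findings.append((service, "principal not in keytab"))
        elif etype not in keytab[service]:
            name = ETYPES.get(etype, "etype %d" % etype)
            findings.append((service, "ticket is %s, keytab has no such key" % name))
    return findings

# Constructed sample data (not taken from the poster's systems).
SAMPLE_LOG = """\
Jan 10 14:35:29 kdc1 krb5kdc[3728](info): AS_REQ (1 etypes {1}) 10.0.0.1: ISSUE: authtime 1105367729, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 10 14:35:29 kdc1 krb5kdc[3728](info): TGS_REQ (1 etypes {1}) 10.0.0.1: ISSUE: authtime 1105367729, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.COM for host/web1@EXAMPLE.COM
Jan 10 14:36:02 kdc1 krb5kdc[3728](info): TGS_REQ (2 etypes {16 1}) 10.0.0.2: ISSUE: authtime 1105367760, etypes {rep=1 tkt=16 ses=1}, alice@EXAMPLE.COM for host/db1@EXAMPLE.COM
Jan 10 14:36:40 kdc1 krb5kdc[3728](info): TGS_REQ (1 etypes {1}) 10.0.0.3: ISSUE: authtime 1105367800, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.COM for host/app1.example.com@EXAMPLE.COM
"""
SAMPLE_KEYTAB = {"host/web1@EXAMPLE.COM": {1}, "host/db1@EXAMPLE.COM": {1},
                 "host/app1@EXAMPLE.COM": {1}}

if __name__ == "__main__":
    for service, reason in unverifiable_tickets(SAMPLE_LOG, SAMPLE_KEYTAB):
        print(service, "->", reason)
```

A key version (kvno) mismatch after re-keying a principal does not show up in the KDC log, so it still has to be checked separately against the keytab.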