11-02-2016 01:06 AM
PAM-Kerberos setup: cannot find KDC for requested realm while getting initial credentials
We are trying to set up AD authentication to W2008 and W2012 DC/KDCs with the following software:
- PAM-Kerberos D.01.26 PAM-Kerberos Version 1.26
- krb5client E.1.6.2.10 Kerberos V5 Client Version 1.6.2.10
- HPUX11i-VSE-OE B.11.31.1303 HP-UX Virtual Server Operating Environment
And following specs:
- HP-UX Client name: B04-VSP6
- DC/KDCs: mut0138wi.mgt.adms/nrbnrw0251.mgt.adms/mut0137wi.mgt.adms/nrbnrw0252.mgt.adms
- KRB REALM: MGT.ADMS
- DNS domain: nrb.be
- user logon: a0p99999
We have configured:
- the UPN in AD & created keytab file
- ldapux (w/ proxy user). ldapcinfo checks pass and ldapsearch with personal credentials works too (bind==OK)
- /etc/krb5.conf & /etc/krb5.keytab
- /etc/pam.conf & /etc/nsswitch.conf for LDAP auth
- /etc/opt/ssh/sshd_config for KRB auth
However, when requesting a Kerberos ticket we get:
- kinit -v -kt /etc/krb5.keytab : kinit(v5): Cannot find KDC for requested realm while getting initial credentials
- kinit -v -kt /etc/krb5.keytab host/B04-VSP6@MGT.ADMS : works
- kinit -v -kt /etc/krb5.keytab a0p99999 : works
pamkrbval shows:
root@B04-VSP6:/tmp # pamkrbval -v -a ia64
Validating the pam configuration files
---------- --- --- ------------- -----
Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf
[PASS] : The validation of config file: /etc/pam.conf passed
[NOTICE] : The validation of config file: /etc/pam_user.conf is not done as libpam_updbe library is not configured
Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed
Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : MGT.ADMS
[LOG] : KDC hosts for realm MGT.ADMS :nrbnrw0251.MGT.ADMS
[LOG] : Trying to contact KDC for realm MGT.ADMS...
[LOG] : Realm MGT.ADMS is answering ticket requests
[PASS] : Default Realm is issuing tickets
Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host B04-VSP6, aka B04-VSP6.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
[LOG] : Key table entry not found while getting the keytab entry from /etc/krb5.keytab
[LOG] : Checking whether host service principal is present on the KDC
[LOG] : Pinging KDC to verify whether host/b04-vsp6@ exists
[WARNING] : host/b04-vsp6@ found on KDC but not found in keytab file
[WARNING] : The keytab validation had warnings
Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
When attempting an SSH/Telnet logon, PAM debug shows:
Oct 28 09:59:24 B04-VSP6 sshd[17351]: pam_authenticate: error Authentication failed
Oct 28 09:59:24 B04-VSP6 sshd[17351]: PAM_LDAP auth-bind got HP_LDAP_NOTFOUND
Network traces taken during the different kinit/pamkrbval runs show that:
- pamkrbval: hostname (FQHN) is not passed to the KDC in the packets
- kinit -v -kt /etc/krb5.keytab host/B04-VSP6@MGT.ADMS : hostname (FQHN) is correctly passed to the KDC in the packets
The /etc/krb5.conf looks like:
[libdefaults]
 default_realm = MGT.ADMS
 default_tgs_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
 default_tkt_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ccache_type = 2
 rdns = false
[realms]
 MGT.ADMS = {
  kdc = nrbnrw0251.MGT.ADMS:88
  kdc = nrbnrw0252.MGT.ADMS:88
  kdc = mut0137wi.MGT.ADMS:88
  kdc = mut0138wi.MGT.ADMS:88
  kpasswd_server = nrbnrw0251.MGT.ADMS:464
  admin_server = nrbnrw0251.MGT.ADMS:749
 }
[domain_realm]
 .nrb.be = MGT.ADMS
[logging]
 kdc = FILE:/var/adm/krb5kdc.log
 admin_server = FILE:/var/adm/kadmin.log
 default = FILE:/var/adm/krb5lib.log
The /etc/krb5.keytab:
# klist -tk /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  15 01/01/70 01:00:00 host/B04-VSP6@MGT.ADMS
Any help is much appreciated because we have been running around in circles for days.
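As an added example (not from the post, and not HP's PAM-Kerberos or krb5client code), the Python below models the three client-side lookups that kinit and pamkrbval depend on with a krb5.conf like the one above: the [domain_realm] hostname-to-realm rule, the default host/ service principal derived from it, and the KDC list that must come from [realms] once dns_lookup_kdc = false. The embedded krb5.conf fragment is constructed from the post's settings, and the parser and function names are hypothetical.

```python
# Constructed krb5.conf fragment mirroring the post's settings (not the full file).
KRB5_CONF = """
[libdefaults]
 default_realm = MGT.ADMS
 dns_lookup_kdc = false
[realms]
 MGT.ADMS = {
  kdc = nrbnrw0251.MGT.ADMS:88
  kdc = nrbnrw0252.MGT.ADMS:88
 }
[domain_realm]
 .nrb.be = MGT.ADMS
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}} with one level of {} nesting."""
    sections, section, parent = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, parent = sections.setdefault(line[1:-1], {}), None
        elif line == '}':
            section, parent = parent, None
        elif section is not None:
            key, _, value = line.partition('=')
            key, value = key.strip(), value.strip()
            if value == '{':                      # e.g. "MGT.ADMS = {" under [realms]
                parent, section = section, section.setdefault(key, {})
            else:
                section.setdefault(key, []).append(value)
    return sections

def host_realm(hostname, conf):
    """[domain_realm] rule: exact (lower-cased) host, then each parent domain with a leading dot."""
    mapping, labels = conf.get('domain_realm', {}), hostname.lower().split('.')
    for i in range(len(labels)):          # i == 0 is the exact host, no leading dot
        candidate = ('.' if i else '') + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate][0]
    return None                           # a bare short hostname never reaches a '.domain' entry

def host_principal(hostname, conf):
    """Default host service principal the client asks for (hostname lower-cased, realm may be empty)."""
    return 'host/%s@%s' % (hostname.lower(), host_realm(hostname, conf) or '')

def kdcs_for_realm(realm, conf):
    """With dns_lookup_kdc = false, the [realms] kdc entries are the only source of KDC addresses."""
    return conf.get('realms', {}).get(realm, {}).get('kdc', [])
```

Principal names are compared exactly, so host/b04-vsp6@MGT.ADMS and host/B04-VSP6@MGT.ADMS are different keytab entries.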