Re: Problem with Kerbereox/ldapux/sshd vs. Active Directory

Danny Petterson - DK · ‎02-08-2010

Hi Gurus!

We authenticate unix-users against AD, using Kerberos/PAM/ldapux/sshd - and it usualy works fine.

But right now we have a strange problem with one machine, giving us these errors in syslog when we try to login:

Feb 8 14:42:08 SERVER sshd[8114]: [Key table entry not found] Unable to verify host ticket
Feb 8 14:42:08 SERVER sshd[8114]: [Key table entry not found] can't verify v5 ticket: ; keytab found, assuming failure
Feb 8 14:42:08 SERVER sshd[8114]: while verifying tgt[Unknown code ____ 255]
Feb 8 14:42:08 SERVER sshd[8114]: [Authentication failed] Password not valid
Feb 8 14:42:10 SERVER sshd[8114]: error: PAM: No account present for user for myuser.in.AD

Kerberos from the prompt (using kdestroy, kinit, klist) works fine, pamkrbval works, pwget for users in the ldap-directory works, etc....I have NO idea what the problem is, as it usually works.

Thanks in advance
Danny

Danny Petterson - DK · ‎02-09-2010

Hm - maybe I was to hasty, so the post above lacks a lot of information:

This is the software installed on the host:

kinit -kt /etc/krb5.keytab host/backup9F@VELUX.ORG

...works fine, indicating that the keytab-file is ok.

Software installed:
LDAPUX B.04.20 LDAP-UX Integration
PAMKerberos D.01.26 PAM-Kerberos Version 1.26
ixPAMmkdir A.10.00-1.0.002 Home Directory Creation
PHSS_40655 1.0 KRB5-Client Version 1.3.5.03 Cumulative patch
SecureShell A.05.10.026 HP-UX Secure Shell

sshd_config is configured for using PAM and kerberos.

Sorry for the missing information - hope somebody have an idea about what to look for.

Thanks in advance
Danny

RC Park · ‎02-09-2010

Until someone comes along that knows more, I'll take a stab :)

1. Did I understand correctly that you have several systems running the same configuration, but only one giving you trouble? If so please review what changes happened to the server within the last 7 days prior to the problem starting.

2. Whether or not you can identify any changes, you need to begin the debugging process, which anyone with any long-term support experience will tell you is the same regardless of platform. It's a process of elimination. Start with verifying the various stages of the process. Keep ruling out things that are associated with functioning portions of this until you're left looking at that which doesn't funciton. Break down larger processes into their component steps and make sure you understand every one and that it's all working, for somewhere along the line, you'll find your problem.
3. Comparison - not knowing 'ldapux', I can't be specific, but review any configs, files, directories associated with this product and compare them to working versions on the servers without issues.

I could go on, but this is a start...

-RCP

Sameer_Nirmal · ‎02-09-2010

Not sure what do you mean by saying "it usually works".

Maybe the access to the system is in the form of FQHN?

I would check if kvno values and encryption types matches besides host credentials.

Danny Petterson - DK · ‎02-11-2010

Hi Guys!

I finally got it to work - it was ALL me apparently, sorry guys :-( - it looks like a letter in the principal-name was uppercase in the keytab, but for some reason not on the KDC. This make the unknown error 255 apparently. Anyway, another thing that puzzles me, is that while testing, I tried to remove the keytab-file entirely - which make login using AD-accounts work. I didn't know that was possible? It just told me, as the keytab file was missing, it was assuming success.

But bottomline - thanks for the help guys, you rule.

Yours
Danny

Chandrahasa s · ‎03-14-2010

Hi Danny,

We looking for same solution what u have now to authoricate unix system in ad
Can you provide detail procedure to do this

Chandra

Danny Petterson - DK · ‎03-15-2010

Hi!

Well - thank god HP has made a excellent document since I implemented the solution, describing in detail what you should do:

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Good luck :-)

Greetings
Danny

Danny Petterson - DK · ‎03-15-2010

Closed

Chandrahasa s · ‎03-28-2010

Hi,
Can you pls conform hpux ldap is free or need to purchase??

Chandra

Danny Petterson - DK · ‎03-28-2010

Its for free:

https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA

Chandrahasa s · ‎04-01-2010

Hi,

Its one more question to you--we want use ads only for storing user and group attributes and to centralised athorizing users for unix servers.For this is it necessary to configure cifs and kerbrose auth for this??.

Chandra....

Danny Petterson - DK · ‎04-02-2010

Kerberos yes, CIFS no

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Problem with Kerbereox/ldapux/sshd vs. Active Directory

Problem with Kerbereox/ldapux/sshd vs. Active Directory