Problem in get ticket from Kerberos

Hello

I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type
this command /usr/local/kerberos/bin/kinit admin@LABCOM.UNASP
it shows this message

kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP
while getting initial credentials

I don't understand why I get this message!!! My DNS is working; I can resolve
the domain (LABCOM.UNASP)

 nslookup  labcom.unasp
Server:         192.168.4.66
Address:        192.168.4.66#53

Name:   labcom.unasp
Address: 192.168.4.2


My DNS server is on Windows 2003 Server. This kinit command was tested from
the Linux server with CentOS 5.2 using MIT Kerberos version 1.6. Below I
paste krb5.conf

[libdefaults]
    # determines your default realm name
    default_realm = LABCOM.UNASP
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    LABCOM.UNASP = {
        # specifies where the servers are and on
        # which ports they listen (88 and 749 are
        # the standard ports)
        kdc = kdc.AmbLivre:88
        admin_server = kdc.AmbLivre:749
        default_domain = labcom.unasp
  }

[domain_realm]
    # maps your DNS domain name to your Kerberos
    # realm name
    .labcom.unasp  = LABCOM.UNASP
    labcom. = LABCOM.UNASP
[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
[logging]
    # determines where each service should write its
    # logging info
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON
    default = SYSLOG:INFO:DAEMON


and kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 750,88

[realms]
 LABCOM.UNASP = {
  database_name = /var/kerberos/krb5kdc/principal
  key_stash_file = /var/kerberos/krb5kdc/.k5.LABCOM.UNASP
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  kdc_ports = 750,88
  max_file = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
}

I have tried, but I can't resolve this problem. Can somebody help me get a
ticket from Kerberos!!!

Thanks

--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx
aspenbr (1)
8/11/2009 9:32:28 AM
comp.protocols.kerberos

Hi Bruno,

Looks like Kerberos can't figure out which server(s) to contact. You can 
resolve the domain, but according to krb5.conf you use kdc.AmbLivre as 
your KDC.

You have to make sure Kerberos can find the IP address of kdc.AmbLivre, 
either by specifying it in /etc/hosts (which means it's still available 
should DNS fail) or make sure it can be found through DNS.

See 
http://www.gnu.org/software/shishi/manual/html_node/Configuring-DNS-for-KDC.html
for some more info on what you could (should?) put into DNS.

Kind regards,

Hans


Bruno Steven wrote:
> Hello
> 
> I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type
> this command /usr/local/kerberos/bin/kinit admin@LABCOM.UNASP
> it shows this message
> 
> kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP
> while getting initial credentials
> 
> I don't understand why I get this message!!! My DNS is working; I can resolve
> the domain (LABCOM.UNASP)
> 
>  nslookup  labcom.unasp
> Server:         192.168.4.66
> Address:        192.168.4.66#53
> 
> Name:   labcom.unasp
> Address: 192.168.4.2
> 
> 
> My DNS server is on Windows 2003 Server. This kinit command was tested from
> the Linux server with CentOS 5.2 using MIT Kerberos version 1.6. Below I
> paste krb5.conf
> 
> [libdefaults]
>     # determines your default realm name
>     default_realm = LABCOM.UNASP
>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>     permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
> 
> [realms]
>     LABCOM.UNASP = {
>         # specifies where the servers are and on
>         # which ports they listen (88 and 749 are
>         # the standard ports)
>         kdc = kdc.AmbLivre:88
>         admin_server = kdc.AmbLivre:749
>         default_domain = labcom.unasp
>   }
> 
> [domain_realm]
>     # maps your DNS domain name to your Kerberos
>     # realm name
>     .labcom.unasp  = LABCOM.UNASP
>     labcom. = LABCOM.UNASP
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
> [logging]
>     # determines where each service should write its
>     # logging info
>     kdc = SYSLOG:INFO:DAEMON
>     admin_server = SYSLOG:INFO:DAEMON
>     default = SYSLOG:INFO:DAEMON
> 
> 
> and kdc.conf
> 
> [kdcdefaults]
>  v4_mode = nopreauth
>  kdc_tcp_ports = 750,88
> 
> [realms]
>  LABCOM.UNASP = {
>   database_name = /var/kerberos/krb5kdc/principal
>   key_stash_file = /var/kerberos/krb5kdc/.k5.LABCOM.UNASP
>   master_key_type = des3-hmac-sha1
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:a
> fs3
>   kdc_ports = 750,88
>   max_file = 10h 0m 0s
>   max_renewable_life = 7d 0h 0m 0s
> }
> 
> I have tried, but I can't resolve this problem. Can somebody help me get a
> ticket from Kerberos!!!
> 
> Thanks
> 
hans40 (16)
8/11/2009 9:50:33 AM
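
The check described in the reply above, as an added example that is not part of the original thread: it reads the kdc and admin_server hosts out of the [realms] section of krb5.conf and tests whether each one resolves, which is a different question from whether the realm's domain name resolves. The function names, the embedded sample (constructed from the posted krb5.conf) and the list of SRV names are assumptions of this example.

```python
import socket

# Constructed sample: the relevant parts of the krb5.conf from the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LABCOM.UNASP

[realms]
    LABCOM.UNASP = {
        # 88 and 749 are the standard ports
        kdc = kdc.AmbLivre:88
        admin_server = kdc.AmbLivre:749
        default_domain = labcom.unasp
  }

[domain_realm]
    .labcom.unasp  = LABCOM.UNASP
"""

# Relations that name a server, with the port used when none is given.
DEFAULT_PORTS = {"kdc": 88, "master_kdc": 88, "admin_server": 749}


def split_host_port(value, default_port):
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port)."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
    elif value.count(":") == 1:
        host, port = value.split(":")
    else:                      # bare host name or bare IPv6 literal
        host, port = value, ""
    return host, int(port) if port.isdigit() else default_port


def parse_realm_servers(text):
    """Return {realm: [(relation, host, port), ...]} from the [realms] section."""
    servers, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
            continue
        if section != "realms":
            continue
        if line.startswith("}"):
            realm = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value.startswith("{"):
            realm = key
            servers.setdefault(realm, [])
        elif realm and key in DEFAULT_PORTS:
            host, port = split_host_port(value, DEFAULT_PORTS[key])
            servers[realm].append((key, host, port))
    return servers


def system_resolver(host):
    """Resolve like the C library does (/etc/hosts, then DNS, per nsswitch)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_realm(text, realm, resolver=system_resolver):
    """Report, per configured server, whether its host name resolves."""
    findings = []
    for relation, host, port in parse_realm_servers(text).get(realm, []):
        addresses = resolver(host)
        findings.append({"relation": relation, "host": host, "port": port,
                         "addresses": addresses, "ok": bool(addresses)})
    return findings


def srv_names(realm):
    """DNS SRV names under which a realm's KDC and admin server are published."""
    return ["_kerberos._udp." + realm, "_kerberos._tcp." + realm,
            "_kerberos-adm._tcp." + realm]


if __name__ == "__main__":
    for f in check_realm(SAMPLE_KRB5_CONF, "LABCOM.UNASP"):
        status = ", ".join(f["addresses"]) if f["ok"] else "DOES NOT RESOLVE"
        print("%-12s %s:%d -> %s" % (f["relation"], f["host"], f["port"], status))
    print("SRV names to check in DNS:", " ".join(srv_names("LABCOM.UNASP")))
```

To check the live file, pass the contents of /etc/krb5.conf to check_realm in place of the sample.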