There are many difficulties, and yes, there is the documentation in the
FreeBSD Handbook, but it did not help me so much; I still have difficulties.

I installed MIT krb5 too, and I am using kadmin from MIT
to manage the krb5 server.


First problem:

kadmin:  ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to keytab

I can't understand this message. I touched /etc/krb5.keytab,
but via kadmin it is unable to export the krb5 key I added before
with

 addprinc -randkey host/host.domain

I also did chmod 777 on krb5.keytab; no luck.

In the end I exported it from the KDC and copied it by hand to
/etc/krb5.keytab on my client FreeBSD box, but I do not know
if it will work this way.

Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.

I tried everything:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
password        sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


and ssh won't authenticate via Kerberos:

Mar 7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
Mar 7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain


I must be missing something, I do not know what...

Actually, I do not think this scenario is commonly used among BSD users,
and I cannot find documentation to help myself; anyway, I need this scenario, which was implemented on Linux before.
I do not want to use Linux for this purpose anyway (bastion SSH
box for public login via krb5/LDAP).
In the end the scenario needs to be krb5 for authentication
and LDAP for authorization.

For now I am not able to authenticate via krb5.

Any hints?

Thanks,

Rick


On Tue, 6 Mar 2007, Tillman Hodgson wrote:

On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
For example, I would like to install the MIT krb5 implementation from ports
instead of using the default Heimdal, because the Kerberos server
on my network is an MIT server and I can't use kadmin on FreeBSD
to administer the Kerberos server remotely using the Heimdal implementation.
Does anyone have experience with the MIT krb5 implementation on FreeBSD?

The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

In section 14.8.6 it notes that the kadmin protocol differs between
Kerberos implementations -- you have to use the MIT kadmin to administer
a remote MIT KDC.

Other than the kadmin bits (which are fairly different between the two
but aren't used by end-users anyway), it's pretty much transparent to a
Kerberos-enabled workstation which implementation it's using. I
typically install both (to different paths to avoid file conflicts)
because I like using the newest Heimdal rather than the one in base and
also because the included client applications differ. For example, MIT
has Kerberos rsh whereas the base Heimdal doesn't for some of the
platforms that I use.

If you run into any specific issues when setting it up, please post back
to the list and cc me and I'll give you a hand.

-T


--
"I once bought a cellphone that had a little sticker on the box that said
'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
 office."
   - A.S.R. quote (Andreas "Buzh" Skau)
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
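Added example (not code from this thread or from MIT krb5): a small reader and writer for the MIT keytab file format, using only the Python 3 standard library. It shows two things the thread touches on. First, a zero-byte file created with `touch` has no 2-byte version header, which is precisely what kadmin's ktadd reports as "Unsupported key table format version number" (ktadd creates the file itself, so the empty placeholder should just be removed). Second, it lists the principal, enctype and kvno of each entry in a keytab copied over by hand, the same columns `klist -k -K` prints, so the copy can be checked against the KDC. The realm EXAMPLE.COM, the timestamp and the 16 key bytes in the sample are constructed here and are not a real key.

```python
"""MIT keytab reader/writer: added example, not code from the original thread.
Format: 2-byte version 0x0502, then entries, each prefixed by a signed 32-bit
size (negative = deleted slot). The sample keytab below uses dummy key bytes."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEYTAB_V2 = 0x0502  # big-endian on disk; legacy 0x0501 (host byte order) not handled

class KeytabError(ValueError):
    """Anything kadmin or klist would refuse to read."""

@dataclass
class KeytabEntry:
    principal: str  # e.g. host/host.domain@EXAMPLE.COM
    name_type: int  # 1 = KRB5_NT_PRINCIPAL
    timestamp: int  # epoch seconds when the key was added
    kvno: int       # must match 'getprinc' on the KDC or service tickets won't decrypt
    enctype: int    # e.g. 17 = aes128-cts-hmac-sha1-96
    key: bytes

def _pack_string(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def _unpack_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", buf, off)
    if off + 2 + length > len(buf):
        raise KeytabError("truncated counted_octet_string")
    return buf[off + 2:off + 2 + length], off + 2 + length

def _parse_entry(e: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, p = _unpack_string(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _unpack_string(e, p)
        comps.append(c.decode("utf-8"))
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, p)
    (enctype,) = struct.unpack_from(">H", e, p + 9)
    key, p = _unpack_string(e, p + 11)
    kvno = vno8
    if len(e) - p >= 4:  # optional 32-bit kvno; overrides vno8 when nonzero
        (kvno32,) = struct.unpack_from(">I", e, p)
        kvno = kvno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                       name_type, timestamp, kvno, enctype, key)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    # A zero-byte file (touch /etc/krb5.keytab) has no version header: that is the
    # "Unsupported key table format version number" case; ktadd creates the file itself.
    if len(data) < 2:
        raise KeytabError("no keytab header (empty file?): delete it and let ktadd create it")
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_V2:
        raise KeytabError("unsupported keytab format version 0x%04x" % version)
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # deleted slot (ktremove): skip abs(size) bytes
            off -= size
            continue
        if size == 0 or off + size > len(data):
            raise KeytabError("bad entry size %d" % size)
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as a 0x0502 keytab, the layout ktadd writes."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        parts = name.split("/")
        body = struct.pack(">H", len(parts)) + _pack_string(realm.encode())
        for c in parts:
            body += _pack_string(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _pack_string(e.key)
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def keytab_problem(data: bytes) -> Optional[str]:
    """None if the keytab parses cleanly, else why kadmin/klist would reject it."""
    try:
        parse_keytab(data)
        return None
    except (KeytabError, struct.error) as exc:
        return str(exc)

# Constructed sample: one host key for the bastion, 16 dummy key bytes, kvno 3.
SAMPLE_ENTRIES = [KeytabEntry("host/host.domain@EXAMPLE.COM", 1, 1173255600, 3, 17, bytes(range(16)))]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":  # usage: python3 keytab.py [/etc/krb5.keytab]
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print(keytab_problem(data) or [(e.kvno, e.enctype, e.principal) for e in parse_keytab(data)])
```

Run it against the hand-copied /etc/krb5.keytab: the kvno it prints for host/host.domain must equal the key version `kadmin -q 'getprinc host/host.domain'` shows on the KDC, otherwise the service cannot decrypt tickets even though the file parses fine. Remember that a keytab is a credential: it should be owned by root and mode 0600, never 777.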
