Hi,

I suspect your telnet and ftp client is trying to obtain a service ticket for a principal called host/[EMAIL PROTECTED] so try using:

# ftp afs-test.myrealm.com

Instead of:

# ftp localhost

Thanks, Tim.

-----Original Message-----
From: Mehta, Rohit [mailto:[EMAIL PROTECTED]
Sent: 27 October 2003 14:38
To: [EMAIL PROTECTED]
Subject: having difficulty setting up a linux client with Win2k KDC

Hi guys,

I am fairly new to kerberos and I would like to set up Linux clients to use a Win2k KDC. We have an active directory, and I have a Debian (Woody) system with the following packages installed:

afs-test:/home/ro# dpkg -l |grep krb5
ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
ii  krb5-ftpd      1.2.4-5woody4  Secure FTP server supporting MIT Kerberos
ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
ii  krb5-rsh-serve 1.2.4-5woody4  Secure replacements for rshd and rlogind us
ii  krb5-telnetd   1.2.4-5woody4  Secure telnet server supporting MIT Kerberos
ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries
ii  libpam-krb5    1.0-7          PAM module for MIT Kerberos
ii  openafs-krb5   1.3-8          The AFS distributed filesystem- Kerberos 5 I
ii  ssh-krb5       3.4p1-0woody4  Secure rlogin/rsh/rcp replacement (OpenSSH w

kinit and kpasswd actually work, but telnet and ftp do not. This is what my krb5.conf looks like:

[libdefaults]
default_realm = MYREALM.COM
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc

[realms]
MYREALM.COM = {
kdc = myactivedirectorycontroller.myrealm.com
admin_server = myactivedirectorycontroller.myrealm.com
}

[domain_realm]
myrealm.com = MYREALM.COM

I created a keytab for afstest.myrealm.com on the DC and installed it on this client in /etc/krb5.keytab.
It looks something like this:

afs-test:/home/ro# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[EMAIL PROTECTED]

So hopefully I did all of that stuff correctly, back to the problem. When I do kinit [EMAIL PROTECTED] and authenticate successfully, it works. However after that, if I do telnet localhost or ftp localhost, I cannot authenticate. This can be seen:

telnet 1
---------
afs-test:/home/ro# telnet localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
telnetd: No authentication provided.
Connection closed by foreign host.

telnet try2
------------
afs-test:/home/ro# telnet -xF localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for encryption. Good bye.

ftp try 1
---------
afs-test:/home/ro# ftp localhost
Connected to localhost.
220 afs-test.myrealm.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Server not found in Kerberos database
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (localhost:ro):

Please let me know if you would like more information. I would be very grateful for any assistance at all in this matter.

Thanks,
Rohit Kumar Mehta

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
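
Added example, not part of the original thread or of any poster's code: a small check that parses `klist -k` output and reports, for each hostname a user might type, which service principal the client would request and whether the keytab holds it. The keytab listing, hostname and realm below are constructed placeholders, and the script assumes the keytab mirrors what is registered in the KDC and does no DNS canonicalisation.

```python
import re

# Constructed sample of `klist -k` output; the hostname and realm are
# placeholders modelled on the thread, not values recovered from it.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/afs-test.myrealm.com@MYREALM.COM
"""

def keytab_principals(klist_output):
    """Return {principal: [kvno, ...]} parsed from `klist -k` text."""
    entries = {}
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:  # header and separator lines do not match and are skipped
            entries.setdefault(m.group(2), []).append(int(m.group(1)))
    return entries

def service_principal(service, hostname, realm):
    """Name the client asks the KDC for: service/<lowercased host>@REALM.
    Assumption: the hostname is passed in as the client would resolve it,
    since this sketch performs no DNS lookup."""
    return "%s/%s@%s" % (service, hostname.rstrip(".").lower(), realm)

def check_targets(klist_output, targets, realm, service="host"):
    """Map each target hostname to (requested principal, present in keytab)."""
    known = keytab_principals(klist_output)
    result = {}
    for target in targets:
        principal = service_principal(service, target, realm)
        result[target] = (principal, principal in known)
    return result

if __name__ == "__main__":
    report = check_targets(SAMPLE_KLIST,
                           ["localhost", "afs-test.myrealm.com"],
                           "MYREALM.COM")
    for host, (principal, present) in report.items():
        status = "in keytab" if present else "NOT in keytab"
        print("%-24s -> %-40s %s" % (host, principal, status))
```

To use it on a real host, pass the text printed by `klist -k` in place of SAMPLE_KLIST.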
