Try using:

    telnet -xF afs-test

and:

    ftp -x afs-test

I assume you have Kerberized telnetd and ftpd properly configured in /etc/inetd.conf, /etc/xinetd.d or whatever mechanism Debian uses to manage daemon services. I suggest you configure the daemons to only allow access via an encrypted session.

-------------------

>Date: Mon, 27 Oct 2003 09:38:16 -0500
>From: "Mehta, Rohit" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: having difficulty setting up a linux client with Win2k KDC
>
>
>Hi guys, I am fairly new to Kerberos and I would like to set up Linux clients
>to use a Win2k KDC. We have an Active Directory, and I have a Debian (Woody)
>system with the following packages installed:
>
>afs-test:/home/ro# dpkg -l |grep krb5
>ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
>ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
>ii  krb5-config    1.4            Configuration files for Kerberos Version 5
>ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
>ii  krb5-ftpd      1.2.4-5woody4  Secure FTP server supporting MIT Kerberos
>ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
>ii  krb5-rsh-serve 1.2.4-5woody4  Secure replacements for rshd and rlogind us
>ii  krb5-telnetd   1.2.4-5woody4  Secure telnet server supporting MIT Kerberos
>ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
>ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
>ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries
>ii  libpam-krb5    1.0-7          PAM module for MIT Kerberos
>ii  openafs-krb5   1.3-8          The AFS distributed filesystem- Kerberos 5 I
>ii  ssh-krb5       3.4p1-0woody4  Secure rlogin/rsh/rcp replacement (OpenSSH w
>
>
>kinit and kpasswd actually work, but telnet and ftp do not.
>This is what my krb5.conf looks like:
>
>[libdefaults]
>        default_realm = MYREALM.COM
>
>        default_tgs_enctypes = des-cbc-md5
>        default_tkt_enctypes = des-cbc-md5
>        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-crc
>
>[realms]
>MYREALM.COM = {
>        kdc = myactivedirectorycontroller.myrealm.com
>        admin_server = myactivedirectorycontroller.myrealm.com
>}
>
>[domain_realm]
>        myrealm.com = MYREALM.COM
>
>
>I created a keytab for afstest.myrealm.com on the DC and installed it on this
>client in /etc/krb5.keytab. It looks something like this:
>
>afs-test:/home/ro# klist -k
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   1 host/[EMAIL PROTECTED]
>
>
>So hopefully I did all of that stuff correctly; back to the problem.
>When I do kinit [EMAIL PROTECTED] and authenticate successfully, it works.
>However, after that, if I do telnet localhost or ftp localhost, I cannot
>authenticate. This can be seen:
>
>telnet 1
>---------
>afs-test:/home/ro# telnet localhost
>Trying 127.0.0.1...
>Connected to localhost (127.0.0.1).
>Escape character is '^]'.
>telnetd: No authentication provided.
>Connection closed by foreign host.
>
>telnet try2
>------------
>afs-test:/home/ro# telnet -xF localhost
>Trying 127.0.0.1...
>Connected to localhost (127.0.0.1).
>Escape character is '^]'.
>Waiting for encryption to be negotiated...
>
>Authentication negotation has failed, which is required for
>encryption.  Good bye.
>
>ftp try 1
>---------
>afs-test:/home/ro# ftp localhost
>Connected to localhost.
>220 afs-test.myrealm.com FTP server (Version 5.60) ready.
>334 Using authentication type GSSAPI; ADAT must follow
>GSSAPI accepted as authentication type
>GSSAPI error major: Miscellaneous failure
>GSSAPI error minor: Server not found in Kerberos database
>GSSAPI error: initializing context
>GSSAPI authentication failed
>334 Using authentication type KERBEROS_V4; ADAT must follow
>KERBEROS_V4 accepted as authentication type
>Kerberos V4 krb_mk_req failed: You have no tickets cached
>Name (localhost:ro):
>
>
>Please let me know if you would like more information. I would be very
>grateful for any assistance at all in this matter.
>
>Thanks,
>
>Rohit Kumar Mehta
>
>________________________________________________
>Kerberos mailing list           [EMAIL PROTECTED]
>https://mailman.mit.edu/mailman/listinfo/kerberos
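The reply's advice to use the real host name rather than localhost comes down to how the client builds the service principal it asks the KDC for. The following is an added example, not code from the thread or from MIT Kerberos: a simplified model of that derivation (forward lookup of the typed host name, then the [domain_realm] mapping from the posted krb5.conf), checked against a constructed keytab listing. The host-name table and keytab contents are assumptions, and using host/ for ftp as well as telnet is a simplification.

```python
# Added example, not part of the mailing-list thread: a simplified model of how an
# MIT Kerberos client turns "telnet <host>" into a host/ service principal, so the
# "Server not found in Kerberos database" result for localhost can be reproduced
# offline. The host table and keytab listing below are constructed assumptions.

DEFAULT_REALM = "MYREALM.COM"

# [domain_realm] as posted; a host-name relation implicitly covers its subdomain.
DOMAIN_REALM = {"myrealm.com": "MYREALM.COM"}

# Constructed stand-in for the forward DNS / /etc/hosts lookup libkrb5 performs.
CANONICAL_HOSTS = {
    "afs-test": "afs-test.myrealm.com",
    "afs-test.myrealm.com": "afs-test.myrealm.com",
    "localhost": "localhost",
}

# Constructed stand-in for `klist -k` output on the client.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 host/afs-test.myrealm.com@MYREALM.COM
"""


def realm_for_host(fqdn, domain_realm=DOMAIN_REALM, default=DEFAULT_REALM):
    """Consult [domain_realm] the way the library does: the exact host first,
    then each enclosing domain (with or without a leading dot), then default_realm."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        for key in (domain, "." + domain):
            if key in domain_realm:
                return domain_realm[key]
    return default


def service_principal(service, hostname, hosts=CANONICAL_HOSTS):
    """Build service/<canonical host>@REALM for the name the user typed."""
    fqdn = hosts.get(hostname.lower(), hostname.lower())
    return "%s/%s@%s" % (service, fqdn, realm_for_host(fqdn))


def keytab_principals(listing=KEYTAB_LISTING):
    """Parse klist -k style output into the set of principals it lists."""
    return {line.split()[1] for line in listing.splitlines()
            if line.strip() and line.split()[0].isdigit()}


def diagnose(hostname):
    """Return (requested principal, whether the server's keytab holds it)."""
    princ = service_principal("host", hostname)  # assumption: host/ for ftp too
    return princ, princ in keytab_principals()
```

Running `diagnose("localhost")` yields host/localhost@MYREALM.COM, which neither the KDC nor the keytab knows, while `diagnose("afs-test")` resolves to the principal the keytab actually holds.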
