Mike Haney wrote:
I've been searching the internet for about a week now and trying to set up a FreeBSD r4.9 server to authenticate against W2K AD (SP4), but can't quite get it going. I'm hoping someone can shed some light on the topic for me as I think I am missing a few small details...
I've followed the document on Microsoft's website (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp) and a few other websites, and have done the following:
1) Compiled pam_krb5 for heimdal from the ports collection (this gave me some troubles with the krb5.18 dependency, changed to krb5.19 and it went ok).
2) Set an /etc/pam.conf to use kerberos first with sshd logins:
   "sshd auth sufficient pam_krb5.so try_first_pass"
3) Set up my /etc/krb5.conf as follows:

   [logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
       ticket_lifetime = 24000
       default_realm = SPONGEBOB.SP
       default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
       default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
       dns_lookup_realm = false
       dns_lookup_kdc = false

   [realms]
       SPONGEBOB.SP = {
           kdc = haney-srv.spongebob.sp
           admin_server = haney-srv.spongebob.sp
           default_domain = spongebob.sp
       }

   [domain_realm]
       .spongebob.sp = SPONGEBOB.SP

   [appdefaults]
       pam = {
           debug = true
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
       }

4) Manually synchronized the clocks on the FreeBSD & W2k machines.
5) Created a new account in AD for testing Kerberos logins (all defaults, simple password).
6) Successfully tested the new account and krb5.conf configuration by running kinit/klist/kdestroy (saw new ticket created and destroyed with klist).
7) Installed the W2k support tools to get the ksetup & kpass utilities.
8) Used ktpass to generate a keytab for the FreeBSD machine, using this syntax:
   Ktpass -princ [EMAIL PROTECTED] -mapuser testkrb -pass password -out myserver.keytab
   ** myserver is the hostname of my FreeBSD machine, testkrb is the AD username
9) Transferred the myserver.keytab to the FreeBSD machine, and placed it in /etc/krb5.keytab
10) Modified /etc/auth.conf so that auth_list has kerberos listed first (then passwd)
Whenever I try to log in using SSH (remotely or from the FreeBSD machine directly) the login prompt comes up with "Password for [EMAIL PROTECTED]", but will not accept the kerberos password. I have also tried creating a local user account in FreeBSD with a different password, and can log in using that with no troubles.
I have checked entries in /etc/auth.log and found:

   Nov 6 12:53:41 myserver sshd[51684]: (pam_krb5) pam_sm_authenticate: result for user `testkrb': Please ignore underlying account module
   Nov 6 12:53:41 myserver sshd[51680]: error: PAM: Authentication failure
With kerberos logging enabled on the W2k server (by the registry key indicated in Q262177), I see nothing logged, not even when using kinit/klist/kdestroy. Is that normal?
Any help/tips are appreciated, thanks in advance!
Mike
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
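As an added example (not part of Mike's message, and not code from the Heimdal, MIT or FreeBSD projects), here is a small parser for the krb5.conf layout posted above, together with the consistency checks worth running on such a file before digging into PAM: the default realm has a [realms] entry with a kdc, every [domain_realm] mapping points at a known realm, the enctype lists are not restricted to deprecated ciphers, and the pam debug flag is noticed. The sample text is the configuration from the post, embedded verbatim; the WEAK_ENCTYPES set and the choice of checks are my own assumptions, and the comment handling (anything after `#` or `;` is ignored) is a simplification of what the real profile parsers accept.

```python
"""Parse a krb5.conf file and run basic consistency checks (added example)."""
import re
from typing import Any, Dict, List

# Constructed sample: the krb5.conf from the mailing-list post above.
SAMPLE_KRB5_CONF = """\
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = SPONGEBOB.SP
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    SPONGEBOB.SP = {
        kdc = haney-srv.spongebob.sp
        admin_server = haney-srv.spongebob.sp
        default_domain = spongebob.sp
    }

[domain_realm]
    .spongebob.sp = SPONGEBOB.SP

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
"""

# Assumption: single-DES (RFC 6649), triple-DES and RC4 (RFC 8429) are deprecated
# for Kerberos and should not be the only enctypes a client will negotiate.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5",
}


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Return {section: {key: value | {subkey: value}}} for a krb5.conf-style text.

    Handles [section] headers, key = value lines and one or more levels of
    `name = { ... }` sub-blocks (used by [realms] and [appdefaults]).
    """
    config: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []  # innermost block last
    for raw in text.splitlines():
        # Strip comments ('#' or ';' to end of line) and surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [config.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key/value outside any section: {raw!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' outside a sub-block")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value': {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block: Dict[str, Any] = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return config


def check_krb5_conf(config: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings: List[str] = []
    lib = config.get("libdefaults", {})
    realms = config.get("realms", {})

    default_realm = lib.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"realms: no [realms] entry for default_realm {default_realm}")

    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realms: {name} has no kdc; with dns_lookup_kdc = false it is unreachable")

    for domain, mapped in config.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"domain_realm: {domain} maps to unknown realm {mapped}")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = lib.get(key, "").split()
        weak = [e for e in enctypes if e.lower() in WEAK_ENCTYPES]
        if enctypes and len(weak) == len(enctypes):
            findings.append(f"libdefaults: {key} allows only deprecated enctypes ({', '.join(weak)})")

    pam = config.get("appdefaults", {}).get("pam", {})
    if isinstance(pam, dict) and pam.get("debug", "false").lower() == "true":
        findings.append("appdefaults/pam: debug = true; verbose auth diagnostics go to syslog, turn it off after troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(finding)
```

On the posted configuration the checker reports three things: both enctype lists are DES-only, and pam debug is on. It does not report a realm or KDC problem, which is the point of running it first: it rules out the krb5.conf layout so attention can move to the keytab principal and the PAM stack.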
