Hi Doug,

still on win2000

I can authenticate and get tgt ticket with kinit
I can get service ticket with kinit -S
pamkrbval returns all PASSED
nsquery search against ldap returns values in AD
(I still seem to need a dummy entry in /etc/passwd for kerberos to create credential cache)??

Well, don't know what else to do
Thanks

"Doug Lamoureux" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Ryan,
> Are you running Windows 2003? I've just run into a problem with Win2k3
> encrypting the client tickets with rc4-hmac:
>
> # kinit -S host/myhost.acme.com dougl
> Password for [EMAIL PROTECTED]:
> # klist -e
> Ticket cache: /tmp/krb5cc_0
> Default principal: host/[EMAIL PROTECTED]
> Valid starting     Expires            Service principal
> 01/22/04 09:54:57  01/22/04 19:54:57  host/[EMAIL PROTECTED]
>         Etype (skey, tkt): DES cbc mode with CRC-32, etype 23
>
> etype 23 is RC4-HMAC
>
> (ethereal trace shows rc4-hmac)
>
> I've seen a number of suggestions to set the "Use DES encryption" flag on the
> users account and reset the password, but that has not resolved the problem.
>
> Check out your syslog.log file for potential errors. You don't have to set up
> cross-realm authentication for ldap-ux/kerberos to work with AD on hp-ux (you
> will if you want to have multi-domain support). Make sure you can see the user
> defined in AD:
>
> # pwget -n dougl
> dougl:*:10001:20::/home/dougl:/usr/bin/ksh
> # /usr/contrib/bin/nsquery passwd dougl ldap
>
> Using "ldap" for the passwd policy.
>
> Searching ldap for dougl
> User name: dougl
> User Id: 10001
> Group Id: 20
> Gecos:
> Home Directory: /home/dougl
> Shell: /usr/bin/ksh
>
> Switch configuration: Terminates Search
>
> Then make sure you can use kinit to authenticate:
>
> # kinit dougl
> Password for [EMAIL PROTECTED]:
>
> You can also validate the Kerberos client configuration using pamkrbval:
>
> # /usr/sbin/pamkrbval
>
> Validating the pam configuration files
> ---------- --- --- ------------- -----
>
> Validating the /etc/pam.conf file
> [PASS] : The validation of config file: /etc/pam.conf passed
>
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
> as libpam_updbe library is not configured
>
> Validating the kerberos config file
> ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
>
> Connecting to default Realm
> ---------- -- ------- -----
> [PASS] : Default Realm is issuing tickets
>
> Validating the keytab entry for the host service principal
> ---------- --- ------ ----- --- --- ---- ------- ---------
> /usr/sbin/pamkrbval: Program lacks support for encryption type for this entry
> [FAIL] : The keytab validation Failed
>
> Cheers,
> Doug
>
>
> Ryan Odgers wrote:
>
> > (I apologize if this has already been posted, I am new to this list)
> >
> > Hi,
> >
> > What is the trick to getting services to work via kerberos?
> >
> > I have been playing around with trying to use kerberos as a SSO for our
> > environment, but am a bit confused.
> >
> > To date:
> > I have installed and configured MS SFU 3.5 (services for Unix) on our AD,
> > extended the schema.
> > I have an HP-UX 11.11 machine in which I have set up the LDAP client to talk
> > to the AD via kerberos. I can successfully search the AD and can login with
> > windows credentials via a keytab created for the host.
> >
> > The telnet service in HP-UX is kerberos aware, but after creating a service
> > instance and keytab file for the telnet service in AD, and importing into
> > the unix keytab file, I cannot telnet into unix via kerberos. I have
> > followed Microsoft's doc on inter-operability, but cannot get the services
> > side of kerberos to work.
> >
> > If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> > cross-realm authentication still need to be set up?
> > It is the same kerberos realm, the unix machine points to the 2000 KDC as
> > its server.
> >
> > Any help is VERY appreciated
> > Ryan
> >

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos