David A Flores wrote:
Help anyone, We are using a Windows domain controller as a KDC and we are trying to authenticate a Solaris 9.0 OS box using Kerberos. The following is the command we use to create the keytab file:
ktpass -princ host/[EMAIL PROTECTED] -mapuser dean19 -pass * -out c:\dean19.keytab
You may need to specify -kvno but see below. You may also need the +DesOnly.
It could also be a des-cbc-crc vs des-cbc-md5 (W2k will use ctc, W2003 will use md5)
Once we create the keytab file we send it to the sever via ssh. Attached are the pam.conf file and the krb5.conf that we configured. One the computer called dean19 we ran the ktutil
rkt /etc/krb5/dean.keytab wkt /etc/krb5/krb5.keytab
After the rkt and the wkt commands we do a list and it shows a "slot KVNO Principal"
We then validate the server's ability to communicate with the MS Kerberos Domain Controller by requesting a Ticket Granting Ticket using kinit.
We then use klist to verify that a TGT has been issued.
But when we try to login to the box we get the following error.
Dec 7 16:27:38 dean19 login: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
We tried it on 2 solaris machines and we are getting the same error. Does
anyone know why this might be happening?
If you have the MIT kvno command try it to see what the AD has for a kvno:
kvno host/[EMAIL PROTECTED]
Also try the klist -k -t -K /etc/krb5/krb5.keytab (MIT or SEAM) to see what the keytab has and what enctypes it has. (Don't send this as it exposes the key.)
Another way to do this at least with the MIT code is to use the ktutil addent, that will let you add an entry with the kvno, enctype and key or key via a password. So you dont transfer the output of the ktpass. (If you do this with the password, you ned to add the salt. If you want to try this I will send the instructions.)
David Flores Medical School Information Technology System Analyst II 713-500-5211
------------------------------------------------------------------------
# #ident "@(#)pam.conf 1.20 02/01/23 SMI" # # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # PAM configuration # # Unless explicitly defined, all services use the modules # defined in the "other" section. # # Modules are defined with relative pathnames, i.e., they are # relative to /usr/lib/security/$ISA. Absolute path names, as # present in this file in previous releases are still acceptable. # # Authentication management # # login service (explicit because of pam_dial_auth) # login auth sufficient pam_krb5.so.1 try_first_pass login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_auth.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_auth.so.1 # # PPP service (explicit because of pam_dial_auth) # ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authenctication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth sufficient pam_unix_auth.so.1 # # passwd command (explicit because of a different authentication module) # passwd auth required pam_passwd_auth.so.1 # # cron service (explicit because of non-usage of pam_roles.so.1) # cron account required pam_projects.so.1 cron account required pam_unix_account.so.1 # # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account requisite pam_roles.so.1 other account required pam_projects.so.1 other account required pam_unix_account.so.1 # # Default definition for Session management # Used when service name is not explicitly mentioned for session management # other session required pam_unix_session.so.1 # # Default definition for Password management # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 # # Support for Kerberos V5 authentication (uncomment to use Kerberos) # #rlogin auth optional pam_krb5.so.1 try_first_pass #login auth optional pam_krb5.so.1 try_first_pass #other auth optional pam_krb5.so.1 try_first_pass #cron account optional pam_krb5.so.1 #other account optional pam_krb5.so.1 #other session optional pam_krb5.so.1 #other password optional pam_krb5.so.1 try_first_pass
------------------------------------------------------------------------
[libdefaults] default_realm = UTHSCH.EDU default_keytab_name = FILE:/etc/krb5/krb5.keytab default_tkt_enctypes = des-cbc-md5 des-cbc-crc default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms] UTHSCH.EDU = { kdc = msdc1.uthsch.edu admin_server = msdc1.uthsch.edu }
[domain_realm] .uthsch.edu = UTHSCH.EDU uthsch.edu = UTHSCH.EDU
[logging] default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log
[appdefaults] gkadmin = { help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195 }
------------------------------------------------------------------------
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
