Sam Evans wrote:
All:
I seem to have run into a roadblock getting my Linux machines to authenticate against AD when coming in through OpenSSH.
First, let me start off by listing what my environment is:
Test Client:
* RHEL Linux
* MIT Kerberos v1.4
* OpenSSH v3.9p1 - Compiled using the following line:
./configure --with-tcp-wrappers --with-pam --with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr --sysconfdir=/etc/ssh
Active Directory:
* Windows 2003
Scenario 1:
If I use my local account and password, I can get into the machine OK. I know that OpenSSH is functioning properly. At this point, if I do a 'kinit' I can successfully authenticate myself against AD and obtain my Kerberos5 ticket.
Scenario 2:
If I change my account information to require that authentication take place using Kerberos, then I get the following error from the ssh daemon:
debug1: Kerberos password authentication failed: ASN.1 encoding ended unexpectedly
Do you have any more of the sshd trace?
-- What I have been able to determine at this point is that if I remove my userid from the multitude of groups that it belongs to in AD, then I *can* successfully authenticate myself when I come in through OpenSSH, using Kerberos.
-- If I place myself back into the same groups, I cannot authenticate myself and get the above error.
Sounds like a big ticket problem. We have seen problems with AFS (which has been reported and fixed in the CVS) when the ticket is big.
I have not seen this, and just did a test with my 2003 AD user which is in too many groups. It worked fine with OpenSSH-3.9p1 with MIT krb5-1.4 running on Solaris. But maybe my test user is not in enough groups to cause this problem.
In doing some reading, it appears as if I need to force TCP usage in the MIT Kerberos, which I have done. Everything still works when I do 'kinit' but nothing has changed in regards to OpenSSH authentication ability.
Anyone have any thoughts or suggestions?
The OpenSSH may be finding an older krb5 shared library, that has problems. Does it also have PAM? Is the pam_krb5 loading an old Kerberos?
Does "ldd sshd" show that all new krb5 libs are being used?
If you run Ethereal, how big is the bad ticket vs the good ticket?
Thanks,
Sam P
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
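Doug's "how big is the bad ticket vs the good ticket" comparison can also be made without a packet capture by measuring the tickets a successful kinit leaves in the credential cache, with the user in and out of the AD groups. The Python script below is an added example, not code from this thread: it parses the MIT krb5 FILE: credential cache (format version 4) and reports each ticket's size, plus a builder for a constructed sample cache (the principal names and sizes are made up).

```python
"""Report each ticket's size in an MIT krb5 FILE: ccache (format v4). Added diagnostic, not code from the thread."""
import struct
def _counted(buf, off):
    # counted_octet_string: big-endian uint32 length, then the bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):
    # uint32 name_type, uint32 num_components, realm, then each component
    _ntype, ncomp = struct.unpack_from(">II", buf, off)
    realm, off = _counted(buf, off + 8)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off

def ticket_sizes(buf):
    """Return [(server_principal, ticket_length)] for every credential in the cache."""
    version, hlen = struct.unpack_from(">HH", buf, 0)
    if version != 0x0504:
        raise ValueError("only ccache format version 4 is handled")
    _default, off = _principal(buf, 4 + hlen)      # skip header tags (KDC time offset)
    out = []
    while off < len(buf):
        _client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        _key, off = _counted(buf, off + 2)         # uint16 enctype, then key data
        off += 16 + 1 + 4                          # 4 x uint32 times, is_skey, ticket_flags
        for _section in range(2):                  # addresses, then authorization data
            (count,) = struct.unpack_from(">I", buf, off)
            off += 4
            for _ in range(count):
                _, off = _counted(buf, off + 2)    # uint16 type, then counted data
        ticket, off = _counted(buf, off)
        _second_ticket, off = _counted(buf, off)
        out.append((server, len(ticket)))
    return out

def _enc(b): return struct.pack(">I", len(b)) + b
def _princ(name, realm, ntype=1):
    comps = [c.encode() for c in name.split("/")]
    return struct.pack(">II", ntype, len(comps)) + _enc(realm.encode()) + b"".join(map(_enc, comps))
def build_ccache(client, realm, creds):
    # Constructed sample cache (zero key and times, no addresses or authdata) from (server, ticket_bytes) pairs
    out = struct.pack(">HH", 0x0504, 0) + _princ(client, realm)
    for server, ticket in creds:
        out += _princ(client, realm) + _princ(server, realm, 2)
        out += struct.pack(">H", 18) + _enc(bytes(32)) + bytes(21 + 8) + _enc(ticket) + _enc(b"")
    return out
```

On a real client, pass the contents of the file named by KRB5CCNAME (or /tmp/krb5cc_<uid>) to ticket_sizes; a TGT that balloons once the account is back in its groups is the PAC-bloated "big ticket" Doug describes.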
