Ralf Hildebrandt wrote:
> I'm at my wits' end.
> 
> I'm trying to use a Win2k ADS/Kerberos Infrastructure with Debian
> GNU/Linux clients.
> 

Did you add the host account to AD? Did you run the MS ktpass to set the service principal in the account, set the password on the account, and generate a keytab file? Did you copy the keytab file back to the Unix system?

See http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx

> What I can do on the host:
> 
> ----------- snip ----------
> # kinit -V hildeb
> Password for [EMAIL PROTECTED]:
> Authenticated to Kerberos v5
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
> 
> Valid starting     Expires            Service principal
> 02/01/06 12:58:23  02/01/06 22:58:25  krbtgt/[EMAIL PROTECTED]
>         renew until 02/02/06 12:58:23
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> ----------- snip ----------
> 
> I can also use the kerberized telnetd (/usr/bin/telnet.krb5 from the
> krb5-clients package) and log into that host successfully (with the
> username & password that the win2k provides).

This should have had the same error, but there are options to turn off the verify in this case, but turning it off does open a security hole.

> 
> What I can't do: I'm trying to use
> libpam-krb5 1.2.0-1   PAM module for MIT Kerberos
> 
> as PAM modules for OpenVPN:
> 
> 
> ----------- snip ----------
> # PAM configuration for OpenVPN
> auth     sufficient pam_krb5.so debug ignore_root
> account  required   pam_krb5.so debug ignore_root
> ----------- snip ----------
> 
> any login attempt from openvpn results in:
> 
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_authenticate: entry
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: openvpn-krb5
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found

This implies it can not find the keytab file entry for the host.

> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): hildeb: pam_sm_authenticate: exit (success)
> Jan 31 20:54:05 vpn-gw-int openvpn[3005]: (pam_krb5): none: pam_sm_acct_mgmt: entry
> 
> and openvpn crashes afterwards...

That is some other problem...

> 
> Questions:
> ==========
> 
> What does "verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found" mean?
> I probably need to get rid of that error in order to get things flying.
> 

See above.

> My /etc/krb5.conf is attached.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> [libdefaults]
>     default_realm = CHARITE.DE
> # this really is the domain name. Funnily enough, other institutions always seem
> # to make DNS domain == Win2k domain. It's different here :(
> # UPPER CASE is important!!
> 
>     clockskew = 300
>     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> #   dns_lookup_kdc = true
> 
> [realms]
>     CHARITE.DE = {
> #       kdc = DC-CHARITE-1.CHARITE.DE
> #       kdc = dc-charite-2.charite.de
> #       kdc = dc-charite-3.charite.de
>         kdc = dc-charite-4.charite.de
>         default_domain = CHARITE.DE
>         kpasswd_server = DC-CHARITE-1.CHARITE.DE
>     }
> 
> [domain_realm]
>     .charite.de = CHARITE.DE
> 
> [logging]
>     default = FILE:/var/log/krb5lib.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
> 
> [appdefaults]
>     pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         retain_after_close = false
>         minimum_uid = 0
>         debug = true
>     }
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

Douglas E. Engert  <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois  60439
(630) 252-5444
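An offline check for the diagnosis Douglas gives above, added here as an example and not code from the thread or from pam_krb5: given the text of a `klist -k` listing, it reports whether the host service principal the module verifies the TGT against is actually in the keytab, and lists the near-misses (case or short hostname) that usually explain "Key table entry not found". It assumes the default `host/<fqdn>@<REALM>` principal; the sample listing, the hostname vpn-gw-int.charite.de and the realm CHARITE.DE are constructed from names in the thread, and the function names are mine.

```shell
#!/bin/sh
# Offline check for the symptom above: pam_krb5 verifies the TGT against the host key
# in the keytab, and "Key table entry not found" means that entry (assumed to be
# host/<fqdn>@<REALM>) is absent. Principal names compare case-sensitively, so the
# usual causes are a case mismatch or a short hostname in the keytab.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not a capture from the thread).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/VPN-GW-INT.charite.de@CHARITE.DE
   2 host/vpn-gw-int@CHARITE.DE'

# Print only the principal column of a klist -k listing; header lines have no numeric KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# keytab_has_host_principal LISTING FQDN REALM -> exit 0 only on an exact host/FQDN@REALM match
keytab_has_host_principal() {
    keytab_principals "$1" | grep -qxF "host/$2@$3"
}

# keytab_near_misses LISTING FQDN REALM -> print entries that differ only in case or
# use the short hostname, i.e. the entries an administrator thought would match.
keytab_near_misses() {
    want="host/$2@$3"
    short="host/${2%%.*}@$3"
    keytab_principals "$1" | awk -v want="$want" -v short="$short" '
        $0 == want { next }
        tolower($0) == tolower(want) { print "case mismatch: " $0; next }
        tolower($0) == tolower(short) { print "short hostname: " $0 }'
}

# keytab_diagnose LISTING FQDN REALM -> verdict on stdout; exit 0 only when the entry exists
keytab_diagnose() {
    if keytab_has_host_principal "$1" "$2" "$3"; then
        echo "OK: host/$2@$3 present, pam_krb5 can verify the TGT"
        return 0
    fi
    echo "MISSING: host/$2@$3 not in keytab (pam_krb5: Key table entry not found)"
    keytab_near_misses "$1" "$2" "$3"
    return 1
}

# Stand-alone run against the constructed sample; its non-zero status is expected here.
keytab_diagnose "$SAMPLE_LISTING" vpn-gw-int.charite.de CHARITE.DE || :
```

On a real host, feed it `"$(klist -k /etc/krb5.keytab)"` and the machine's canonical FQDN; an exact match is what lets the verify step stay enabled instead of being switched off.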
