From what I'm seeing, this is more likely tied to the configuration
requirements for setting up a host to support authentication for ssh via
Kerberos. Showing your krb5.conf would help (I suggest replacing internal
hostnames and realms when sharing this kind of info).

Most likely the settings for resolving the KDC through DNS are set
(dns_lookup_realm = true, dns_lookup_kdc = true), which is why you
do not need a realm entry in your krb5.conf.


This discussion explains what needs to be in place for you to be able to
set up client authentication for SSH on Ubuntu:

https://help.ubuntu.com/community/SingleSignOn#Client_Configuration

Most specifically: did you create the host principal in the KDC for the new
host you are trying to access?

On Thu, Jun 16, 2016 at 7:09 AM, Giuseppe Mazza <g.ma...@imperial.ac.uk>
wrote:

> (I apologize for my long email)
>
> I am going to try to provide some feedback:
> #
> # my (not) working scenario...
> #
> 1] Linux kerberos server:
> Ubuntu 14.04.4 LTS \n \l
> ii  krb5-kdc          1.12+dfsg-2ub amd64         MIT Kerberos key
> server (KDC)
>
> 2.a] Ubuntu 16.04 Linux client, called futurama.doc.ic.ac.uk:
> ii  krb5-user          1.13.2+dfsg-5  amd64          Basic programs to
> authenticate using MIT K
>
>
> 2.b] Ubuntu 14.04 Linux client, called bee.doc.ic.ac.uk:
> ii  krb5-user         1.12+dfsg-2ub amd64         Basic programs to
> authenticate using MIT
>
> 3] same /etc/krb5.conf on both clients, i.e. no hardcoded hostnames of
> my DCs.
>
> 4] I will be using my two accounts, gma...@ic.ac.uk (user in the Windows
> DC) and gmaz...@doc.ic.ac.uk (user in kerberos realm).
>
> The things I will describe work for bee.doc.ic.ac.uk, but not
> for futurama.doc.ic.ac.uk. In particular I have noticed the things below:
>
> - it works:
> gmazza2@futurama:~$ ssh gmazza2@futurama
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza@futurama
> gmazza@futurama's password:
> Permission denied, please try again.
> gmazza@futurama's password:
>
> - it works:
> gmazza2@futurama:~$ export KRB5_TRACE=/dev/stdout
> gmazza2@futurama:~$ kinit gma...@ic.ac.uk
> [325] 1466081998.890390: Getting initial credentials for gma...@ic.ac.uk
> [325] 1466081998.890912: Sending request (169 bytes) to IC.AC.UK
> [325] 1466081998.894103: Resolving hostname icads43.ic.ac.uk.
> [325] 1466081998.896228: Sending initial UDP request to dgram
> 129.31.100.150:88
> [325] 1466081998.899013: Received answer (174 bytes) from dgram
> 129.31.100.150:88
> [325] 1466081998.900138: Response was not from master KDC
> [325] 1466081998.900216: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [325] 1466081998.900281: Processing preauth types: 16, 15, 19, 2
> [325] 1466081998.900308: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> Password for gma...@ic.ac.uk: debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
> debug3: Received SSH2_MSG_IGNORE
>
> [325] 1466082004.103603: AS key obtained for encrypted timestamp:
> aes256-cts/1F56
> [325] 1466082004.103637: Encrypted timestamp (for 1466082003.328534):
> plain 301AA011180F32303136303631363133303030335AA1050203050356,
> encrypted
>
> C915E62DB9E0CE17F45BA2FDABB44DEF69EF02DAE0ADF1138204A1D114B27FF0AE505BB410C1FCB00E0F31BFE6939ED3E7B2C68B9C52FDA4
> [325] 1466082004.103654: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [325] 1466082004.103657: Produced preauth for next request: 2
> [325] 1466082004.103668: Sending request (247 bytes) to IC.AC.UK
> [325] 1466082004.106120: Resolving hostname icads39.ic.ac.uk.
> [325] 1466082004.106383: Sending initial UDP request to dgram
> 155.198.63.21:88
> [325] 1466082004.110203: Received answer (88 bytes) from dgram
> 155.198.63.21:88
> [325] 1466082004.111234: Response was not from master KDC
> [325] 1466082004.111262: Received error from KDC: -1765328332/Response
> too big for UDP, retry with TCP
> [325] 1466082004.111268: Request or response is too big for UDP;
> retrying with TCP
> [325] 1466082004.111281: Sending request (247 bytes) to IC.AC.UK (tcp
> only)
> [325] 1466082004.112344: Resolving hostname icads44.ic.ac.uk.
> [325] 1466082004.113626: Initiating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.114123: Sending TCP request to stream 129.31.47.2:88
> [325] 1466082004.117400: Received answer (2689 bytes) from stream
> 129.31.47.2:88
> [325] 1466082004.117416: Terminating TCP connection to stream
> 129.31.47.2:88
> [325] 1466082004.118434: Response was not from master KDC
> [325] 1466082004.118467: Processing preauth types: 19
> [325] 1466082004.118475: Selected etype info: etype aes256-cts, salt
> "IC.AC.UKgmazza", params ""
> [325] 1466082004.118480: Produced preauth for next request: (empty)
> [325] 1466082004.118489: AS key determined by preauth: aes256-cts/1F56
> [325] 1466082004.118538: Decrypted AS reply; session key is:
> aes256-cts/5BA4
> [325] 1466082004.118555: FAST negotiation: unavailable
> [325] 1466082004.118578: Initializing FILE:/tmp/krb5cc_868_TQFkWp with
> default princ gma...@ic.ac.uk
> [325] 1466082004.118635: Storing gma...@ic.ac.uk ->
> krbtgt/ic.ac...@ic.ac.uk in FILE:/tmp/krb5cc_868_TQFkWp
> [325] 1466082004.118662: Storing config in FILE:/tmp/krb5cc_868_TQFkWp
> for krbtgt/ic.ac...@ic.ac.uk: pa_type: 2
> [325] 1466082004.118684: Storing gma...@ic.ac.uk ->
> krb5_ccache_conf_data/pa_type/krbtgt\/IC.AC.UK\@IC.AC.UK@X-CACHECONF: in
> FILE:/tmp/krb5cc_868_TQFkWp
>
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gma...@ic.ac.uk
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/ic.ac...@ic.ac.uk
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> - it does not work:
> gmazza2@futurama:~$ ssh gmazza2@futurama
> [375] 1466082089.872003: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac...@doc.ic.ac.uk
> [375] 1466082089.872158: Getting credentials gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.872299: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.872397: Retrieving gma...@ic.ac.uk ->
> krbtgt/doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872489: Retrieving gma...@ic.ac.uk ->
> krbtgt/ic.ac...@ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp with result:
> 0/Success
> [375] 1466082089.872507: Starting with TGT for client realm:
> gma...@ic.ac.uk -> krbtgt/ic.ac...@ic.ac.uk
> [375] 1466082089.872611: Retrieving gma...@ic.ac.uk ->
> krbtgt/doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp with
> result: -1765328243/Matching credential not found
> [375] 1466082089.872628: Requesting TGT krbtgt/doc.ic.ac...@ic.ac.uk
> using TGT krbtgt/ic.ac...@ic.ac.uk
> [375] 1466082089.872694: Generated subkey for TGS request: aes256-cts/36BD
> [375] 1466082089.872848: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.873071: Encoding request body and padata into FAST request
> [375] 1466082089.873237: Sending request (2863 bytes) to IC.AC.UK
> [375] 1466082089.875549: Resolving hostname icads44.ic.ac.uk.
> [375] 1466082089.876375: Sending initial UDP request to dgram
> 129.31.47.2:88
> [375] 1466082089.878367: Received answer (311 bytes) from dgram
> 129.31.47.2:88
> [375] 1466082089.879374: Response was not from master KDC
> [375] 1466082089.879420: Decoding FAST response
> [375] 1466082089.879497: Request or response is too big for UDP;
> retrying with TCP
> [375] 1466082089.879512: Sending request (2863 bytes) to IC.AC.UK (tcp
> only)
> [375] 1466082089.880644: Resolving hostname icads43.ic.ac.uk.
> [375] 1466082089.881101: Initiating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.881629: Sending TCP request to stream 129.31.100.150:88
> [375] 1466082089.883386: Received answer (2758 bytes) from stream
> 129.31.100.150:88
> [375] 1466082089.883408: Terminating TCP connection to stream
> 129.31.100.150:88
> [375] 1466082089.884435: Response was not from master KDC
> [375] 1466082089.884481: Decoding FAST response
> [375] 1466082089.884661: FAST reply key: aes256-cts/C91B
> [375] 1466082089.884730: TGS reply is for gma...@ic.ac.uk ->
> krbtgt/doc.ic.ac...@ic.ac.uk with session key des-cbc-crc/A617
> [375] 1466082089.884819: TGS request result: 0/Success
> [375] 1466082089.884838: Storing gma...@ic.ac.uk ->
> krbtgt/doc.ic.ac...@ic.ac.uk in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.884915: Received TGT for service realm:
> krbtgt/doc.ic.ac...@ic.ac.uk
> [375] 1466082089.884927: Requesting tickets for
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, referrals on
> [375] 1466082089.884955: Generated subkey for TGS request: des-cbc-crc/14B2
> [375] 1466082089.885000: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.885099: Encoding request body and padata into FAST request
> [375] 1466082089.885228: Sending request (2832 bytes) to DOC.IC.AC.UK
> (tcp only)
> [375] 1466082089.885263: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.885710: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886276: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.886314: Resolving hostname kerberos1.doc.ic.ac.uk
> [375] 1466082089.886738: Initiating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887249: Terminating TCP connection to stream
> 146.169.1.11:88
> [375] 1466082089.887270: Resolving hostname kerberos2.doc.ic.ac.uk
> [375] 1466082089.887611: Initiating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.888136: Terminating TCP connection to stream
> 146.169.1.71:88
> [375] 1466082089.889673: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac...@doc.ic.ac.uk
> [375] 1466082089.889789: Getting credentials gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.889906: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: -1765328243/Matching credential not found
> [375] 1466082089.890009: Retrieving gma...@ic.ac.uk ->
> krbtgt/doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp with
> result: 0/Success
> [375] 1466082089.890024: Found cached TGT for service realm:
> gma...@ic.ac.uk -> krbtgt/doc.ic.ac...@ic.ac.uk
> [375] 1466082089.890033: Requesting tickets for
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, referrals on
> [375] 1466082089.890062: Generated subkey for TGS request: des-cbc-crc/B04E
> [375] 1466082089.890113: etypes requested in TGS request: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts,
> des-cbc-crc, des, des-cbc-md4
> [375] 1466082089.890252: Encoding request body and padata into FAST request
> [375] 1466082089.890394: Sending request (2832 bytes) to DOC.IC.AC.UK
> [375] 1466082089.890446: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.890897: Initiating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891502: Terminating TCP connection to stream
> 146.169.1.157:88
> [375] 1466082089.891525: Resolving hostname kerberos.doc.ic.ac.uk
> [375] 1466082089.891874: Sending initial UDP request to dgram
> 146.169.1.157:750
> [375] 1466082089.893602: Received answer (861 bytes) from dgram
> 146.169.1.157:750
> [375] 1466082089.894766: Response was not from master KDC
> [375] 1466082089.894812: Decoding FAST response
> [375] 1466082089.894897: FAST reply key: des-cbc-crc/EE43
> [375] 1466082089.894953: TGS reply is for gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk with session key aes256-cts/4216
> [375] 1466082089.894987: TGS request result: 0/Success
> [375] 1466082089.894997: Received creds for desired service
> host/futurama.doc.ic.ac...@doc.ic.ac.uk
> [375] 1466082089.895012: Storing gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk in FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.895181: Creating authenticator for gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, seqnum 683096606, subkey
> aes256-cts/1E3F, session key aes256-cts/4216
> [375] 1466082089.896680: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac...@doc.ic.ac.uk
> [375] 1466082089.896837: Getting credentials gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.896953: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.897036: Creating authenticator for gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, seqnum 249884086, subkey
> aes256-cts/FDB1, session key aes256-cts/4216
> [375] 1466082089.898397: ccselect can't find appropriate cache for
> server principal host/futurama.doc.ic.ac...@doc.ic.ac.uk
> [375] 1466082089.898517: Getting credentials gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898630: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898760: Getting credentials gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk using ccache
> FILE:/tmp/krb5cc_868_TQFkWp
> [375] 1466082089.898865: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2@futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gma...@ic.ac.uk
>
> Valid starting     Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/ic.ac...@ic.ac.uk
>         renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29  17/06/16 00:00:04  krbtgt/doc.ic.ac...@ic.ac.uk
>         renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29  17/06/16 00:00:04
> host/futurama.doc.ic.ac...@doc.ic.ac.uk
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza@futurama"
> gmazza2@futurama:~$ export KRB5_TRACE=
> gmazza2@futurama:~$ ssh gmazza@futurama uptime
>   14:02:58 up 21:31,  2 users,  load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
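As an added illustration (not code from this thread, from MIT Kerberos, or from the Ubuntu wiki page linked above), the following Python script checks the two things the reply raises: how a client's krb5.conf locates the KDC (DNS SRV lookup versus a static [realms] stanza), and what a KRB5_TRACE run actually obtained on the way to the host/ service ticket. The krb5.conf and the trace excerpt are constructed samples, modelled on the poster's description and on the shape of the trace lines in his mail, with placeholder principals (user@HOME.EXAMPLE, SERVICE.EXAMPLE, host/client.service.example) standing in for the real ones. It lists each ticket hop with the enctype of its session key and flags single-DES enctypes, which RFC 6649 deprecates and which modern MIT krb5 refuses unless allow_weak_crypto is enabled; the cross-realm TGT in the poster's trace was issued with exactly such a key (des-cbc-crc). All function and sample names are assumptions made for this example.

```python
import re

# Single-DES enctypes: deprecated by RFC 6649, off by default in modern MIT krb5.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}

# Constructed krb5.conf in the style the poster describes: DNS lookup on,
# no hard-coded KDC hostnames. Not the poster's real file (it was not shared).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SERVICE.EXAMPLE
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]

[domain_realm]
    .service.example = SERVICE.EXAMPLE
"""

# Constructed KRB5_TRACE excerpt with the same line shapes as the thread's
# trace, re-joined onto single lines, with placeholder principals.
SAMPLE_TRACE = """\
[325] 1466082004.118538: Decrypted AS reply; session key is: aes256-cts/5BA4
[375] 1466082089.872628: Requesting TGT krbtgt/SERVICE.EXAMPLE@HOME.EXAMPLE using TGT krbtgt/HOME.EXAMPLE@HOME.EXAMPLE
[375] 1466082089.884730: TGS reply is for user@HOME.EXAMPLE -> krbtgt/SERVICE.EXAMPLE@HOME.EXAMPLE with session key des-cbc-crc/A617
[375] 1466082089.894953: TGS reply is for user@HOME.EXAMPLE -> host/client.service.example@SERVICE.EXAMPLE with session key aes256-cts/4216
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader returning {section: {key: value}}.
    Nested realm stanzas (REALM = { kdc = ... }) are flattened: the realm
    name is kept as a key with value '{', which is all the check needs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line or line == "}":
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections


def is_true(value, default):
    """Boolean parsing roughly as krb5 does it (yes/true/t/1/on)."""
    if value is None:
        return default
    return value.lower() in ("yes", "true", "t", "1", "on")


def kdc_discovery_finding(sections):
    """Explain how this client will locate a KDC for its default realm."""
    lib = sections.get("libdefaults", {})
    realm = lib.get("default_realm", "<unset>")
    static = realm in sections.get("realms", {})
    # MIT krb5 treats dns_lookup_kdc as true when the key is absent.
    via_dns = is_true(lib.get("dns_lookup_kdc"), default=True)
    if static:
        return f"{realm}: KDC configured statically in [realms]"
    if via_dns:
        return (f"{realm}: no [realms] stanza; KDC located through DNS SRV "
                f"records (_kerberos._udp.{realm.lower()}), so DNS must answer")
    return f"{realm}: no [realms] stanza and dns_lookup_kdc is off; no KDC can be found"


_AS_REPLY = re.compile(r"Decrypted AS reply; session key is: ([\w-]+)/")
_TGS_REPLY = re.compile(r"TGS reply is for (\S+) -> (\S+) with session key ([\w-]+)/")


def trace_hops(trace):
    """List every ticket the trace shows being obtained, with the enctype of
    its session key and whether that enctype is single DES."""
    hops = []
    for line in trace.splitlines():
        m = _AS_REPLY.search(line)
        if m:
            hops.append({"kind": "initial TGT", "service": None, "etype": m.group(1)})
            continue
        m = _TGS_REPLY.search(line)
        if m:
            service = m.group(2)
            kind = "cross-realm TGT" if service.startswith("krbtgt/") else "service ticket"
            hops.append({"kind": kind, "service": service, "etype": m.group(3)})
    for hop in hops:
        hop["weak"] = hop["etype"] in WEAK_ETYPES
    return hops


def weak_hops(trace):
    """Only the hops whose session key uses a weak enctype."""
    return [h for h in trace_hops(trace) if h["weak"]]


if __name__ == "__main__":
    print(kdc_discovery_finding(parse_krb5_conf(SAMPLE_KRB5_CONF)))
    for hop in trace_hops(SAMPLE_TRACE):
        flag = "  <-- weak enctype" if hop["weak"] else ""
        print(f"{hop['kind']:15} {hop['service'] or '-':45} {hop['etype']}{flag}")
```

To run it against a real session, replace SAMPLE_TRACE with the contents of the file named in KRB5_TRACE and SAMPLE_KRB5_CONF with /etc/krb5.conf. The script does not cover the reply's other question, whether the host principal exists: that is checked on the server itself with `klist -k /etc/krb5.keytab`, which should list a host/<fqdn>@REALM entry matching the principal sshd's GSSAPI acceptor is asked for.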
