Hello,

In this particular case, I have an Active Directory KDC from which I have
created host principals and imported them into the proper keytabs. Both sides
of the connection are running OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05
Sep 2006.

I'm not really sure what the issue here is. I've successfully managed to get
this sort of setup working previously with an MIT KDC.

I can successfully initiate sec=krb5* NFSv4 connections between the two hosts,
so I'm fairly confident that I managed to export the keytabs from AD properly,
though obviously they utilize the nfs/ principals rather than host/. The
exported keytabs use RC4-HMAC (the AD default).

I'm hoping that I've overlooked something straightforward that someone can
readily point out.

Thanks in advance,
Ed


On the "server" side the following options are set:
   KerberosAuthentication yes
   KerberosOrLocalPasswd yes
   KerberosTicketCleanup yes
   GSSAPIAuthentication yes
   GSSAPICleanupCredentials yes

On the "client" side the following options are set:
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
   GSSAPITrustDns yes

From the client, I use "kinit" to obtain the ticket for my user. I then
attempt to SSH into the server. I believe the following is the relevant
portion of a debug session:

Client:
   debug1: Authentications that can continue:
   publickey,gssapi-keyex,gssapi-with-mic,password
   debug3: start over, passed a different list
   publickey,gssapi-keyex,gssapi-with-mic,password
   debug3: preferred
   gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
   debug3: authmethod_lookup gssapi-keyex
   debug3: remaining preferred:
   gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
   debug3: authmethod_is_enabled gssapi-keyex
   debug1: Next authentication method: gssapi-keyex
   debug1: No valid Key exchange context
   debug2: we did not send a packet, disable method
   debug3: authmethod_lookup gssapi-with-mic
   debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
   debug3: authmethod_is_enabled gssapi-with-mic
   debug1: Next authentication method: gssapi-with-mic
   debug2: we sent a gssapi-with-mic packet, wait for reply
   debug1: Delegating credentials
   debug1: Delegating credentials
   debug1: Miscellaneous failure
   Generic error (see e-text)

Server:
   debug1: userauth-request for user eroper service ssh-connection method none
   debug1: attempt 0 failures 0
   Failed none for eroper from 10.10.130.145 port 60646 ssh2
   Failed none for eroper from 10.10.130.145 port 60646 ssh2
   debug1: userauth-request for user eroper service ssh-connection method
   gssapi-with-mic
   debug1: attempt 1 failures 1
   Postponed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
   debug1: Miscellaneous failure
   Key table entry not found

   debug1: Got no client credentials
   Failed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
   debug1: userauth-request for user eroper service ssh-connection method
   gssapi-with-mic
   debug1: attempt 2 failures 2
   Failed gssapi-with-mic for eroper from 10.10.130.145 port 60646 ssh2
   debug1: userauth-request for user eroper service ssh-connection method
   publickey
   debug1: attempt 3 failures 2

On the server:

anubis:~# klist -k
   Keytab name: FILE:/etc/krb5.keytab
   KVNO Principal
   ---- ---------------------------------------------------------
      3 nfs/[EMAIL PROTECTED]
      3 host/[EMAIL PROTECTED]

On the client:

   Ticket cache: FILE:/tmp/krb5cc_10116
   Default principal: [EMAIL PROTECTED]

   Valid starting     Expires            Service principal
   07/23/07 12:35:15  07/23/07 22:35:15  krbtgt/[EMAIL PROTECTED]
           renew until 07/24/07 12:35:15
   07/23/07 12:35:34  07/23/07 22:35:15  host/[EMAIL PROTECTED]
           renew until 07/24/07 12:35:15


   Kerberos 4 ticket cache: /tmp/tkt10116
   klist: You have no tickets cached
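The server-side "Key table entry not found" means sshd's GSSAPI acceptor could not find a keytab key matching the host/ service ticket the client presented. Added example (not from the poster or OpenSSH) that cross-checks a client's `klist` ticket listing against the server's `klist -k` output and reports whether the host/ principal is present, differs only in hostname form (short name vs FQDN), or sits in a different realm; it assumes MIT-style klist output and uses constructed placeholder hosts and realm, not the poster's real values.

```python
import re

# Constructed sample listings with placeholder host/realm (not the poster's real values).
SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 nfs/anubis.example.com@EXAMPLE.COM
   3 host/anubis.example.com@EXAMPLE.COM
"""
CLIENT_TICKETS = """\
Ticket cache: FILE:/tmp/krb5cc_10116
Default principal: eroper@EXAMPLE.COM

Valid starting     Expires            Service principal
07/23/07 12:35:15  07/23/07 22:35:15  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/24/07 12:35:15
07/23/07 12:35:34  07/23/07 22:35:15  host/anubis@EXAMPLE.COM
"""

KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "   3 host/fqdn@REALM"
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_ENTRY = re.compile(rf"^{DATE}\s+{DATE}\s+(\S+)\s*$")  # "start  expires  principal"

def parse_keytab(text):
    """Map each principal in `klist -k` output to the set of KVNOs present."""
    keys = {}
    for m in filter(None, map(KEYTAB_ENTRY.match, text.splitlines())):
        keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys

def parse_service_tickets(text):
    """Service principals the client holds tickets for, from a `klist` dump."""
    return [m.group(1) for m in map(TICKET_ENTRY.match, text.splitlines()) if m]

def split_principal(principal):
    """'host/anubis.example.com@EXAMPLE.COM' -> ('host', 'anubis.example.com', 'EXAMPLE.COM')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm

def diagnose(keytab_text, tickets_text):
    """For each host/ ticket the client holds, classify the keytab lookup sshd would do."""
    keys = parse_keytab(keytab_text)
    findings = []
    for ticket in parse_service_tickets(tickets_text):
        if not ticket.startswith("host/"):
            continue  # krbtgt and other services are not what sshd looks up
        if ticket in keys:
            findings.append(("ok", ticket))
            continue
        reason = "missing"
        _, thost, trealm = split_principal(ticket)
        for entry in keys:
            kservice, khost, krealm = split_principal(entry)
            if kservice == "host" and khost.split(".")[0].lower() == thost.split(".")[0].lower():
                reason = "realm-mismatch" if krealm != trealm else "hostname-mismatch"
                break
        findings.append((reason, ticket))
    return findings
```

Run it against the real outputs of `klist -k` on the server and `klist` on the client; a "hostname-mismatch" points at DNS or GSSAPITrustDns canonicalisation, while "missing" means the keytab never had that principal.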
