Operating Systems AIX Auth against AD (kerberos) does not work Post 302674083 by tomys on Thursday 19th of July 2012 02:27:31 AM
I have done all the steps from the thread (HowTo) "Authenticate AIX users from MS Active Directory".

And something more from other descriptions (IBM, ...).

Here is my configuration:

krb5.conf
Code:
[libdefaults]
default_realm = AD.DOMAIN.DE
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
AD.DOMAIN.DE = {
kdc = mssrv18.ad.domain.de:88
admin_server = mssrv18.ad.domain.de:749
default_domain = ad.domain.de
}

[domain_realm]
.ad.domain.de = AD.DOMAIN.DE
mssrv18.ad.domain.de = AD.DOMAIN.DE

methods.cfg
Code:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,kadmin=no

KRB5files:
options = db=BUILTIN,auth=KRB5

Code:
root@appserv5[!]/etc/krb5>>lsauthent
Kerberos 5
Standard Aix

Maybe here is a problem? Why registry=files?
Code:
root@appserv5[!]/etc/krb5>>chuser -R KRB5files SYSTEM=KRB5files registry=KRB5files kbtest
root@appserv5[!]/etc/krb5>>chuser SYSTEM=KRB5files registry=KRB5files kbtest
root@appserv5[!]/etc/krb5>>lsuser -a registry SYSTEM kbtest
kbtest registry=files SYSTEM=KRB5files

Imported the key with ktpass and ktutil:
Code:
root@appserv5[!]/etc/krb5>>klist -ke
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
3 host/appserv5.ad.domain.de@AD.DOMAIN.DE (DES cbc mode with RSA-MD5)

AUTH with kinit works:
Code:
root@appserv5[!]/etc/krb5>>kinit kbtest
Password for kbtest@AD.DOMAIN.DE:
root@appserv5[!]/etc/krb5>>

root@appserv5[!]/etc/krb5>>klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: kbtest@AD.DOMAIN.DE

Valid starting Expires Service principal
07/19/12 08:20:12 07/19/12 18:20:16 krbtgt/AD.DOMAIN.DE@AD.DOMAIN.DE
Renew until 07/20/12 08:20:12

But not with telnet (debug.log):
Code:
Jul 18 20:27:32 appserv5 daemon:notice telnetd[5701664]: telnet from dv10.ad.domain.de on /dev/pts/1
Jul 18 22:27:47 appserv5 auth|security:info syslog: pts/1: failed login attempt for UNKNOWN_USER from dv10.ad.domain.de

If I set the user kbtest back to local AUTH, then I can log in.

I have also done a trace with tcpdump on port 88, and I see the communication with the DC during the login with Kerberos AUTH.

I hope somebody can help me.

Regards,
Thomas

Last edited by Scott; 07-27-2012 at 04:54 AM.. Reason: Code tags
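An added example (not from the thread, and not IBM's tooling) that parses the posted krb5.conf and lsuser output and flags what a reviewer would check first: the single-DES enctypes, which RFC 6649 retired and which MIT Kerberos and Active Directory both refuse by default unless DES is explicitly enabled, and a user whose registry and SYSTEM attributes disagree. The sample inputs are the post's own config and command output, embedded as constructed strings so it runs offline; the lint rules and their wording are my assumptions, not a diagnosis of this thread's failure.

```python
"""Lint a krb5.conf and an AIX 'lsuser -a registry SYSTEM' line for common
Kerberos-on-AIX pitfalls.  Added example; not code from the thread."""
import re

# Single-DES enctypes: 56-bit keys, retired by RFC 6649 and disabled by
# default in current MIT Kerberos and Active Directory.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_OPTIONS = ("default_tkt_enctypes", "default_tgs_enctypes",
                   "permitted_enctypes")

# Constructed sample input: the krb5.conf from the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = AD.DOMAIN.DE
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
AD.DOMAIN.DE = {
kdc = mssrv18.ad.domain.de:88
admin_server = mssrv18.ad.domain.de:749
default_domain = ad.domain.de
}

[domain_realm]
.ad.domain.de = AD.DOMAIN.DE
mssrv18.ad.domain.de = AD.DOMAIN.DE
"""
# Constructed sample input: the lsuser output line from the post.
SAMPLE_LSUSER = "kbtest registry=files SYSTEM=KRB5files"


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [section] headers, key = value
    lines and nested 'NAME = { ... }' blocks.  Repeated keys (e.g. several
    kdc lines) are collected into a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = re.match(r"^\[([\w.]+)\]$", line)
        if m:                                    # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % line)
        if line == "}":                          # close a nested block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value, cur = key.strip(), value.strip(), stack[-1]
        if value == "{":                         # open a nested block
            stack.append(cur.setdefault(key, {}))
        elif key in cur:                         # repeated key -> list
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cur[key] = value
    return conf


def _values(d, key):
    v = d.get(key, [])
    return v if isinstance(v, list) else [v]


def lint_krb5_conf(conf):
    """Findings: weak enctypes, and a default_realm with no KDC or no
    domain_realm mapping pointing at it."""
    findings = []
    lib = conf.get("libdefaults", {})
    for opt in ENCTYPE_OPTIONS:
        for etype in " ".join(_values(lib, opt)).split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("%s: %s is single DES (RFC 6649); the KDC "
                                "refuses it unless DES is enabled" % (opt, etype))
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
        return findings
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict) or not _values(block, "kdc"):
        findings.append("realms: no kdc entry for %s" % realm)
    dr = conf.get("domain_realm", {})
    if not any(realm in _values(dr, k) for k in dr):
        findings.append("domain_realm: nothing maps to %s" % realm)
    return findings


def parse_lsuser(line):
    """'user attr=value attr=value ...' -> (user, {attr: value})."""
    name, *attrs = line.split()
    return name, dict(a.split("=", 1) for a in attrs)


def lint_user(line):
    """Flag a user whose SYSTEM and registry attributes disagree (the post
    sets both with chuser, so a lingering registry=files stands out)."""
    name, attrs = parse_lsuser(line)
    system, registry = attrs.get("SYSTEM"), attrs.get("registry")
    if system != registry:
        return ["%s: SYSTEM=%s but registry=%s" % (name, system, registry)]
    return []


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in lint_krb5_conf(conf) + lint_user(SAMPLE_LSUSER):
        print("WARN", finding)
```

Run against the posted input it reports four DES enctype findings and the registry/SYSTEM mismatch; replace the two SAMPLE_* constants with the real file and the real `lsuser -a registry SYSTEM <user>` line to use it on a box.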