Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Problems with Kerberos and realms
Operating Systems AIX Problems with Kerberos and realms Post 302866169 by PassLine on Monday 21st of October 2013 11:46:05 AM
Old 10-21-2013
Problems with Kerberos and realms
I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it.

AIX 7.1, and while I found various docs on the subject, a lot of them are different. That said, I've tried various methods without success. As it sits, the packages are installed, the krb5.conf file is populated with the usual info, the new keytab is merged with krb5.keytab, I've tried various enctypes (based on different docs) etc. When I do anything at all, the logs remain empty, although they exist.

When I try to generate a ticket, below is the result.

Code:
#/usr/krb5/bin/kinit PassLine@HDQ.123.COM
Password for PassLine@HDQ.123.COM:
root@ unused01 /etc
#/usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  PassLine@HDQ.123.COM

Valid starting     Expires            Service principal
10/21/13 11:21:52  10/21/13 21:22:10  krbtgt/HDQ.123.COM@HDQ.123.COM
        Renew until 10/21/13 21:21:52
root@ unused01 /etc
#/usr/krb5/bin/kinit PassLine@LDAP.123.COM
Unable to obtain initial credentials.
        Status 0x96c73adc - Cannot resolve network address for KDC in requested realm.

When I created a user and set authentication methods to KRB5files, I wasn't able to log in. The server is on ABC.123.com and it only seems to be able to hit HDQ.123.com (kinit fails against all domains except HDQ.) The AD admins asked me to use the LDAP.123.com alias.

I don't know if perhaps this is an issue with /etc/resolv.conf or if I have something outright wrong elsewhere.

Let me know what information is needed, and I'll provide it. I suppose I didn't want to clutter the OP with "unnecessary" config files and such, but will certainly post anything needed.

Thanks!
 

9 More Discussions You Might Find Interesting

1. Cybersecurity

Kerberos security

I have installed Kerberos security in my UNIX system but I need to disable because of an application conflict with Kerberos. So Anybody ca tell me how can I disable it? Thank you (1 Reply)
Discussion started by: dansanmex
1 Replies

2. Solaris

kerberos security

i m new 2 unix world can some body explain me abt kerberos pls explain in detail..! (2 Replies)
Discussion started by: sriram.s
2 Replies

3. AIX

SSH and Kerberos

I have 2 servers (lft1 and lft3) running AIX 5.3 ML 5. Both are installed with krb5.client.rte 1.4.0.4 and openssh.base.server 4.3.0.5300. I have configured some of the users on both servers to authenticate against our Windows 2003 Active Directory. From my PC, I can use telnet to login... (1 Reply)
Discussion started by: asch337
1 Replies

4. AIX

NFS4 with KERBEROS

I was wondering if any of you have used NFS4 with KERBEROS in a HACMP setup and environment with more than 1 resourcegroup that has NFS mount in them. I Configures the host keys for an Network File System (NFS) server I get stuck with the nfshostkey I can only add one at a time per system so... (0 Replies)
Discussion started by: ravager
0 Replies

5. Programming

Kerberos Authentication c/c++

I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api. Can anyone point me in the right... (0 Replies)
Discussion started by: mshindo
0 Replies

6. AIX

Auth against AD (kerberos) does not work

@kah00na and all others, i have done al steps of the HowTo "Authenticate AIX users from MSActive Directory", found in this forum, but it still does not work. The test with kinit USERNAME works fine. But if i try to login i get the "UNKNOWN_USER" error in the debug.log.All steps to change... (11 Replies)
Discussion started by: tomys
11 Replies

7. AIX

Problems with kerberos and forest domain

Hi, I have a simple Apache setup that works fine when I create a keytab on a domain level authentication works fine. When I create a keytab at the forest level authentication does not work. I get the following error message. Does anyone know what I am doing wrong here? I validated there is the... (0 Replies)
Discussion started by: 3junior
0 Replies

8. OS X (Apple)

OSX and Kerberos

Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from: # sshd: auth account password session auth optional pam_krb5.so use_kcminit auth optional ... (0 Replies)
Discussion started by: jnojr
0 Replies

9. Shell Programming and Scripting

PERL and Kerberos authentication

I am installing Authen::Krb5::Easy and during make test I am getting the follwing error : kinit not ok 2 error was: could not get initial credentials: Cannot contact any KDC for requested realm we are stroring krb5.conf in diff location ( not in /etc/krb5.conf) , but, PERL is... (1 Reply)
Discussion started by: talashil
1 Replies

LEARN ABOUT FREEBSD

kinit

KINIT(1)						    BSD General Commands Manual 						  KINIT(1)

NAME

     kinit -- acquire initial tickets

SYNOPSIS

     kinit [--afslog] [-c cachename | --cache=cachename] [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time]
	   [-p | --proxiable] [-R | --renew] [--renewable] [-r time | --renewable-life=time] [-S principal | --server=principal] [-s time |
	   --start-time=time] [-k | --use-keytab] [-v | --validate] [-e enctypes | --enctypes=enctypes] [-a addresses |
	   --extra-addresses=addresses] [--password-file=filename] [--fcache-version=version-number] [-A | --no-addresses] [--anonymous]
	   [--enterprise] [--version] [--help] [principal [command]]

DESCRIPTION

     kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name
     at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.

     Supported options:

     -c cachename --cache=cachename
	     The credentials cache to put the acquired ticket in, if other than default.

     -f --no-forwardable
	     Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag.

     -t keytabname, --keytab=keytabname
	     Don't ask for a password, but instead get the key from the specified keytab.

     -l time, --lifetime=time
	     Specifies the lifetime of the ticket.  The argument can either be in seconds, or a more human readable string like '1h'.

     -p, --proxiable
	     Request tickets with the proxiable flag set.

     -R, --renew
	     Try to renew ticket.  The ticket must have the 'renewable' flag set, and must not be expired.

     --renewable
	     The same as --renewable-life, with an infinite time.

     -r time, --renewable-life=time
	     The max renewable ticket life.

     -S principal, --server=principal
	     Get a ticket for a service other than krbtgt/LOCAL.REALM.

     -s time, --start-time=time
	     Obtain a ticket that starts to be valid time (which can really be a generic time specification, like '1h') seconds into the future.

     -k, --use-keytab
	     The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).

     -v, --validate
	     Try to validate an invalid ticket.

     -e, --enctypes=enctypes
	     Request tickets with this particular enctype.

     --password-file=filename
	     read the password from the first line of filename.  If the filename is STDIN, the password will be read from the standard input.

     --fcache-version=version-number
	     Create a credentials cache of version version-number.

     -a, --extra-addresses=enctypes
	     Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket.  This can be useful if all
	     addresses a client can use can't be automatically figured out.  One such example is if the client is behind a firewall.  Also set-
	     table via libdefaults/extra_addresses in krb5.conf(5).

     -A, --no-addresses
	     Request a ticket with no addresses.

     --anonymous
	     Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically ``anonymous@REALM'').

     --enterprise
	     Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name
	     part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm.  An example of an
	     enterprise name is ``lha@e.kth.se@KTH.SE'', and this option is usually used with canonicalize so that the principal returned from the
	     KDC will typically be the real principal name.

     --afslog
	     Gets AFS tickets, converts them to version 4 format, and stores them in the kernel.  Only useful if you have AFS.

     The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf,
     see krb5_appdefault(3).

     If  a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command.  When it finishes the creden-
     tials will be removed.

ENVIRONMENT

     KRB5CCNAME
	     Specifies the default credentials cache.

     KRB5_CONFIG
	     The file name of krb5.conf, the default being /etc/krb5.conf.

     KRBTKFILE
	     Specifies the Kerberos 4 ticket file to store version 4 tickets in.

SEE ALSO

     kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)

HEIMDAL 
							  April 25, 2006							   HEIMDAL
All times are GMT -4. The time now is 01:04 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy