[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Solaris 9 + Heimdal KDC?

[snip]
> >On Thu, Feb 17, 2005 at 09:32:47AM +0100, Joakim Fallsjo wrote:
> >>
> >[snip]
> >>What's in /etc/nodename?
> >
> ># cat /etc/nodename
> >win2k0
> >
> >I'm thinking that's supposed to hold the fqdn, yes?  Either way, I set
> >it to the FQDN instead of simply the host name, and I still have the
> >same problem:
> >
> ># cat /etc/nodename
> >win2k0.prod.gmi.com
> ># Feb 17 10:06:48 win2k0 sshd[18974]: PAM-KRB5 (auth):  
> >krb5_verify_init_creds failed: Key table entry not found
> >
> >(I did restart sshd inbetween)
> 
> Need to restart more than just sshd.  That's read somewhere in an rc  
> script and I think fed to hostname.

Oh duh.  Okay, thanks for reminding me of what I should've remembered.

So I can log in now (quite neat!), and I see a request for krbtgt in the
kdc's logs, but no ticket in the cache:

<...ssh password prompt entry...>
bash-2.05$ klist
klist: No credentials cache file found while setting cache flags(ticket
cache /tmp/krb5cc_1001)

<kdc log>
2005-02-17 13:12:04.524925500 2005-02-17T13:12:04 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-17 13:12:04.525678500 2005-02-17T13:12:04 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-17 13:12:04.525681500 2005-02-17T13:12:04 Using des-cbc-md5/des-cbc-md5
2005-02-17 13:12:04.525682500 2005-02-17T13:12:04 Using des-cbc-md5/des-cbc-md5
2005-02-17 13:12:04.525684500 2005-02-17T13:12:04 Requested flags: renewable, forwardable
2005-02-17 13:12:04.525685500 2005-02-17T13:12:04 Requested flags: renewable, forwardable
2005-02-17 13:12:04.525687500 2005-02-17T13:12:04 sending 548 bytes to IPv4:10.1.1.125
2005-02-17 13:12:04.525696500 2005-02-17T13:12:04 sending 548 bytes to IPv4:10.1.1.125
2005-02-17 13:12:04.535361500 2005-02-17T13:12:04 TGS-REQ adam@GMI.COM from IPv4:10.1.1.125 for host/win2k0.prod.gmi.com@GMI.COM [renewable, forwardable]
2005-02-17 13:12:04.535931500 2005-02-17T13:12:04 TGS-REQ adam@GMI.COM from IPv4:10.1.1.125 for host/win2k0.prod.gmi.com@GMI.COM [renewable, forwardable]
2005-02-17 13:12:04.535934500 2005-02-17T13:12:04 sending 579 bytes to IPv4:10.1.1.125
2005-02-17 13:12:04.535936500 2005-02-17T13:12:04 sending 579 bytes to IPv4:10.1.1.125
2005-02-17 13:12:04.559211500 2005-02-17T13:12:04 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for changepw/krb0.prod.gmi.com@GMI.COM
2005-02-17 13:12:04.559625500 2005-02-17T13:12:04 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for changepw/krb0.prod.gmi.com@GMI.COM
2005-02-17 13:12:04.559627500 2005-02-17T13:12:04 UNKNOWN -- changepw/krb0.prod.gmi.com@GMI.COM: No such entry in the database
2005-02-17 13:12:04.559629500 2005-02-17T13:12:04 UNKNOWN -- changepw/krb0.prod.gmi.com@GMI.COM: No such entry in the database
2005-02-17 13:12:04.559631500 2005-02-17T13:12:04 sending 128 bytes to IPv4:10.1.1.125
2005-02-17 13:12:04.559632500 2005-02-17T13:12:04 sending 128 bytes to IPv4:10.1.1.125

I'm guessing changepw is for Solaris's account management/password
change policy stuff, as I have changed passwords in Linux and OpenBSD
fine, and I see:

kadmin> list *changepw*
  kadmin/changepw@GMI.COM
  changepw/kerberos@GMI.COM

in the kerberos database on the Master KDC.

But once logged in, I can kinit and get a ticket in my cache:

bash-2.05$ kinit
Password for adam@GMI.COM: 
bash-2.05$ klist
Ticket cache: /tmp/krb5cc_1001
Default principal: adam@GMI.COM

Valid starting                       Expires
Service principal
Thu Feb 17 13:12:27 2005  Fri Feb 18 13:12:27 2005
krbtgt/GMI.COM@GMI.COM
        renew until Thu Feb 24 13:12:27 2005

Which yields the identical entry in the logs on the KDC:

2005-02-17 13:12:27.926437500 2005-02-17T13:12:27 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-17 13:12:27.927172500 2005-02-17T13:12:27 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-17 13:12:27.927175500 2005-02-17T13:12:27 Using des-cbc-md5/des-cbc-md5
2005-02-17 13:12:27.927177500 2005-02-17T13:12:27 Using des-cbc-md5/des-cbc-md5
2005-02-17 13:12:27.927178500 2005-02-17T13:12:27 Requested flags: renewable, forwardable
2005-02-17 13:12:27.927179500 2005-02-17T13:12:27 Requested flags: renewable, forwardable
2005-02-17 13:12:27.927181500 2005-02-17T13:12:27 sending 548 bytes to IPv4:10.1.1.125
2005-02-17 13:12:27.927191500 2005-02-17T13:12:27 sending 548 bytes to IPv4:10.1.1.125

Here is the PAM debug log for the PAM session that begins once I see the
ssh password prompt.  I can understand if you folks say, "Go away,
Solaris PAM is offtopic for this list," but I thought I'd ask anyways.
I do see that the ticket cache file is correct (/tmp/krb5cc_1001), so I
am kind of at a loss, unless it has something to do with the changepw
error in the KDC log above:

Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 785955 auth.debug] PAM[959]: pam_set_item(cf990:conv)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 774328 auth.debug] PAM[959]: pam_authenticate(cf990, 1)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 425060 auth.debug] PAM[959]: pam_get_user(cf990, ff0000, NULL)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 785955 auth.debug] PAM[959]: pam_set_item(cf990:authtok)
Feb 17 13:12:28 win2k0.prod.gmi.com last message repeated 1 time
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 581131 auth.debug] PAM[959]: pam_authenticate(cf990, 1): error Authentication failed
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 198417 auth.debug] PAM[959]: pam_putenv(cf990, KRB5CCNAME=FILE:/tmp/krb5cc_1001)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 785955 auth.debug] PAM[959]: pam_set_item(cf990:user)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 774328 auth.debug] PAM[959]: pam_acct_mgmt(cf990, 0)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_acct_mgmt
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_acct_mgmt)=/usr/lib/security/pam_projects.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_acct_mgmt
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_acct_mgmt
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_acct_mgmt)=/usr/lib/security/pam_krb5.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_acct_mgmt
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 800047 auth.info] Accepted password for adam from 10.1.1.110 port 60123 ssh2
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 774328 auth.debug] PAM[959]: pam_setcred(cf990, 1)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_setcred)=/usr/lib/security/pam_authtok_get.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_setcred
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_setcred)=/usr/lib/security/pam_dhkeys.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_setcred
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_setcred)=/usr/lib/security/pam_unix_auth.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_setcred
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_setcred)=/usr/lib/security/pam_krb5.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_setcred
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 785955 auth.debug] PAM[959]: pam_set_item(cf990:tty)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 774328 auth.debug] PAM[959]: pam_open_session(cf990, 0)
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_open_session)=/usr/lib/security/pam_krb5.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_open_session
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 943611 auth.debug] PAM[959]: load_modules(cf990, pam_sm_open_session)=/usr/lib/security/pam_unix_session.so.1
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[959]: [ID 556122 auth.debug] PAM[959]: load_function: successful load of pam_sm_open_session
Feb 17 13:12:28 win2k0.prod.gmi.com sshd[961]: [ID 932506 auth.debug] PAM[961]: pam_getenvlist(cf990)


Thanks a bunch!  It's clear I should add this to my write-up on Kerberos
when I finally get it all working. . .


--
adam