
Re: Solaris 9 + Heimdal KDC?



On Wed, Feb 23, 2005 at 03:34:30PM -0800, Henry B. Hotz wrote:
> 
> On Feb 17, 2005, at 1:28 PM, Adam Morley wrote:
> 
> >So I can log in now (quite neat!), and I see a request for krbtgt in the
> >kdc's logs, but no ticket in the cache:
> >
> ><...ssh password prompt entry...>
> >bash-2.05$ klist
> >klist: No credentials cache file found while setting cache flags(ticket
> >cache /tmp/krb5cc_1001)
> 
> Memory is fuzzy, but I think the Solaris pam_krb5 may not keep the tgt  
> unless it can verify it against a host/FQDN@REALM principal in  
> /etc/krb5/krb5.keytab.  Also applies to the screen lock, which will  
> renew the tgt on unlock if it can verify the kdc.
> 
> There's a verify-mumble-nofail option that may affect this behavior.   
> It's claimed to affect it on Solaris 10 anyway.
> 
> man pam_krb5 may tell you something.  It's very informative on Solaris 10.

(Sorry about the length of time I've taken to reply, I was out of town)

It is indeed.  The option (verify_ap_req_nofail = false) is actually
listed in Solaris 10's manpages, whereas in Solaris 9 it is not.  I've
tried it in both the specific realm section ([realms] GMI.COM) and in
[libdefaults] on Solaris 9, but it doesn't seem to work.

So here's what's happening:

ssh to host
log in as user
successful login, no tgt:

bash-2.05$ klist
klist: No credentials cache file found while setting cache flags(ticket
cache /tmp/krb5cc_1001)

On the console, the following message appears:

Feb 28 10:37:50 win2k0.prod.gmi.com sshd[944]: PAM-KRB5 (acct):  unable to get host based service name for realm 'GMI.COM'

Which leads me to believe there is something wrong with the host
principal in /etc/krb5/krb5.keytab.  But the kdc shows this in the logs:

2005-02-28 10:36:36.059186500 2005-02-28T10:36:36 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-28 10:36:36.059384500 2005-02-28T10:36:36 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-28 10:36:36.077325500 2005-02-28T10:36:36 Using des-cbc-md5/des-cbc-md5
2005-02-28 10:36:36.077647500 2005-02-28T10:36:36 Using des-cbc-md5/des-cbc-md5
2005-02-28 10:36:36.077649500 2005-02-28T10:36:36 Requested flags: renewable, forwardable
2005-02-28 10:36:36.077650500 2005-02-28T10:36:36 Requested flags: renewable, forwardable
2005-02-28 10:36:36.077651500 2005-02-28T10:36:36 sending 548 bytes to IPv4:10.1.1.125
2005-02-28 10:36:36.077653500 2005-02-28T10:36:36 sending 548 bytes to IPv4:10.1.1.125
2005-02-28 10:36:36.146579500 2005-02-28T10:36:36 TGS-REQ adam@GMI.COM from IPv4:10.1.1.125 for host/win2k0.prod.gmi.com@GMI.COM [renewable, forwardable]
2005-02-28 10:36:36.147166500 2005-02-28T10:36:36 TGS-REQ adam@GMI.COM from IPv4:10.1.1.125 for host/win2k0.prod.gmi.com@GMI.COM [renewable, forwardable]
2005-02-28 10:36:36.147169500 2005-02-28T10:36:36 sending 579 bytes to IPv4:10.1.1.125
2005-02-28 10:36:36.147170500 2005-02-28T10:36:36 sending 579 bytes to IPv4:10.1.1.125

So I see the tgt and the ticket for the host principal on the KDC, but
the host itself doesn't seem to believe things.

And on the host itself, I can kinit with the keytab (as root):

bash-2.05# id
uid=0(root) gid=0(root)
bash-2.05# kinit -k -t /etc/krb5/krb5.keytab   
bash-2.05# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/win2k0.prod.gmi.com@GMI.COM

Valid starting                       Expires       Service principal
Mon Feb 28 10:51:53 2005  Tue Mar 01 10:51:53 2005 krbtgt/GMI.COM@GMI.COM
        renew until Mon Mar 07 10:51:53 2005
bash-2.05# ktutil 
ktutil:  read_kt /etc/krb5/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ----
--------------------------------------------------------------------------
   1    2         host/win2k0.prod.gmi.com@GMI.COM
ktutil:  
bash-2.05# ls -la /etc/krb5/
total 18
drwxr-xr-x   2 root     sys          512 Feb 11 13:32 .
drwxr-xr-x  58 root     sys         5120 Feb 28 10:30 ..
-rw-r--r--   1 root     sys         1007 Feb 28 10:43 krb5.conf
-rw-------   1 root     root          69 Feb 11 13:31 krb5.keytab
-rw-r--r--   1 root     sys          230 Feb 10 15:53 warn.conf

And since I'm using SunSSH, it's not privseping.  I re-ran using ssh's
debug mode; you can see the output here:

http://adam.gmi.com/tmp/sshd.txt
http://adam.gmi.com/tmp/ssh.txt
http://adam.gmi.com/tmp/truss.txt (of sshd)

I thought maybe that error had something to do with needing a service
principal for ssh, so I made ssh/win2k0.prod.gmi.com@GMI.COM, stripped
the enc_types and stuck it in the host keytab.  Same error.  So I tried
sshd, in case it was inconsistent.  I also tried swapping the order of
the hosts entry in /etc/nsswitch.conf from "files dns" to "dns
[NOTFOUND=continue] files" with no luck.  I also played around with
domain and search settings in /etc/resolv.conf with no luck.

Any other ideas?  Thanks in advance.

-- 
adam
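As an added example (not code from this thread or from Heimdal), a small Python checker for the KDC log format quoted in the message above: it pairs each AS-REQ for krbtgt with a later TGS-REQ for a host/ principal from the same client and address, which is the KDC-side trace of a login host fetching the ticket it needs to verify the TGT against its keytab. The sample lines are constructed from the adam@GMI.COM login in the message plus one constructed login (bob@GMI.COM from 10.1.1.200) that never asks for a host ticket; the 30-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Heimdal KDC log format quoted in the thread: the
# adam@GMI.COM login from the message (de-duplicated), plus a constructed login
# by bob@GMI.COM from 10.1.1.200 that never requests a host/ ticket.
KDC_LOG = """\
2005-02-28 10:36:36.059186500 2005-02-28T10:36:36 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-28 10:36:36.077649500 2005-02-28T10:36:36 Requested flags: renewable, forwardable
2005-02-28 10:36:36.077651500 2005-02-28T10:36:36 sending 548 bytes to IPv4:10.1.1.125
2005-02-28 10:36:36.146579500 2005-02-28T10:36:36 TGS-REQ adam@GMI.COM from IPv4:10.1.1.125 for host/win2k0.prod.gmi.com@GMI.COM [renewable, forwardable]
2005-02-28 10:36:36.147169500 2005-02-28T10:36:36 sending 579 bytes to IPv4:10.1.1.125
2005-02-28 10:40:02.000000000 2005-02-28T10:40:02 AS-REQ bob@GMI.COM from IPv4:10.1.1.200 for krbtgt/GMI.COM@GMI.COM
2005-02-28 10:40:02.010000000 2005-02-28T10:40:02 sending 548 bytes to IPv4:10.1.1.200
"""

# ISO timestamp, request type, client, address and service; re.search skips
# the multilog-style timestamp that precedes them on each line.
REQ = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (AS-REQ|TGS-REQ) (\S+) from IPv4:(\S+) for (\S+)")

def parse_requests(text):
    """Return (timestamp, kind, client, ip, service) tuples, one per request line."""
    out = []
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            out.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return out

def unverified_logins(text, window=timedelta(seconds=30)):
    """Return (client, ip, ts) for each krbtgt AS-REQ with no TGS-REQ for a host/
    principal from the same client and address within `window` (an assumed bound):
    the login host never fetched the ticket it needs to verify the TGT."""
    reqs = parse_requests(text)
    missing = []
    for ts, kind, client, ip, svc in reqs:
        if kind != "AS-REQ" or not svc.startswith("krbtgt/"):
            continue
        verified = any(
            k == "TGS-REQ" and c == client and i == ip and s.startswith("host/")
            and ts <= t <= ts + window
            for t, k, c, i, s in reqs)
        if not verified:
            missing.append((client, ip, ts))
    return missing

if __name__ == "__main__":
    print(unverified_logins(KDC_LOG))
```

In the thread's own log both requests are present for adam@GMI.COM, so the checker reports nothing for that login; the missing TGT on the client is then a local keytab or hostname lookup problem rather than something the KDC refused.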