Kerberos on SuSE 8.2
Hi,
I've tried posting this to the SuSE Security mailing list (which seems like a
good place to ask this question) but got no response at all. Can anyone here
shed some light?
I'm in the process of setting up a small network using SuSE 8.2 pro - as this
network needs the ability to scale rapidly in the future, and to be as
unobstructive as possible to end users, I decided to build it round a
Kerberos/LDAP authentication system.
Following the instructions in the SuSE 8.2 Admin Guide, I've created a
Kerberos realm named the same as my internal DNS domain, but upper case, and
can obtain tickets from this using kinit on the local machine. However, I
can't obtain a ticket from a remote machine, instead getting the following
error:
Exception: krb_error 38 Incorrect net address (38) Incorrect net address
KrbException: Incorrect net address (38)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA6275:129)
at sun.security.krb5.internal.au.a(DashoA6275:58)
at sun.security.krb5.internal.au.<init>(DashoA6275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
... 4 more
As far as I can see, everything is set up correctly in /etc/krb.conf both on
the local and KDM machines. The default_realm is correct, there is a realms
entry for it giving the FQDN of the Kerberos server for kdc, kpasswd_server
and admin_server. The domain_realm section has an entry setting all machines
in the local domain as part of the Kerberos realm.
After some digging I've found that the above error results from a Kerberos
ticket which is not allowed to be used on the machine on which it was
obtained:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badaddr
The above link suggests that this problem is normally seen with multihomed
machines, however neither client nor server is multihomed - both have a
single IP address and domain name. The only possible issue I can see
(scraping the barrel a bit here) is that the client obtains its IP address
via DHCP. It does, however, have automatically updated forward and reverse
DNS entries, and throughout my work on this has consistently obtained the
same IP address.
What other possible causes are there of the above error? Is there any way I
can determine what IP addresses the ticket may be used from?
If it's any help I can post details from the actual configuration files - this
is tucked away on a private network, so there's no real risk, and I can
change everything afterwards once I know how to get it working.
Any help with this will be very much appreciated - at the moment, it's got me
completely stumped.
TIA,
--
Geoff Beaumont
Geoff@stormhammer.com
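As an added example (not part of the original post, nor SuSE or Kerberos project code), the check the question asks for: read an MIT Kerberos FILE credential cache and list the addresses each ticket is bound to. The cache bytes, the principal names and the realm EXAMPLE.TEST are constructed placeholders.

```python
import socket
import struct

def _s(b):                               # "data" field: uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b
def _princ(realm, *comps):               # principal: name_type=1, count, realm, components
    return struct.pack(">II", 1, len(comps)) + _s(realm) + b"".join(map(_s, comps))

# Constructed sample input: a version-4 FILE ccache holding one TGT bound to 192.168.1.50.
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">H", 0)              # version, empty header
    + _princ(b"EXAMPLE.TEST", b"geoff")                          # default principal
    + _princ(b"EXAMPLE.TEST", b"geoff")                          # credential: client
    + _princ(b"EXAMPLE.TEST", b"krbtgt", b"EXAMPLE.TEST")        # credential: server
    + struct.pack(">H", 23) + _s(b"\x00" * 16)                   # session key (dummy)
    + b"\x00" * 17 + struct.pack(">I", 0x40E00000)               # 4 times, is_skey, flags
    + struct.pack(">IH", 1, 2) + _s(bytes([192, 168, 1, 50]))    # 1 address of type 2 (IPv4)
    + struct.pack(">I", 0) + _s(b"") + _s(b""))                  # no authdata, ticket, 2nd ticket

class _Reader:                            # big-endian cursor over the cache bytes
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())
    def princ(self):
        self.u32(); n = self.u32(); realm = self.blob().decode()
        return "/".join(self.blob().decode() for _ in range(n)) + "@" + realm

def ticket_addresses(ccache):
    # Returns {server principal: [addresses the ticket is bound to]} for each credential.
    r = _Reader(ccache)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE ccache format version 4 is handled here")
    r.take(r.u16())                       # header fields (e.g. KDC time offset), skipped
    r.princ()                             # default client principal
    out = {}
    while r.pos < len(ccache):
        r.princ(); server = r.princ()     # client, server
        r.u16(); r.blob()                 # session key: enctype, key bytes
        r.take(17); r.u32()               # authtime..renew_till, is_skey, ticket flags
        addrs = []
        for _ in range(r.u32()):          # empty list = ticket usable from any address
            atype, raw = r.u16(), r.blob()
            fam = {2: socket.AF_INET, 24: socket.AF_INET6}.get(atype)
            addrs.append(socket.inet_ntop(fam, raw) if fam else "type%d:%s" % (atype, raw.hex()))
        for _ in range(r.u32()): r.u16(); r.blob()   # authorization data, skipped
        r.blob(); r.blob()                # ticket, second ticket
        out[server] = addrs
    return out
```

MIT krb5's `klist -a` prints the same address list for the live cache. A ticket with an empty list is accepted from any client address, whereas one bound to an address the client no longer holds (a changed DHCP lease, NAT, or a second interface) is the condition behind KRB_AP_ERR_BADADDR, error 38.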