[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kerberos on SuSE 8.2



Hi,

I've tried posting this to the SuSE Security mailing list (which seems like a 
good place to ask this question) but got no response at all. Can anyone here 
shed some light?

I'm in the process of setting up a small network using SuSE 8.2 pro - as this 
network needs the ability to scale rapidly in the future, and to be as 
unobstructive as possible to end users, I decided to build it round a 
Kerberos/LDAP authentication system.

Following the instructions in the SuSE 8.2 Admin Guide, I've created a 
Kerberos realm named the same as my internal DNS domain, but upper case, and 
can obtain tickets from this using kinit on the local machine. However, I 
can't obtain a ticket from a remote machine, instead getting the following 
error:

Exception: krb_error 38 Incorrect net address (38) Incorrect net address
KrbException: Incorrect net address (38)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:129)
        at sun.security.krb5.internal.au.a(DashoA6275:58)
        at sun.security.krb5.internal.au.<init>(DashoA6275:53)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
        ... 4 more

As far as I can see, everything is set up correctly in /etc/krb.conf both on 
the local and KDM machines. The default_realm is correct, there is a realms 
entry for it giving the FQDN of the Kerberos server for kdc, kpasswd_server 
and admin_server. The domain_realm section has an entry setting all machines 
in the local domain as part of the Kerberos realm.

After some digging I've found that the above error results from a Kerberos 
ticket which is not allowed to be used on the machine on which is was 
obtained:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badaddr
The above link suggests that this problem is normally seen with multihomed 
machines, however neither client nor server is multihomed - both have a 
single IP address and domain name. The only possible issue I can see 
(scraping the barrel a bit here) is that the client optains its IP address 
via DHCP. It does, however, have automatically updated forward and reverse 
DNS entries, and throughout my work on this has consistently obtained the 
same IP address.

What other possible causes are there of the above error? Is there any way I 
can determine what IP addresses the ticket may_ be used from?

If it's any help I can post details from the actual configuration files - this 
is tucked away on a private network, so there's no real risk, and I can 
change everything afterwards once I know how to get it working.

Any help with this will be very much appreciated - at the moment, it's got me 
completely stumped.

TIA,
-- 
Geoff Beaumont
Geoff@stormhammer.com