
kerberised ssh (Server not found in Kerberos database)
Hi!

On and off for the last few weeks, and all of today, I've been playing with
kerberos.
But, I'm stuck, completely.

Kerberos works, I know that. I can quite happily get tickets from the server.
First thing I want to kerberise is ssh, as it's a fundamental, and easily
testable tool.

I've been working in two different ways, but am getting the same outcome.
1) host service principal in systemwide /etc/krb5.keytab
2) host service principal in ssh specific /etc/ssh/sshd.keytab, and an 'export
KRB5_KTNAME=/etc/ssh/sshd.keytab' right before the call to start-stop-daemon
in /etc/init.d/sshd

My kerberos realm is HOME.GAIMA.CO.UK, but it *looks* like ssh is truncating
that to CO.UK, and GAIMA.CO.UK.

mike@sauron mike $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kerb@HOME.GAIMA.CO.UK

Valid starting Expires Service principal
10/16/04 18:54:58 10/17/04 04:54:58 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
renew until 10/17/04 18:54:57

I've attached a log of DNS activity (dnscache), a section of krb5kdc.log from
the server, the output & strace of ssh (strace ssh -l kerb
gandalf.home.gaima.co.uk -v 2>ssh-strace.log), and my krb5.conf.

Both boxes are stable x86, with all kerberos USE'd packages compiled with it
enabled, and mit-krb5 installed.

The following 2 options are set in ~/.ssh/config on the client:
GSSAPIDelegateCredentials yes
GssapiAuthentication yes

And these in /etc/ssh/sshd_config on the server:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Are there any kerberos gurus on list that can put me out of my misery?
Google hasn't helped :(

Cheers

--
Mike Williams
Re: kerberised ssh (Server not found in Kerberos database)
Mike,

I have written a HOWTO regarding these issues. You may find it at
http://www.openinput.com/auth-howto/. Feel free to take a look at it and
then ask anything you want if that doesn't solve your problems. Comments
are welcome also.

A question... what does hostname -f return?

HTH, best regards
Jose

Mike Williams wrote:

>Hi!
>
>On and off for the last few weeks, and all of today, I've been playing with
>kerberos.
>But, I'm stuck, completely.
>
>Kerberos works, I know that. I can quite happily get tickets from the server.
>First thing I want to kerberise is ssh, as it's a fundamental, and easily
>testable tool.
>
>I've been working in two different ways, but am getting the same outcome.
>1) host service principal in systemwide /etc/krb5.keytab
>2) host service principal in ssh specific /etc/ssh/sshd.keytab, and an 'export
>KRB5_KTNAME=/etc/ssh/sshd.keytab' right before the call to start-stop-daemon
>in /etc/init.d/sshd
>
>My kerberos realm is HOME.GAIMA.CO.UK, but it *looks* like ssh is truncating
>that to CO.UK, and GAIMA.CO.UK.
>
>mike@sauron mike $ klist
>Ticket cache: FILE:/tmp/krb5cc_1000
>Default principal: kerb@HOME.GAIMA.CO.UK
>
>Valid starting Expires Service principal
>10/16/04 18:54:58 10/17/04 04:54:58 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
> renew until 10/17/04 18:54:57
>
>I've attached a log of DNS activity (dnscache), a section of krb5kdc.log from
>the server, the output & strace of ssh (strace ssh -l kerb
>gandalf.home.gaima.co.uk -v 2>ssh-strace.log), and my krb5.conf.
>
>Both boxes are stable x86, with all kerberos USE'd packages compiled with it
>enabled, and mit-krb5 installed.
>
>The following 2 options are set in ~/.ssh/config on the client:
>GSSAPIDelegateCredentials yes
>GssapiAuthentication yes
>
>And these in /etc/ssh/sshd_config on the server:
>KerberosAuthentication yes
>KerberosOrLocalPasswd yes
>KerberosTicketCleanup yes
>GSSAPIAuthentication yes
>GSSAPICleanupCredentials yes
>
>Are there any kerberos gurus on list that can put me out of my misery?
>Google hasn't helped :(
>
>Cheers
>
>
>
>------------------------------------------------------------------------
>
>@400000004171747f02fbf05c query 4590 00000000000000000000ffffc0a816f6:8fad:7318 16 _kerberos.gaima.co.uk.
>@400000004171747f02fc0f9c tx 0 16 _kerberos.gaima.co.uk. gaima.co.uk. 00000000000000000000ffffd13399fb 00000000000000000000ffff515b6c03
>@400000004171747f0b580f74 nodata 00000000000000000000ffffd13399fb 2560 16 _kerberos.gaima.co.uk.
>@400000004171747f0be0a834 query 4594 00000000000000000000ffffc0a816f6:8fad:7319 16 _kerberos.co.uk.
>@400000004171747f0be0b004 cached nxdomain _kerberos.co.uk.
>@400000004171747f0c6898fc query 4595 00000000000000000000ffffc0a816f6:8fad:731a 16 _kerberos.uk.
>@400000004171747f0c68a0cc cached nxdomain _kerberos.uk.
>@400000004171747f1fa4652c query 4645 00000000000000000000ffffc0a816f6:8fad:734c 16 _kerberos.gaima.co.uk.
>@400000004171747f1fa46cfc cached 16 _kerberos.gaima.co.uk.
>@400000004171747f1fcb4a34 query 4646 00000000000000000000ffffc0a816f6:8fad:734d 16 _kerberos.co.uk.
>@400000004171747f1fcb4e1c cached nxdomain _kerberos.co.uk.
>@400000004171747f1ff0c3f4 query 4647 00000000000000000000ffffc0a816f6:8fad:734e 16 _kerberos.uk.
>@400000004171747f1ff0c7dc cached nxdomain _kerberos.uk.
>
>
>------------------------------------------------------------------------
>
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/GAIMA.CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/GAIMA.CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/GAIMA.CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>Oct 16 20:06:03 gandalf krb5kdc[20530](info): TGS_REQ (2 etypes {16 1}) 192.168.22.246: UNKNOWN_SERVER: authtime 1097949298, kerb@HOME.GAIMA.CO.UK for krbtgt/GAIMA.CO.UK@HOME.GAIMA.CO.UK, Server not found in Kerberos database
>
>
>------------------------------------------------------------------------
>
>[libdefaults]
> ticket_lifetime = 600
> default_realm = HOME.GAIMA.CO.UK
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
>[realms]
> HOME.GAIMA.CO.UK = {
> kdc = gandalf.home.gaima.co.uk:88
> admin_server = gandalf.home.gaima.co.uk:749
> default_domain = home.gaima.co.uk
> }
># kdc = kerberos2.home.gaima.co.uk:88
>
>[domain_realm]
> .home.gaima.co.uk = HOME.GAIMA.CO.UK
> home.gaima.co.uk = HOME.GAIMA.CO.UK
>
>#[kdc]
># profile = /etc/krb5kdc/kdc.conf
>#
>[logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
>

--
gentoo-user@gentoo.org mailing list
Re: kerberised ssh (Server not found in Kerberos database)
On Sunday 17 October 2004 10:14, Jose Gonzalez Gomez wrote:
> Mike,
>
> I have written a HOWTO regarding these issues. You may find it at
> http://www.openinput.com/auth-howto/. Feel free to take a look at it and
> then ask anything you want if that doesn't solve your problems. Comments
> are welcome also.

Oh, neat.
I do have a question, or more precisely, a problem.

gandalf root # kadmin -l
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: kadm5_create_principal: ldap_add_s: default@home.gaima.co.uk
(dn=cn=default@home.gaima.co.uk,ou=kerberos,dc=home,dc=gaima,dc=co,dc=uk)
Insufficient access

Also getting the following errors from slapd, during each bind from the kadmin
init command
SASL [conn=18] Failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
If I add world read to that file, the error goes away, but the init still
fails with the same error.

And some comments.
/var/lib/ldapi is /var/lib/run/ldapi
Latest stable heimdal is 0.6.3-r1, so doesn't require your patches

> A question... what does hostname -f return?

server: gandalf.home.gaima.co.uk
client: sauron.home.gaima.co.uk

> HTH, best regards
> Jose

Cheers

--
Mike Williams
Re: kerberised ssh (Server not found in Kerberos database)
Mike Williams wrote:

>On Sunday 17 October 2004 10:14, Jose Gonzalez Gomez wrote:
>
>
>> Mike,
>>
>> I have written a HOWTO regarding these issues. You may find it at
>>http://www.openinput.com/auth-howto/. Feel free to take a look at it and
>>then ask anything you want if that doesn't solve your problems. Comments
>>are welcome also.
>>
>>
>
>Oh, neat.
>I do have a question, or more precisely, a problem.
>
>
I understand that you've been following the HOWTO, haven't you?

>gandalf root # kadmin -l
>kadmin> init HOME.GAIMA.CO.UK
>Realm max ticket life [unlimited]:
>Realm max renewable ticket life [unlimited]:
>kadmin: kadm5_create_principal: ldap_add_s: default@home.gaima.co.uk
>(dn=cn=default@home.gaima.co.uk,ou=kerberos,dc=home,dc=gaima,dc=co,dc=uk)
>Insufficient access
>
>
You don't have access to perform the requested operation. Please,
confirm if you have been following the HOWTO so I can fix that. In order
to go on, you must either give permissions to the user you are using to
connect, or give write access to anonymous/unauthenticated users.

>Also getting the following errors from slapd, during each bind from the kadmin
>init command
>SASL [conn=18] Failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
>If I add world read to that file, the error goes away, but the init still
>fails with the same error.
>
>
Have you emerged cyrus-sasl with both berkdb and gdbm use flags enabled?

>And some comments.
>/var/lib/ldapi is /var/lib/run/ldapi
>
>
What do you mean by this? The only place I can find /var/lib/ldapi
is in 6.1.3 Service configuration, and I think the path is correct:

commserver root # netstat -l | grep ldap
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 10200 /var/lib/ldapi

>Latest stable heimdal is 0.6.3-r1, so doesn't require your patches
>
>
I'll fix that, I haven't updated the HOWTO to reflect latest package
changes. Anyway that version includes the patches I sent.

>
>
>> A question... what does hostname -f return?
>>
>>
>
>server: gandalf.home.gaima.co.uk
>client: sauron.home.gaima.co.uk
>
>
>
>> HTH, best regards
>> Jose
>>
>>
>
>Cheers
>
>
>
Best regards
Jose

Re: kerberised ssh (Server not found in Kerberos database)
On Sunday 17 October 2004 20:18, Jose Gonzalez Gomez wrote:
> >Oh, neat.
> >I do have a question, or more precisely, a problem.
>
> I understand that you've been following the HOWTO, haven't you?

I have, and very informative it's been so far.

> >kadmin: kadm5_create_principal: ldap_add_s: default@home.gaima.co.uk
> >(dn=cn=default@home.gaima.co.uk,ou=kerberos,dc=home,dc=gaima,dc=co,dc=uk)
> >Insufficient access
>
> You don't have access to perform the requested operation. Please,
> confirm if you have been following the HOWTO so I can fix that. In order
> to go on, you must either give permissions to the user you are using to
> connect, or give write access to anonymous/unauthenticated users.

Yep, apart from some versions being slightly newer.
kadmin is in /usr/sbin, and requires root access to open /var/heimdal/m-key,
so I'm using root.
Got it, had to add "access to * by * write" as the first access line.

> >SASL [conn=18] Failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
> >If I add world read to that file, the error goes away, but the init still
> >fails with the same error.
>
> Have you emerged cyrus-sasl with both berkdb and gdbm use flags
> enabled?

I did, but took gdbm out, and no more errors.

> >And some comments.
> >/var/lib/ldapi is /var/lib/run/ldapi
>
> What do you mean by this? The only place I can find /var/lib/ldapi
> is in 6.1.3 Service configuration, and I think the path is correct:

Ahh, it's /var/lib/run/ldapi in openldap 2.2, now I've gone back down to
stable 2.1.30 it's back to /var/lib/ldapi.

Now I'm stuck at creating an ldap service ticket.
Seems due to me having IPv6 support everywhere. I'm not actually using it, but
at 1am Monday morning, I really can't be arsed to turn it off :)

Cheers

--
Mike Williams
Re: kerberised ssh (Server not found in Kerberos database)
Mike Williams wrote:

>On Sunday 17 October 2004 20:18, Jose Gonzalez Gomez wrote:
>
>
>>>Oh, neat.
>>>I do have a question, or more precisely, a problem.
>>>
>>>
>> I understand that you've been following the HOWTO, haven't you?
>>
>>
>
>I have, and very informative it's been so far.
>
>
Glad to hear that :o)

>
>
>>>kadmin: kadm5_create_principal: ldap_add_s: default@home.gaima.co.uk
>>>(dn=cn=default@home.gaima.co.uk,ou=kerberos,dc=home,dc=gaima,dc=co,dc=uk)
>>>Insufficient access
>>>
>>>
>> You don't have access to perform the requested operation. Please,
>>confirm if you have been following the HOWTO so I can fix that. In order
>>to go on, you must either give permissions to the user you are using to
>>connect, or give write access to anonymous/unauthenticated users.
>>
>>
>
>Yep, apart from some versions being slightly newer.
>kadmin is in /usr/sbin, and requires root access to open /var/heimdal/m-key,
>so I'm using root.
>Got it, had to add "access to * by * write" as the first access line.
>
>
Be sure you take away that as soon as you secure the server.

>
>
>>>SASL [conn=18] Failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
>>>If I add world read to that file, the error goes away, but the init still
>>>fails with the same error.
>>>
>>>
>> Have you emerged cyrus-sasl with both berkdb and gdbm use flags
>>enabled?
>>
>>
>
>I did, but took gdbm out, and no more errors.
>
>
I have taken out the gdbm and berkdb use flags, as I don't use them
in my setup.

>
>
>>>And some comments.
>>>/var/lib/ldapi is /var/lib/run/ldapi
>>>
>>>
>> What do you mean by this? The only place I can find /var/lib/ldapi
>>is in 6.1.3 Service configuration, and I think the path is correct:
>>
>>
>
>Ahh, it's /var/lib/run/ldapi in openldap 2.2, now I've gone back down to
>stable 2.1.30 it's back to /var/lib/ldapi.
>
>
Did you have any problems running 2.2? It's marked unstable in
Gentoo, but if you ask anything about 2.1 in the OpenLDAP list you get a
"move to 2.2 asap" almost immediately.

>Now I'm stuck at creating an ldap service ticket.
>Seems due to me having IPv6 support everywhere. I'm not actually using it, but
>at 1am Monday morning, I really can't be arsed to turn it off :)
>
>
I had some problems until I deactivated IPv6 support, I think I
mention them in the introduction of the HOWTO. Anyway, make sure you
create the service ticket using the canonical name of the server
(hostname -f), make sure you make the service ticket accessible to the
LDAP server exporting it to a proper keytab with proper permissions, and
make sure the server knows about the keytab using KRB5_KTNAME.

>Cheers
>
>
>
Going to bed, it's 2am here :o)

Best regards
Jose

Re: kerberised ssh (Server not found in Kerberos database)
On Monday 18 October 2004 01:19, Jose Gonzalez Gomez wrote:
> Did you have any problems running 2.2? It's marked unstable in
> Gentoo, but if you ask anything about 2.1 in the OpenLDAP list you get a
> "move to 2.2 asap" almost immediately.

Nothing went horribly wrong, but as I'm only messing around and learning, it
wasn't exactly a good test.
I think the only thing holding Gentoo back is the dependency on db-4.2

> I had some problems until I deactivated IPv6 support, I think I
> mention them in the introduction of the HOWTO. Anyway, make sure you
> create the service ticket using the canonical name of the server
> (hostname -f), make sure you make the service ticket accessible to the
> LDAP server exporting it to a proper keytab with proper permissions, and
> make sure the server knows about the keytab using KRB5_KTNAME.

OK, IPv6 gone, HOWTO finished.
But I'm still stuck in the same fashion :(

I can kinit over the network fine, I can do single sign on with ssh *on the
kerberos server*, yet every time I try from client to server it fails :(

mike@sauron mike $ ssh -l kerb gandalf.home.gaima.co.uk -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
[snip]
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure (see text)
Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK) unknown
[snip]
mike@sauron mike $ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: kerb@HOME.GAIMA.CO.UK

Issued Expires Principal
Oct 20 01:10:52 Oct 20 01:20:51 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK

gandalf root # ssh -l kerb kerberos.home.gaima.co.uk -v
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
[snip]
debug1: Authentications that can continue:
publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
$ exit
gandalf root # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: kerb@HOME.GAIMA.CO.UK

Issued Expires Principal
Oct 20 01:08:21 Oct 20 01:18:21 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
Oct 20 01:08:30 Oct 20 01:18:21
host/gandalf.home.gaima.co.uk@HOME.GAIMA.CO.UK


Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK) unknown ??
Is that the server saying it's krbtgt/CO.UK@HOME.GAIMA.CO.UK, or the client
breaking?
I also get this:

mike@sauron mike $ ldapsearch -H ldap://gandalf.home.gaima.co.uk/ -x -b "" -s
base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM

mike@sauron mike $ ldapsearch -H ldap://gandalf.home.gaima.co.uk/ -b "" -s
base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK)
unknown)

Snippet from krb5kdc.log
2004-10-20T01:37:00 TGS-REQ kerb@HOME.GAIMA.CO.UK from IPv4:192.168.22.246 for
krbtgt/CO.UK@HOME.GAIMA.CO.UK
2004-10-20T01:37:00 Server not found in database:
krbtgt/CO.UK@HOME.GAIMA.CO.UK: No such entry in the database
2004-10-20T01:37:00 sending 134 bytes to IPv4:192.168.22.246

??

--
Mike Williams
Re: kerberised ssh (Server not found in Kerberos database)
Mike Williams wrote:

>On Monday 18 October 2004 01:19, Jose Gonzalez Gomez wrote:
>
>
>> Did you have any problems running 2.2? It's marked unstable in
>>Gentoo, but if you ask anything about 2.1 in the OpenLDAP list you get a
>>"move to 2.2 asap" almost immediately.
>>
>>
>
>Nothing went horribly wrong, but as I'm only messing around and learning, it
>wasn't exactly a good test.
>I think the only thing holding Gentoo back is the dependency on db-4.2
>
>
So what's the problem with db-4.2?

>
>
>> I had some problems until I deactivated IPv6 support, I think I
>>mention them in the introduction of the HOWTO. Anyway, make sure you
>>create the service ticket using the canonical name of the server
>>(hostname -f), make sure you make the service ticket accessible to the
>>LDAP server exporting it to a proper keytab with proper permissions, and
>>make sure the server knows about the keytab using KRB5_KTNAME.
>>
>>
>
>OK, IPv6 gone, HOWTO finished.
>But I'm still stuck in the same fashion :(
>
>I can kinit over the network fine, I can do single sign on with ssh *on the
>kerberos server*, yet every time I try from client to server it fails :(
>
>mike@sauron mike $ ssh -l kerb gandalf.home.gaima.co.uk -v
>OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
>[snip]
>debug1: Authentications that can continue:
>publickey,gssapi-with-mic,keyboard-interactive
>debug1: Next authentication method: gssapi-with-mic
>debug1: Miscellaneous failure (see text)
>Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK) unknown
>[snip]
>mike@sauron mike $ klist
>Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: kerb@HOME.GAIMA.CO.UK
>
> Issued Expires Principal
>Oct 20 01:10:52 Oct 20 01:20:51 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
>
>gandalf root # ssh -l kerb kerberos.home.gaima.co.uk -v
>OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
>[snip]
>debug1: Authentications that can continue:
>publickey,gssapi-with-mic,keyboard-interactive
>debug1: Next authentication method: gssapi-with-mic
>debug1: Authentication succeeded (gssapi-with-mic).
>debug1: channel 0: new [client-session]
>debug1: Entering interactive session.
>$ exit
>gandalf root # klist
>Credentials cache: FILE:/tmp/krb5cc_0
> Principal: kerb@HOME.GAIMA.CO.UK
>
> Issued Expires Principal
>Oct 20 01:08:21 Oct 20 01:18:21 krbtgt/HOME.GAIMA.CO.UK@HOME.GAIMA.CO.UK
>Oct 20 01:08:30 Oct 20 01:18:21
>host/gandalf.home.gaima.co.uk@HOME.GAIMA.CO.UK
>
>
>Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK) unknown ??
>Is that the server saying it's krbtgt/CO.UK@HOME.GAIMA.CO.UK, or the client
>breaking?
>I also get this:
>
>mike@sauron mike $ ldapsearch -H ldap://gandalf.home.gaima.co.uk/ -x -b "" -s
>base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: CRAM-MD5
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: NTLM
>
>mike@sauron mike $ ldapsearch -H ldap://gandalf.home.gaima.co.uk/ -b "" -s
>base -LLL supportedSASLMechanisms
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error (82)
> additional info: SASL(-1): generic failure: GSSAPI Error:
>Miscellaneous failure (see text) (Server (krbtgt/CO.UK@HOME.GAIMA.CO.UK)
>unknown)
>
>Snippet from krb5kdc.log
>2004-10-20T01:37:00 TGS-REQ kerb@HOME.GAIMA.CO.UK from IPv4:192.168.22.246 for
>krbtgt/CO.UK@HOME.GAIMA.CO.UK
>2004-10-20T01:37:00 Server not found in database:
>krbtgt/CO.UK@HOME.GAIMA.CO.UK: No such entry in the database
>2004-10-20T01:37:00 sending 134 bytes to IPv4:192.168.22.246
>
>??
>
>
Ok, let's see, from my knowledge, whenever you try to connect to a
kerberized server, that server searches for the canonical name of the
machine and then tries to locate a service ticket so it can authenticate
against the client (Kerberos uses a mutual authentication scheme), so
the only thing I can think of in your case is that you have some DNS
related problems. So could you please post the content of
/etc/resolv.conf, /etc/hosts and the output of hostname -f in both
gandalf and sauron?

Best regards
Jose

Re: kerberised ssh (Server not found in Kerberos database)
On Wednesday 20 October 2004 10:10, Jose Gonzalez Gomez wrote:
> >Nothing went horribly wrong, but as I'm only messing around and learning,
> > it wasn't exactly a good test.
> >I think the only thing holding Gentoo back is the dependency on db-4.2
>
> So what's the problem with db-4.2?

I believe it was hard masked when I first went to OL-2.2, but now it seems to
be just ~x86, not sure why OL-2.2 is still hard masked though.
Think I might go back to 2.2, as the syncrepl stuff looks very cool.

> Ok, let's see, from my knowledge, whenever you try to connect to a
> kerberized server, that server searches for the canonical name of the
> machine and then tries to locate a service ticket so it can authenticate
> against the client (Kerberos uses a mutual authentication scheme), so
> the only thing I can think of in your case is that you have some DNS
> related problems. So could you please post the content of
> /etc/resolv.conf, /etc/hosts and the output of hostname -f in both
> gandalf and sauron?

Consider myself slapped around with a wet haddock.
I normally only ever do DNS properly, not using /etc/hosts, but for some
reason I had 2 entries there which could have caused the problem.
Now they're both gone, it works! Woo!

Thanks Jose.
I did find a couple of problems with the HOWTO.
The people example ldif file name doesn't match what was created, and what was
ldapadd'd. people.ldif was created, but example.ldif was added.
The last few examples (ldap access for sure), included your own dc, rather
than dc=example,dc=com, a bit confusing :)
For single sign on ssh, the one option you show is all you need.
I had to take the des3-hmac-sha1 encryption type out of /etc/krb5.conf, as
ktutil simply refused to accept it, even when I told it to use a different
type.
nssproxy becomes pamproxy in the ldap access file.
I needed a copy of /etc/openldap/ldap.conf with "TLS_REQCERT allow" in on
the client too. Self signed cert.

--
Mike Williams
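The realm-mapping step that bit Mike, worked through as an added example (this is not code from the thread or from Jose's HOWTO). Before a GSSAPI client asks for a host/... service ticket it canonicalises the server's name (here through an /etc/hosts-style table, which is where the stray entries lived) and maps that canonical name to a realm through [domain_realm]. A name that no [domain_realm] entry covers falls back, per MIT's documented behaviour when no KDC referral is available, to the uppercased domain portion of the name; a server that appears to live in a foreign realm makes the client ask its own KDC for a cross-realm krbtgt/<SERVER_REALM>@HOME.GAIMA.CO.UK, which is exactly the principal in the krb5kdc.log lines quoted above, so the "client breaking?" guess was the right one. The krb5.conf below is modelled on the one posted; the hosts-file contents and the 192.0.2.10 address are constructed assumptions, since the thread never shows the two offending entries.

```python
import re

# Client-side krb5.conf modelled on the one posted in the thread (constructed;
# only the two sections the mapping needs).
KRB5_CONF = """\
[libdefaults]
    default_realm = HOME.GAIMA.CO.UK

[domain_realm]
    .home.gaima.co.uk = HOME.GAIMA.CO.UK
    home.gaima.co.uk = HOME.GAIMA.CO.UK
"""

# Two constructed /etc/hosts files. The thread only says two stray entries were
# present; the address (documentation range) and the stray line are assumptions.
HOSTS_CLEAN = """\
127.0.0.1   localhost
192.0.2.10  gandalf.home.gaima.co.uk gandalf
"""
HOSTS_BROKEN = """\
127.0.0.1   localhost
192.0.2.10  gaima.co.uk gandalf.home.gaima.co.uk gandalf   # stray line (assumed)
"""


def parse_krb5_conf(text):
    """Minimal [section] / key = value parser; enough for flat sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def parse_hosts(text):
    """Return {name: canonical_name} the way the glibc 'files' backend does:
    the first name on a matching line is the canonical name, the rest are
    aliases, and the first matching line wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        canonical = fields[1]
        for name in fields[1:]:
            table.setdefault(name.lower(), canonical.lower())
    return table


def canonicalize(host, hosts):
    """Forward-resolve through the hosts table; a name not listed there would
    go to DNS in reality, here it is simply returned unchanged."""
    return hosts.get(host.lower(), host.lower())


def host_to_realm(canonical_host, domain_realm):
    """[domain_realm] lookup in MIT order: the exact host name, then each
    parent domain written with a leading dot.  With no match (and no KDC
    referral, which this model leaves out) MIT falls back to the uppercased
    domain portion of the name.  Returns None for a single-label name."""
    host = canonical_host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def tgs_request_for(client_realm, target_host, hosts, domain_realm):
    """Principal the client asks its own KDC for when connecting to target_host.
    Same realm: the host service principal.  Foreign realm: a cross-realm TGT,
    krbtgt/<SERVER_REALM>@<CLIENT_REALM>, which a KDC with no such trust
    answers with UNKNOWN_SERVER ('Server not found in Kerberos database')."""
    canonical = canonicalize(target_host, hosts)
    server_realm = host_to_realm(canonical, domain_realm)
    if server_realm is None:
        return None
    if server_realm == client_realm:
        return f"host/{canonical}@{client_realm}"
    return f"krbtgt/{server_realm}@{client_realm}"


def diagnose(target_host, hosts_text, conf_text=KRB5_CONF):
    """Run the whole client-side chain for one hosts file; the result is the
    principal a krb5kdc.log TGS-REQ line would name."""
    conf = parse_krb5_conf(conf_text)
    return tgs_request_for(conf["libdefaults"]["default_realm"], target_host,
                           parse_hosts(hosts_text), conf["domain_realm"])


if __name__ == "__main__":
    for label, hosts in (("clean", HOSTS_CLEAN), ("broken", HOSTS_BROKEN)):
        print(f"{label:6} -> {diagnose('gandalf.home.gaima.co.uk', hosts)}")
```

The same chain explains the second principal in the original KDC log: a canonical name of the form something.gaima.co.uk has no [domain_realm] match either and falls back to GAIMA.CO.UK. On the defending side, a KDC log full of TGS-REQs for krbtgt/<REALM>@<your realm> naming a realm you have no trust with is a reliable sign of a client whose name canonicalisation (hosts file, reverse DNS, or a missing [domain_realm] entry) is off, rather than of a server-side keytab problem.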
Re: kerberised ssh (Server not found in Kerberos database)
>Consider myself slapped around with a wet haddock.
>I normally only ever do DNS properly, not using /etc/hosts, but for some
>reason I had 2 entries there which could have caused the problem.
>Now they're both gone, it works! Woo!
>
>Thanks Jose.
>
>
You're welcome... about those problems, that's what you get when
doing Gentoo (or any other work) for too long!! I often have that kind
of problem late at night, just to wake up next morning and notice I was
doing something completely wrong :o)

By the way, welcome to the Kerberized world :o)

>I did find a couple of problems with the HOWTO.
>The people example ldif file name doesn't match what was created, and what was
>ldapadd'd. people.ldif was created, but example.ldif was added.
>The last few examples (ldap access for sure), included your own dc, rather
>than dc=example,dc=com, a bit confusing :)
>For single sign on ssh, the one option you show is all you need.
>I had to take the des3-hmac-sha1 encryption type out of /etc/krb5.conf, as
>ktutil simply refused to accept it, even when I told it to use a different
>type.
>nssproxy becomes pamproxy in the ldap access file.
>I needed a copy of /etc/openldap/ldap.conf with "TLS_REQCERT allow" in on
>the client too. Self signed cert.
>
>
>
Ok, I'll take this into account to include it in the next version,
thanks a lot

Best regards
Jose
