ey
Ik ben bezig met een migratie van MIT naar Heimdal. Ik wil op heimdal over omdat de MIT implementatie van Kerberos in de VS gemaakt wordt en daar is een export wet op encryptie software die het een en ander verbiedt. Hier heeft Heimdal geen last van omdat het in Zweden gemaakt wordt.
Goed wat is het probleem:
Ik heb een heimdal server op mijn FreeBSD server gezet en deze goed geconfigureerd (nog niet helemaal denk ik
) en ik heb 1 client op het moment aan deze server hangen. Als ik mijn ticket nu wil op vragen dan gaat dat goed:
monster% kinit
matthijs@CACHOLONG.NL's Password:
monster% klist
Credentials cache: FILE:/tmp/krb5cc_1002
Principal: matthijs@CACHOLONG.NL
Issued Expires Principal
Jan 25 22:52:45 Jan 26 08:51:21 krbtgt/CACHOLONG.NL@CACHOLONG.NL
monster%
Zoals je ziet gaat het verkrijgen van een ticket goed. Probeer ik nu met ssh naar mijn server te ssh'en met behulp van het ticket dan gaat dat niet lukken en vraagt hij als nog om een password.
Wat ik in de logs zie is het volgende:
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 146 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 138 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 126 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/NL@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/NL@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 125 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 146 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 138 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 126 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/NL@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/NL@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 125 bytes to IPv4:192.168.0.9
2004-01-25T22:55:01 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:01 Server not found in database: krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:01 sending 146 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 138 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ORG@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 126 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/NL@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/NL@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 125 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/ACTIVE2.HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 146 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/HOMELINUX.ORG@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/HOMELINUX.ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 138 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/ORG@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/ORG@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 126 bytes to IPv4:192.168.0.9
2004-01-25T22:55:02 TGS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.9 for krbtgt/NL@CACHOLONG.NL
2004-01-25T22:55:02 Server not found in database: krbtgt/NL@CACHOLONG.NL: No such entry in the database
2004-01-25T22:55:02 sending 125 bytes to IPv4:192.168.0.9
2004-01-25T22:55:10 AS-REQ matthijs@CACHOLONG.NL from IPv4:192.168.0.1 for krbtgt/CACHOLONG.NL@CACHOLONG.NL
2004-01-25T22:55:10 Using des3-cbc-sha1/des3-cbc-sha1
2004-01-25T22:55:10 Requested flags: renewable, proxiable, forwardable
2004-01-25T22:55:10 sending 661 bytes to IPv4:192.168.0.1
Goed nou heb ik ssh en sshd ook lopen debuggen om te kijken wat het probleem kan zijn en voor ssh krijg ik het volgende:
<knip>
debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: Miscellaneous failure
Server not found in Kerberos database
<knip>
En van de ssh server krijg ik het volgende:
debug1: userauth-request for user matthijs service ssh-connection method gssapi
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug1: Miscellaneous failure (see text)
unable to find realm of host
debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 38
debug3: mm_request_receive entering
Failed gssapi for matthijs from 192.168.0.9 port 35355 ssh2
debug1: userauth-request for user matthijs service ssh-connection method gssapi
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi
Failed gssapi for matthijs from 192.168.0.9 port 35355 ssh2
Nu mijn configuratie nog (deze is gelijk op de server en client:
code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| [appdefaults]
forwardable = true
proxiable = true
ticket_lifetime = 10 hours
renew_lifetime = 1 week
no-addresses = false
[libdefaults]
default_realm = CACHOLONG.NL
clockskew = 300
kdc_timesync = 1
forwardable = true
proxiable = true
ticket_lifetime = 10 hours
renew_lifetime = 1 week
v4_name_convert = false
default_keytab_name = FILE:/etc/krb5.keytab
warn_pwexpire = 1 week
krb4_get_tickets = false
[realms]
CACHOLONG.NL = {
kdc = router.cacholong.nl
admin_server = router.cacholong.nl
kpasswd_server = router.cacholong.nl
v4_instance_convert = false
v4_name_convert = false
}
[domain_realm]
.cacholong.nl = CACHOLONG.NL
[login]
krb4_convert = false
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/heimdal/kdc.log
admin_server = FILE:/var/log/heimdal/admin.log
default = FILE:/var/log/heimdal/default.log |
Misschien iemand die weet hoe dit op te lossen ?
Ik ben ook net veranderd van domain (active2.homelinux.org -> cacholong.nl) misschien dat daar de problemen uit voortkomen.
:strip_icc():strip_exif()/u/31199/goticon.jpg?f=community)