Subject: Re: kerberos with NetBSD 2.0
To: Jukka Salmi <j+nbsd@2005.salmi.ch>
From: Thierry Lacoste <th.lacoste@wanadoo.fr>
List: netbsd-help
Date: 07/11/2005 14:24:22
On Monday 11 July 2005 13:05, Jukka Salmi wrote:
> Thierry Lacoste --> netbsd-help (2005-07-11 12:31:59 +0200):
> > I installed an apache server on 2.0. with SSL and mod_auth_kerb.
> > I also installed pure-ftpd so that authors can upload their web pages.
> > My plan is to make pure-ftpd use kerberos authentication and
> > local identification (authors will have a local account with their home
> > directory inside the directory  exported by apache).
> > The problem is that I can't even su or login:
> >
> > $ su - lacostet
> > lacostet@MIAGE.UNIV-PARIS12.FR's Password:
> > su: krb5_verify_user: failed to find
> > host/pegase.miage.univ-paris12.fr@MIAGE.UNIV-PARIS12.FR in keytab
> > FILE:/etc/krb5.keytab
>
> What does `ktutil list' tell?
$ /usr/sbin/ktutil list
FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/pegase.miage.univ-paris12.fr@MIAGE.UNIV-PARIS12.FR

ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory

Maybe I should have said that I'm authenticating against Active Directory;
is it worth testing with a Heimdal server running on BSD?
I'm seriously planning to replace AD with Samba+LDAP+Kerberos on BSD
but for the moment I'm stuck with AD :(
>
> > kinit works:
> >
> > $ kinit lacostet
> > lacostet@MIAGE.UNIV-PARIS12.FR's Password:
> > kinit: NOTICE: ticket renewable lifetime is 1 week
> > kinit: converting creds: Cannot contact any KDC for requested realm
>
> If you don't use Kerberos IV you should probably set
> `krb4_get_tickets = false' in your krb5.conf.
Done.
>
> > $ klist
> > Credentials cache: FILE:/tmp/krb5cc_1000
> >         Principal: lacostet@MIAGE.UNIV-PARIS12.FR
> >
> >   Issued           Expires          Principal
> > Jul 11 12:07:03  Jul 11 22:07:03
> > krbtgt/MIAGE.UNIV-PARIS12.FR@MIAGE.UNIV-PARIS12.FR
> > Jul 11 12:07:03  Jul 11 22:07:03
> > krbtgt/MIAGE.UNIV-PARIS12.FR@MIAGE.UNIV-PARIS12.FR
>
> Twice? Hmm...
Well now I have
$ klist
Credentials cache: FILE:/tmp/krb5cc_1004
        Principal: lacostet@MIAGE.UNIV-PARIS12.FR

  Issued           Expires          Principal
Jul 11 14:19:04  Jul 12 00:19:04  krbtgt/MIAGE.UNIV-PARIS12.FR@MIAGE.UNIV-PARIS12.FR

   V4-ticket file: /tmp/tkt1004
klist: No ticket file (tf_util)

Regards,
Thierry.
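An added diagnostic, not code from this thread: it parses a Heimdal `ktutil list` dump like the one above and checks it for the `host/<fqdn>@<REALM>` principal that krb5_verify_user looks up, flagging single-DES keys and the krb4 srvtab complaint. The embedded listing is constructed from the output posted in the mail, and the FQDN and realm are the ones it shows.

```python
"""Check a Heimdal `ktutil list` dump for the host principal that
krb5_verify_user() needs, and flag weak encryption types."""
import re

# Single-DES (and RC4) keys: acceptable to old KDCs, not to current ones.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-md5"}

# Constructed sample, copied from the listing in the mail as ktutil prints it.
SAMPLE_LISTING = """\
FILE:/etc/krb5.keytab:

Vno  Type         Principal
  1  des-cbc-crc  host/pegase.miage.univ-paris12.fr@MIAGE.UNIV-PARIS12.FR

ktutil: krb5_kt_start_seq_get krb4:/etc/srvtab: open(/etc/srvtab): No such file or directory
"""

# One keytab entry per line: key version, enctype, principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)$")


def parse_ktutil_list(text):
    """Return [(vno, enctype, principal), ...] from `ktutil list` output.
    The header line and the trailing ktutil error do not match the pattern."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(text, fqdn, realm):
    """Report whether host/<fqdn>@<realm> is listed, which key versions it has,
    which entries use weak enctypes, and whether ktutil also tried a krb4 srvtab."""
    wanted = f"host/{fqdn}@{realm}"
    entries = parse_ktutil_list(text)
    present = [e for e in entries if e[2] == wanted]
    return {
        "host_principal_found": bool(present),
        "kvnos": sorted({e[0] for e in present}),
        "weak_entries": [e for e in entries if e[1].lower() in WEAK_ENCTYPES],
        "krb4_srvtab_error": "krb4:/etc/srvtab" in text,
    }


if __name__ == "__main__":
    print(check_keytab(SAMPLE_LISTING, "pegase.miage.univ-paris12.fr", "MIAGE.UNIV-PARIS12.FR"))
```

A name match is only the first check: krb5_verify_user obtains a service ticket for that principal and then decrypts it with the keytab key, so a key version or enctype that differs from what the KDC issued will still fail even though the entry is listed.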