Subject: Re: Kerberos testing... success,but... :-)
To: None <joda@pdc.kth.se>
From: Pete Vickers <pete.vickers@uk.adtranz.com>
List: tech-net
Date: 01/14/2001 22:57:59
> "Pete Vickers" <pete.vickers@uk.adtranz.com> writes:
>
>> |[lib_defaults]
>
>Is this verbatim? The section is called `libdefaults'. But I don't
>think this is why it's failing.
>
>/Johan

Ahh, wise words... I've amended the typo [lib_default] -> [libdefault], and now
everything works.

UKPV0001 can telnet/login successfully, and then:

% klist -v

Credentials cache: FILE:/tmp/krb5cc_1000.ttyp0
        Principal: ukpv0001@TRANSTEST
    Cache version: 4

Server: krbtgt/TRANSTEST@TRANSTEST
Ticket etype: des-cbc-crc
Auth time:  Jan 14 21:56:58 2001
End time:   Jan 15 07:56:58 2001
Ticket flags: initial, pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1

Server: host/ukdews0001.transtest@TRANSTEST
Ticket etype: des-cbc-crc
Auth time:  Jan 14 21:56:58 2001
End time:   Jan 15 07:56:58 2001
Ticket flags: pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1

%

thanks for the assistance. I guess NetBSD/heimdal can now boast proven "Win2k
kerberos" compatibility...if anyone was interested.

p.s. how about SSH login authentication via Kerberos ?
man sshd states:

"...
 KerberosAuthentication
             Specifies whether Kerberos authentication is allowed.  This can
             be in the form of a Kerberos ticket, or if PasswordAuthentication
             is yes, the password provided by the user will be validated
             through the Kerberos KDC.  To use this option, the server needs a
             Kerberos servtab which allows the verification of the KDC's iden-
             tity.  Default is ``yes''.

     KerberosOrLocalPasswd
             If set then if password authentication through Kerberos fails
             then the password will be validated via any additional local
             mechanism such as /etc/passwd.  Default is ``yes''.
..."

presumably the "Kerberos servtab" is /etc/krb5.keytab which I already have ?
and "grep erberos /etc/sshd.conf" confirms:

# To change Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

but an attempted ssh login is only successful if I use the local password, not
the kerberos one. Also a packet dump reveals that no attempt is made to contact
the kdc ?

no doubt I'm doing something stupid again... any ideas ?


Pete
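The `klist -v` listing above is the kind of output a practitioner ends up eyeballing for two things: that a TGT (`krbtgt/REALM@REALM`) and the expected service ticket are actually present, and what encryption type the KDC issued them with. The tickets here are `des-cbc-crc`, which is what a Win2k-era KDC would hand out and which is single DES, deprecated for Kerberos by RFC 6649. The following is an added example, not code from the original post or from Heimdal/NetBSD: it parses Heimdal's `klist -v` format into records and flags single-DES etypes and address-bound tickets. The sample input is constructed from the listing in the thread; the `WEAK_ETYPES` set and the field names are this example's own choices.

```python
"""Parse Heimdal `klist -v` output and audit the tickets it lists.

Added example, not part of the original mailing-list post. SAMPLE_KLIST is
constructed from the listing quoted in the thread.
"""
from dataclasses import dataclass, field

# Single-DES enctypes; all deprecated for Kerberos by RFC 6649 (assumption: this
# is the set a reviewer would want flagged).
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample, copied from the thread's `klist -v` output.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000.ttyp0
        Principal: ukpv0001@TRANSTEST
    Cache version: 4

Server: krbtgt/TRANSTEST@TRANSTEST
Ticket etype: des-cbc-crc
Auth time:  Jan 14 21:56:58 2001
End time:   Jan 15 07:56:58 2001
Ticket flags: initial, pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1

Server: host/ukdews0001.transtest@TRANSTEST
Ticket etype: des-cbc-crc
Auth time:  Jan 14 21:56:58 2001
End time:   Jan 15 07:56:58 2001
Ticket flags: pre-authenticated
Addresses: IPv4:172.16.96.155, IPv6:::1, IPv4:127.0.0.1
"""


@dataclass
class Ticket:
    server: str
    etype: str = ""
    auth_time: str = ""
    end_time: str = ""
    flags: list = field(default_factory=list)
    addresses: list = field(default_factory=list)

    def is_tgt(self) -> bool:
        return self.server.startswith("krbtgt/")


def _value(line: str) -> str:
    # Everything after the first colon; times and FILE: paths contain colons,
    # so only split once.
    return line.split(":", 1)[1].strip()


def _csv(line: str) -> list:
    return [item.strip() for item in _value(line).split(",") if item.strip()]


def parse_klist(text: str) -> dict:
    """Return {'cache': str, 'principal': str, 'tickets': [Ticket, ...]}."""
    result = {"cache": "", "principal": "", "tickets": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Credentials cache:"):
            result["cache"] = _value(line)
        elif line.startswith("Principal:"):
            result["principal"] = _value(line)
        elif line.startswith("Server:"):
            cur = Ticket(server=_value(line))
            result["tickets"].append(cur)
        elif cur is None:
            continue  # header lines we do not model (e.g. Cache version)
        elif line.startswith("Ticket etype:"):
            cur.etype = _value(line)
        elif line.startswith("Auth time:"):
            cur.auth_time = _value(line)
        elif line.startswith("End time:"):
            cur.end_time = _value(line)
        elif line.startswith("Ticket flags:"):
            cur.flags = _csv(line)
        elif line.startswith("Addresses:"):
            cur.addresses = _csv(line)
    return result


def audit(parsed: dict) -> list:
    """Return human-readable findings: missing TGT, weak etypes, loopback binding."""
    findings = []
    tickets = parsed["tickets"]
    if not any(t.is_tgt() for t in tickets):
        findings.append("no krbtgt ticket in cache: kinit/login did not obtain a TGT")
    for t in tickets:
        if t.etype.lower() in WEAK_ETYPES:
            findings.append(f"{t.server}: weak single-DES etype {t.etype}")
        if any(a.endswith(("127.0.0.1", ":::1")) for a in t.addresses):
            findings.append(f"{t.server}: ticket is address-bound to loopback")
    return findings


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    print(f"{parsed['principal']} in {parsed['cache']}: {len(parsed['tickets'])} tickets")
    for finding in audit(parsed):
        print(" -", finding)
```

Run it on real output with `klist -v | python3 klist_audit.py` after replacing `SAMPLE_KLIST` with `sys.stdin.read()`; the loopback check matters because address-bound tickets carrying `127.0.0.1` cannot be forwarded to another host, which is one reason a later `ssh` with ticket-based auth can fail quietly.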