LinuxQuestions.org
Old 12-20-2012, 10:12 AM   #1
derekmapge
Kerberos keytab and Virtual IPs


Hi All,

I use kerberos and SSSD for Active Directory authentication for our CentOS6 hosts.
We also use GSSAPI for SSH to delegate authentication with the kerberos ticket so we don't need to use SSH keys.

The issue I am running into is if I ssh to the hostname, passwordless authentication works great using GSSAPI. If I ssh to a virtual IP on the server GSSAPI complains that the host is not in the kerberos database.

I also have separate/different A records for my Virtual IPs.

This is my original keytab.
# Note I have replaced my real domain name with MYDOMAIN for security reasons.

$ sudo klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)

I have tried adding entries to the keytab using ktutil
for example: add_entry -key -p host/sql01.u.m4.mydomain.com -k 2 -e arcfour-hmac

As you can see I have tried every combination of this.
Note sql01.u.m4.mydomain.com is on the same system as m4deploy01.m4.mydomain.com, just a different A record pointing to a virtual IP on the system.

I have also added an Active Directory computer called "sql01", just like I have "m4deploy01" in Active Directory.

$ sudo klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/*$@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/*.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/SQL01@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 host/SQL01@RHELM.MYDOMAIN.COM (arcfour-hmac)
2 host/SQL01@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 SQL01$@RHELM.MYDOMAIN.COM (des-cbc-crc)
2 SQL01$@RHELM.MYDOMAIN.COM (des-cbc-md5)
2 SQL01$@RHELM.MYDOMAIN.COM (arcfour-hmac)

Does anyone know how I can make this work? We really want to get away from SSH keys.

Additional information:
~$ rpm -qa | egrep 'krb|sssd'
sssd-client-1.8.0-32.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6_3.2.x86_64
krb5-devel-1.9-33.el6_3.2.x86_64
python-krbV-1.0.90-3.el6.x86_64
sssd-1.8.0-32.el6.x86_64
krb5-workstation-1.9-33.el6_3.2.x86_64

uname -a
2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/redhat-release
CentOS release 6.3 (Final)


Thank you.
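A diagnostic for the situation described in the post, added here as an editor's example (it is not code from the thread or from any of the packages listed). It parses `klist -ke` output in the layout shown above, works out which `host/` service principal an MIT krb5 SSH client will request for a name the user typed, and reports whether the keytab holds that principal and which of its enctypes are deprecated. Two facts it encodes: keytab lookup is an exact string match, so `host/*...` entries are literal names rather than wildcards; and with the krb5 default `rdns = true` the client resolves the typed name to an address and then reverse-resolves it, so a virtual IP whose PTR record points back at the primary host name yields a ticket request for the primary host's principal. The DNS table, the realm and the keytab text below are constructed for the example. Note also that "Server not found in Kerberos database" is the KDC's reply (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN), so entries on the server's keytab cannot by themselves resolve it: the KDC must know the SPN.

```python
"""Diagnose which host/ principal an SSH client requests and whether the keytab has it.

Added example, not from the original thread. The DNS tables and the klist text
are constructed; the klist layout mirrors what 'klist -ke' prints.
"""
import re

# Constructed sample of 'klist -ke /etc/krb5.keytab' output.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (des-cbc-crc)
   2 host/m4deploy01.m4.mydomain.com@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 host/M4DEPLOY01@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 M4DEPLOY01$@RHELM.MYDOMAIN.COM (arcfour-hmac)
   2 host/sql01.u.m4.mydomain.com@RHELM.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
                 "arcfour-hmac", "arcfour-hmac-exp"}

# Constructed forward and reverse DNS. The virtual IP 10.0.0.11 has its own A
# record but its PTR record points back at the primary host name, which is a
# common reason the client asks for a different principal than expected.
DNS_A = {"m4deploy01.m4.mydomain.com": "10.0.0.10",
         "sql01.u.m4.mydomain.com": "10.0.0.11"}
DNS_PTR = {"10.0.0.10": "m4deploy01.m4.mydomain.com",
           "10.0.0.11": "m4deploy01.m4.mydomain.com"}

# One keytab line: "<kvno> <principal>@<REALM> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each 'principal@REALM' in klist -ke output to the set of enctypes it has."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner, header and separator lines
        _kvno, princ, realm, enctype = m.groups()
        entries.setdefault(f"{princ}@{realm}", set()).add(enctype)
    return entries


def requested_principal(typed_name, realm, rdns=True):
    """Service principal an MIT krb5 SSH client asks the KDC for.

    With rdns=true (the krb5 default) the typed name is resolved to an address
    and that address is reverse-resolved; the PTR result becomes the host part.
    With rdns=false the typed name is used as-is (lower-cased, no trailing dot).
    """
    name = typed_name.lower().rstrip(".")
    if rdns:
        ip = DNS_A.get(name, name)          # an IP literal maps to itself
        name = DNS_PTR.get(ip, name)        # no PTR: keep the forward name
    return f"host/{name}@{realm}"


def diagnose(typed_name, realm, klist_text, rdns=True):
    """Report the principal the client will request, keytab presence and weak enctypes.

    Keytab lookup is exact-match, so a 'host/*' entry never matches a real name.
    """
    keytab = parse_klist(klist_text)
    wanted = requested_principal(typed_name, realm, rdns)
    return {
        "requested": wanted,
        "in_keytab": wanted in keytab,
        "weak_enctypes": sorted(keytab.get(wanted, set()) & WEAK_ENCTYPES),
    }


if __name__ == "__main__":
    realm = "RHELM.MYDOMAIN.COM"
    for name in ("m4deploy01.m4.mydomain.com", "sql01.u.m4.mydomain.com", "10.0.0.11"):
        for rdns in (True, False):
            r = diagnose(name, realm, KLIST_OUTPUT, rdns=rdns)
            print(f"typed={name:28} rdns={str(rdns):5} -> {r['requested']} "
                  f"in_keytab={r['in_keytab']} weak={r['weak_enctypes']}")
```

Run it with the real listing by replacing `KLIST_OUTPUT` with the text of `klist -ke /etc/krb5.keytab` and the DNS tables with what `dig` and `dig -x` return for the virtual IP; the `rdns` switch mirrors the `rdns` setting in the `[libdefaults]` section of krb5.conf. The weak-enctype column is worth acting on independently of the SSH problem: every entry in the listing above uses DES or RC4, and a keytab that holds only deprecated keys is a downgrade risk regardless of which principal finally works.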