Old 01-14-2011, 08:18 AM   #1
Felipe
ssh and kerberos error: Server not found in Kerberos database


Hello:

I'm trying to configure SSH for access with Kerberos. I'm trying to configure SSO.

The computer is joined to Active Directory. I can log in with the user/pass from AD (using samba/winbind), but if I try to connect using Kerberos, I get the error:
Server not found in kerberos database.

The server is CentOS 5.5, but I also tried with RHEL 5.5.

Please, can anyone tell me what's wrong?

Thanks



==============================================================
Configuration
Domain: net
Realm: TEST.NET
User: usertom
Server ssh: testul0001.test.net
Client ssh: testul0001.test.net (connect to the same computer)
Domain controller: testgc01.test.net



==============================================================
1- File configuration



==============================================================
/etc/hosts
--------------------------------------------------------------
# Do not remove the following line, or various programs
# that require network functionality will fail.
10.16.137.224 testul0001.test.net testul0001
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6



==============================================================
/etc/nsswitch.conf
--------------------------------------------------------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus




==============================================================
/etc/samba/smb.conf
--------------------------------------------------------------
[global]
workgroup = TEST
realm = TEST.NET
server string = Samba Server Version %v
security = ADS
password server = testgc01.test.net
passdb backend = tdbsam
pam password change = Yes
use kerberos keytab = Yes
idmap backend = rid:TEST=10000-1000000
idmap uid = 10000-1000000
idmap gid = 10000-1000000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
valid users = "@TEST\\Usu. de TESTUL0001"
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
cups options = raw

[homes]
comment = Home Directories
browseable = No

[datos]
comment = Directorio Datos
path = /datos
volume = datos




==============================================================
/etc/krb5.conf
--------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms]

TEST.NET = {
kdc = testgc01.test.net
admin_server = testgc01.test.net
default_domain = test.net
}

test.net = TEST.NET
.test.net = TEST.NET

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = no
}



==============================================================
/etc/pam.d/system-auth
--------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
# We restrict access to the users of the group. Because the group name contains spaces, we use the SID, obtained with wbinfo -n "Usu. de TESTUL0001"
auth sufficient pam_winbind.so cached_login use_first_pass require_membership_of=S-1-5-21-2013365486-1763137450-1452329845-72411
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional /lib/security/$ISA/pam_krb5.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so



==============================================================
2- Current ticket
klist

klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_11183
Default principal: usertom@TEST.NET

Valid starting Expires Service principal
01/14/11 14:30:20 01/15/11 00:30:23 krbtgt/TEST.NET@TEST.NET
renew until 01/15/11 14:30:20


Kerberos 4 ticket cache: /tmp/tkt11183



==============================================================
3- Content of krb5.keytab
sudo klist -k

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/testul0001.test.net@TEST.NET
2 host/testul0001.test.net@TEST.NET
2 host/testul0001.test.net@TEST.NET
2 host/testul0001@TEST.NET
2 host/testul0001@TEST.NET
2 host/testul0001@TEST.NET



==============================================================
4- ssh connection to the current host with the current user. If not possible, don't ask for a password (no pubkey configured).
ssh -vv testul0001.test.net -oPasswordAuthentication=no

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to testul0001.test.net [10.16.137.224] port 22.
debug1: Connection established.
debug1: identity file /home/TEST/usertom/.ssh/identity type -1
debug1: identity file /home/TEST/usertom/.ssh/id_rsa type -1
debug1: identity file /home/TEST/usertom/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'testul0001.test.net' is known and matches the RSA host key.
debug1: Found key in /home/TEST/usertom/.ssh/known_hosts:3
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/TEST/usertom/.ssh/identity ((nil))
debug2: key: /home/TEST/usertom/.ssh/id_rsa ((nil))
debug2: key: /home/TEST/usertom/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/TEST/usertom/.ssh/identity
debug1: Trying private key: /home/TEST/usertom/.ssh/id_rsa
debug1: Trying private key: /home/TEST/usertom/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).

Any suggestion?

Last edited by Felipe; 01-16-2011 at 02:52 PM.
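The GSSAPI failure quoted above is reported by the KDC: the SSH client asks for a ticket for host/&lt;canonical hostname&gt;@REALM, and "Server not found in Kerberos database" means no principal with that exact name is registered. The canonical hostname is derived by the Kerberos library from the name typed on the command line: a forward lookup, then (with the MIT default `rdns = true` in `[libdefaults]`) a reverse lookup of the resulting address, so the primary name on the matching `/etc/hosts` line or the PTR record decides which principal is requested. The script below is an added example, not code from the thread or from MIT Kerberos or Samba: it reconstructs that derivation from an `/etc/hosts` file and `klist -k` output (both constructed here, modelled on the post, with `hosts: files dns` from the posted nsswitch.conf assumed so that the hosts file answers first) and reports whether the principal the client will ask for is present in the keytab. A second constructed hosts file shows the common misconfiguration where the address reverse-resolves to an alias for which no principal exists.

```python
"""Work out which service principal an SSH client will request over GSSAPI
and check whether the server's keytab holds a key for it.

Added example for diagnosing "Server not found in Kerberos database";
the inputs are constructed, modelled on a LinuxQuestions.org thread.
"""
import re

# Constructed /etc/hosts, as in the thread: FQDN first, short name as alias.
HOSTS_FILE = """\
# Do not remove the following line, or various programs
# that require network functionality will fail.
10.16.137.224 testul0001.test.net testul0001
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
"""

# Constructed variant: the address reverse-resolves to an alias that has
# no principal in the keytab (and would have no SPN on the AD object).
MISORDERED_HOSTS = """\
10.16.137.224 ssh-gw.test.net testul0001.test.net testul0001
127.0.0.1 localhost.localdomain localhost
"""

# Constructed `klist -k` output, one line per distinct principal.
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testul0001.test.net@TEST.NET
   2 host/testul0001@TEST.NET
"""


def parse_hosts(text):
    """Return a list of (ip, [names...]) tuples; names are lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.append((ip, [n.lower().rstrip(".") for n in names]))
    return entries


def parse_keytab_listing(text):
    """Return the set of principals named in `klist -k` output."""
    principals = set()
    for line in text.splitlines():
        # Data rows are "<kvno> <principal>"; header and ruler rows do not match.
        m = re.match(r"\s*\d+\s+(\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def canonical_name(target, entries, rdns=True):
    """Mimic libkrb5 hostname canonicalisation against an /etc/hosts table.

    Forward-resolve the target, then (if rdns is on) take the primary name of
    the first entry carrying that address, which is what a reverse lookup of
    the hosts file returns. Returns None if the target does not resolve.
    """
    target = target.lower().rstrip(".")
    ip = next((ip for ip, names in entries if target in names), None)
    if ip is None:
        return None
    if not rdns:
        return target
    return next(names[0] for ip2, names in entries if ip2 == ip)


def expected_principal(target, realm, entries, rdns=True):
    """Service principal the SSH client will request for `ssh target`."""
    name = canonical_name(target, entries, rdns)
    return None if name is None else f"host/{name}@{realm}"


def diagnose(target, realm, hosts_text, keytab_text, rdns=True):
    """Report the requested principal and whether the keytab can serve it."""
    entries = parse_hosts(hosts_text)
    keytab = parse_keytab_listing(keytab_text)
    spn = expected_principal(target, realm, entries, rdns)
    if spn is None:
        verdict = "target does not resolve; client cannot even build a principal"
    elif spn in keytab:
        verdict = ("keytab holds the requested principal; if the KDC still says "
                   "'Server not found', the SPN is missing on the AD computer object")
    else:
        verdict = ("client will request a principal the keytab lacks: fix the "
                   "reverse name (primary hosts entry / PTR) or register that SPN")
    return {"principal": spn, "in_keytab": spn in keytab, "verdict": verdict}


if __name__ == "__main__":
    for label, hosts in (("thread hosts file", HOSTS_FILE),
                         ("misordered hosts file", MISORDERED_HOSTS)):
        r = diagnose("testul0001.test.net", "TEST.NET", hosts, KLIST_K_OUTPUT)
        print(f"{label}: {r['principal']} in keytab={r['in_keytab']}: {r['verdict']}")
```

Run against the thread's own hosts file the requested principal is host/testul0001.test.net@TEST.NET and it is present in the keytab, which points the investigation at the KDC side: the SPN has to exist on the computer account in Active Directory, not only in the local keytab. With the misordered file the client asks for host/ssh-gw.test.net@TEST.NET instead, and setting `rdns = false` in `/etc/krb5.conf` makes it ask for the typed name again; on a real host, replace the constructed strings with the output of `getent hosts` and `klist -k`.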
 
Old 01-17-2011, 03:12 AM   #2
Felipe
I forgot to say that I've created krb5.keytab with "net ads keytab create/add", not from the Windows DC. I don't know if it's a problem with the encryption algorithm...

If I create the account with the server account (net ads keytab create -P), the error is different:
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

but the problem continues...


Any suggestion?

Thanks

Last edited by Felipe; 01-17-2011 at 03:35 AM.