LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 01-14-2011, 08:18 AM   #1
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Rep: Reputation: 31
Unhappy ssh and kerberos error: Server not found in Kerberos database


Hallo:

I'm trying to configure SSH for accessing with kerberos. I try to configure a SSO.

The computer is joined to Active Directory. I can access with the user/pass from AD (using samba/winbind), but if I try to connect using kerberos, the error:
Server not found in kerberos database.

The server is CentOS 5.5, but also tried with RHEL 5.5.

Please, can any tell me what's wrong?

Thanks



==============================================================
Configuration
Domain: net
Realm: TEST.NET
User: usertom
Server ssh: testul0001.test.net
Client ssh: testul0001.test.net (connect to the same computer)
Domain controler: testgc01.test.net



==============================================================
1- File configuration



==============================================================
/etc/hosts
--------------------------------------------------------------
# Do not remove the following line, or various programs
# that require network functionality will fail.
10.16.137.224 testul0001.test.net testul0001
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6



==============================================================
/etc/nsswitch.conf
--------------------------------------------------------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus




==============================================================
/etc/samba/smb.conf
--------------------------------------------------------------
[global]
workgroup = TEST
realm = TEST.NET
server string = Samba Server Version %v
security = ADS
password server = testgc01.test.net
passdb backend = tdbsam
pam password change = Yes
use kerberos keytab = Yes
idmap backend = rid:TEST=10000-1000000
idmap uid = 10000-1000000
idmap gid = 10000-1000000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
valid users = "@TEST\\Usu. de TESTUL0001"
read only = No
create mask = 0770
directory mask = 0770
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
cups options = raw

[homes]
comment = Home Directories
browseable = No

[datos]
comment = Directorio Datos
path = /datos
volume = datos




==============================================================
/etc/krb5.conf
--------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h

[realms]

TEST.NET = {
kdc = testgc01.test.net
admin_server = testgc01.test.net
default_domain = test.net
}

test.net = TEST.NET
.test.net = TEST.NET

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = no
}



==============================================================
/etc/pam.d/system-auth
--------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth requinet pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
# Limitamos el acceso a los usuarios del grupo. Como tiene espacios, ponemos el sid, obtenido con wbinfo -n "Usu. de TESTUL0001"
auth sufficient pam_winbind.so cached_login use_first_pass require_membership_of=S-1-5-21-2013365486-1763137450-1452329845-72411
auth requinet pam_deny.so

account requinet pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account requinet pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password requinet pam_deny.so

session optional pam_keyinit.so revoke
session requinet pam_limits.so
session optional /lib/security/$ISA/pam_krb5.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session requinet pam_unix.so



==============================================================
2- Current tiquet
klist

klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_11183
Default principal: usertom@TEST.NET

Valid starting Expires Service principal
01/14/11 14:30:20 01/15/11 00:30:23 krbtgt/TEST.NET@TEST.NET
renew until 01/15/11 14:30:20


Kerberos 4 ticket cache: /tmp/tkt11183



==============================================================
3- Content of krb5.keytab
sudo klist -k

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/testul0001.test.net@TEST.NET
2 host/testul0001.test.net@TEST.NET
2 host/testul0001.test.net@TEST.NET
2 host/testul0001@TEST.NET
2 host/testul0001@TEST.NET
2 host/testul0001@TEST.NET



==============================================================
4- ssh connection to current host with current user. If not possible, don't ask password (no pubkey configunet).
ssh -vv testul0001.test.net -oPasswordAuthentication=no

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to testul0001.test.net [10.16.137.224] port 22.
debug1: Connection established.
debug1: identity file /home/TEST/usertom/.ssh/identity type -1
debug1: identity file /home/TEST/usertom/.ssh/id_rsa type -1
debug1: identity file /home/TEST/usertom/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'testul0001.test.net' is known and matches the RSA host key.
debug1: Found key in /home/TEST/usertom/.ssh/known_hosts:3
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/TEST/usertom/.ssh/identity ((nil))
debug2: key: /home/TEST/usertom/.ssh/id_rsa ((nil))
debug2: key: /home/TEST/usertom/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/TEST/usertom/.ssh/identity
debug1: Trying private key: /home/TEST/usertom/.ssh/id_rsa
debug1: Trying private key: /home/TEST/usertom/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).

Any suggestion?

Last edited by Felipe; 01-16-2011 at 02:52 PM.
 
Old 01-17-2011, 03:12 AM   #2
Felipe
Member
 
Registered: Oct 2006
Posts: 294

Original Poster
Rep: Reputation: 31
I forgot to say that I've create krb5.keytab with "net ads keytab create/add", not from Windows DC. I don't know if it's a problem with encryption algorithm...

If I create the account with sever account (net ads keytab create -P), the the error is different:
...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
...

but the problem continues...


Any suggestion?

Thanks

Last edited by Felipe; 01-17-2011 at 03:35 AM.
 
  


Reply

Tags
kerberos


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
kinit(v5): Client not found in Kerberos database while getting initial credentials greensuman Linux - Software 0 12-22-2010 01:23 AM
SSH w/ Kerberos ibaniski Linux - Security 0 11-11-2010 08:44 AM
Kerberos and SSH l0rddarkf0rce Linux - Server 0 10-26-2008 04:50 PM
SSH and Kerberos l0rddarkf0rce Ubuntu 0 10-26-2008 02:30 AM
Kerberos database replication sarajevo Linux - Security 1 10-12-2007 07:56 PM


All times are GMT -5. The time now is 03:15 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration