LinuxQuestions.org
Old 10-20-2010, 06:04 PM   #1
saial
LQ Newbie
 
Registered: Sep 2008
Distribution: debian lenny, ubuntu 10.04
Posts: 4

Rep: Reputation: 0
(Kerberos Setup) Pre-Auth failed/GSS-API ERROR


I'm setting up Kerberos and I can't log in with kadmin, but I am getting tickets with kinit, my princs are valid, and my DNS resolves with dig/ping. Am I missing something?

kadmin:
Code:
home-plug:/home/steven# kadmin
Authenticating as principal root/admin@SOUR-LAN.LOCAL with password.
Password for root/admin@SOUR-LAN.LOCAL: 
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

auth.log:
Code:
Oct 20 22:18:13 home-plug kadmind[8935]: Seeding random number generator
Oct 20 22:18:20 home-plug krb5kdc[8778]: Interrupted system call - while selecting for network input(1)
Oct 20 22:18:20 home-plug krb5kdc[8778]: shutting down
Oct 20 22:18:20 home-plug krb5kdc[8939]: setting up network...
Oct 20 22:18:20 home-plug krb5kdc[8939]: skipping unrecognized local address family 17
Oct 20 22:18:20 home-plug krb5kdc[8939]: skipping unrecognized local address family 17
Oct 20 22:18:20 home-plug krb5kdc[8939]: listening on fd 7: udp 10.66.1.95.88
Oct 20 22:18:20 home-plug krb5kdc[8939]: listening on fd 8: udp 10.66.1.95.750
Oct 20 22:18:20 home-plug krb5kdc[8939]: listening on fd 9: udp fe80::50:43ff:fe10:7f1d%eth0.88
Oct 20 22:18:20 home-plug krb5kdc[8939]: listening on fd 10: udp fe80::50:43ff:fe10:7f1d%eth0.750
Oct 20 22:18:20 home-plug krb5kdc[8939]: set up 4 sockets
Oct 20 22:18:20 home-plug krb5kdc[8940]: commencing operation
Oct 20 22:18:20 home-plug krb524d[8943]: No dictionary file specified, continuing without one.
Oct 20 22:18:20 home-plug krb524d[8943]: service entry `krb524' not found, using 4444
Oct 20 22:18:30 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: steven@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:18:33 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613113, etypes {rep=18 tkt=18 ses=18}, steven@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL
Oct 20 22:21:25 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: root/admin@HOME-LAN.LOCAL for krbtgt/HOME-LAN.LOCAL@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:21:28 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613288, etypes {rep=18 tkt=18 ses=18}, root/admin@HOME-LAN.LOCAL for krbtgt/HOME-LAN.LOCAL@HOME-LAN.LOCAL
Oct 20 22:21:41 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: root/admin@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:21:45 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613305, etypes {rep=18 tkt=18 ses=18}, root/admin@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL

krb5.conf:
Code:
[libdefaults]
    default_realm = HOME-LAN.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    HOME-LAN.LOCAL = {
        kdc = home-plug.home-lan.local
        admin_server = home-plug.home-lan.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }

[domain_realm]
    .home-lan.local = HOME-LAN.LOCAL
    home-lan.local = HOME-LAN.LOCAL
    .home-plug.home-lan.local = HOME-LAN.LOCAL
    home-plug.home-lan.local = HOME-LAN.LOCAL
    .local = HOME-LAN.LOCAL
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU

[login]
    krb4_convert = true
    krb4_get_tickets = false
 
Old 10-21-2010, 09:49 AM   #2
saial
LQ Newbie
 
Registered: Sep 2008
Distribution: debian lenny, ubuntu 10.04
Posts: 4

Original Poster
Rep: Reputation: 0
I've disabled pre-auth, but I still don't understand why it was failing and I'd like to use it. Anybody know what I'm doing wrong here?
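
Added example, not part of the original posts: a short Python script that pairs the NEEDED_PREAUTH and ISSUE lines from the auth.log excerpt above. In an MIT KDC log, NEEDED_PREAUTH followed by ISSUE for the same client and service is the normal two-step pre-authenticated AS exchange, so the script reports which requests actually ended with a ticket. The function name `as_exchanges` and the `alice` line are assumptions made for this example.

```python
import re

# AS_REQ lines copied from the auth.log excerpt in the post above; the final
# line (alice) is constructed here to show a challenge that is never answered.
AUTH_LOG = """\
Oct 20 22:18:30 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: steven@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:18:33 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613113, etypes {rep=18 tkt=18 ses=18}, steven@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL
Oct 20 22:21:25 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: root/admin@HOME-LAN.LOCAL for krbtgt/HOME-LAN.LOCAL@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:21:28 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613288, etypes {rep=18 tkt=18 ses=18}, root/admin@HOME-LAN.LOCAL for krbtgt/HOME-LAN.LOCAL@HOME-LAN.LOCAL
Oct 20 22:21:41 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: root/admin@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL, Additional pre-authentication required
Oct 20 22:21:45 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: ISSUE: authtime 1287613305, etypes {rep=18 tkt=18 ses=18}, root/admin@HOME-LAN.LOCAL for kadmin/home-plug.home-lan.local@HOME-LAN.LOCAL
Oct 20 22:25:00 home-plug krb5kdc[8940]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.66.1.95: NEEDED_PREAUTH: alice@HOME-LAN.LOCAL for krbtgt/HOME-LAN.LOCAL@HOME-LAN.LOCAL, Additional pre-authentication required
"""

# One krb5kdc AS_REQ line: client address, status word, then "client for service".
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ \(.*?\) (?P<addr>\S+): (?P<status>\w+): "
    r".*?(?P<client>\S+@\S+) for (?P<service>[^\s,]+)"
)

def as_exchanges(log_text):
    """Return {(client, service): outcome} for every AS exchange in the log."""
    outcome = {}
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue  # kadmind, krb524d and startup lines are not AS exchanges
        key = (m["client"], m["service"])
        status = m["status"]
        if status == "NEEDED_PREAUTH":
            # First leg: the KDC asks the client to retry with pre-auth data.
            outcome[key] = "challenged, no ticket issued"
        elif status == "ISSUE":
            # Second leg: the request was accepted and a ticket was issued.
            challenged = outcome.get(key, "").startswith("challenged")
            outcome[key] = "ticket issued " + (
                "after pre-auth" if challenged else "without pre-auth")
        else:
            # Any other status word means the KDC refused the request.
            outcome[key] = "KDC refused: " + status
    return outcome

if __name__ == "__main__":
    for (client, service), result in as_exchanges(AUTH_LOG).items():
        print(f"{client} -> {service}: {result}")
```

On the lines taken from the post, all three exchanges end with a ticket being issued, including root/admin for the kadmin service; only the constructed `alice` request stays at the challenge step.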
 
  


All times are GMT -5. The time now is 07:34 AM.
