Old 04-12-2012, 04:58 AM   #1
fritz001
Rhel 6 & kerberos


Hello everyone,

For a couple of days I've been trying to get Kerberos auth working... but so far no luck

so:

my setup:

SERVER - dns in place, domain example1.com

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE1.COM = {
kdc = example1.com
admin_server = example1.com
}

[domain_realm]
.example1.com = EXAMPLE1.COM
example1.com = EXAMPLE1.COM

cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE1.COM *
*/admin *

cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE1.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
}


kadmin.local -p r00t/admin -r EXAMPLE1.COM

addprinc -randkey host/srv1 <-> internal name of server
addprinc -randkey host/test-machine2 <-> internal name of client machine
ktadd -k /etc/krb5.keytab host/srv1
ktadd -k /etc/krb5.keytab host/test-machine2


kadmin.local -q list_principals
Authenticating as principal user1/admin@EXAMPLE1.COM with password.
K/M@EXAMPLE1.COM
r00t/admin@EXAMPLE1.COM
host/srv1@EXAMPLE1.COM
host/test-machine2@EXAMPLE1.COM
kadmin/admin@EXAMPLE1.COM
kadmin/changepw@EXAMPLE1.COM
kadmin/srv1@EXAMPLE1.COM
krbtgt/EXAMPLE1.COM@EXAMPLE1.COM
user1/admin@EXAMPLE1.COM


on test-machine2
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE1.COM = {
kdc = example1.com
admin_server = example1.com
}

[domain_realm]
.example1.com = EXAMPLE1.COM
example1.com = EXAMPLE1.COM

kinit user1/admin

kadmin addprinc -randkey host/test-machine2

kadmin ktadd -k /etc/krb5.keytab host/test-machine2


however ssh from test-machine2 to srv1 failed:

debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)


So... am I doing something wrong?
 
Old 04-13-2012, 05:23 PM   #2
Satyaveer Arya
Though this discussion is in the Ubuntu forum, http://ubuntuforums.org/showthread.php?t=794765, I'm not sure if it will help you, but you can take a look at it; maybe you'll get some help.

BTW, did you go through the docs on the Red Hat website, http://docs.redhat.com/docs/en-US/Re..._Kerberos.html
 
Old 04-14-2012, 05:49 AM   #3
fritz001
Well, problem fixed:
Looks like Kerberos is very picky when it comes to DNS settings: I've got some minor issues with my DNS, but now everything is OK
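Post #3 attributes the fix to DNS. The following is an added example, not code from the thread: it models the forward-then-reverse hostname canonicalization an MIT Kerberos client applies by default before requesting a host/ service ticket, and compares the resulting principal with the server keytab. The lookup tables, the addresses and the FQDN srv1.example1.com are constructed for illustration.

```python
import socket

# Constructed sample data: documentation-range addresses, hypothetical FQDN.
FORWARD = {"srv1": "192.0.2.10", "test-machine2": "192.0.2.20"}
REVERSE = {"192.0.2.10": "srv1.example1.com"}   # no PTR for test-machine2
KEYTAB_SHORT = {"host/srv1@EXAMPLE1.COM"}       # short-name principal, as in post #1
KEYTAB_FQDN = {"host/srv1.example1.com@EXAMPLE1.COM"}

def live_forward(name):
    """A-record lookup against the system resolver."""
    return socket.gethostbyname(name)

def live_reverse(addr):
    """PTR lookup against the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def expected_principal(host, realm, forward=live_forward, reverse=live_reverse):
    """Return (principal, error): forward lookup, then reverse lookup of the address."""
    try:
        addr = forward(host)
    except (KeyError, OSError):
        return None, f"no forward (A) record for {host}"
    try:
        fqdn = reverse(addr).rstrip(".").lower()
    except (KeyError, OSError):
        return None, f"no reverse (PTR) record for {addr}"
    return f"host/{fqdn}@{realm}", None

def check_host(host, realm, keytab, forward=live_forward, reverse=live_reverse):
    """Compare the principal a client would request with the server keytab entries."""
    principal, err = expected_principal(host, realm, forward, reverse)
    if err:
        return f"FAIL: {err}"
    if principal not in keytab:
        return f"FAIL: client will request {principal}, not in keytab"
    return f"OK: {principal}"

if __name__ == "__main__":
    fwd, rev = FORWARD.__getitem__, REVERSE.__getitem__
    for host, keytab in (("srv1", KEYTAB_SHORT), ("srv1", KEYTAB_FQDN),
                         ("test-machine2", KEYTAB_SHORT)):
        print(host, "->", check_host(host, "EXAMPLE1.COM", keytab, fwd, rev))
```

Against live DNS, call check_host with the default resolvers and pass the principals listed by `klist -k /etc/krb5.keytab` on the server.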
 
  

