Hello everyone,
For a couple of days I have been trying to get Kerberos (GSSAPI) authentication for ssh working, but so far with no luck.
so:
my setup:
SERVER — DNS is in place; the domain is example1.com. (Going by the kadmin/srv1 principal listed below, the KDC/kadmind host itself appears to be srv1, so example1.com must resolve to that host for the `kdc = example1.com` entries in krb5.conf to work.)
/etc/krb5.conf
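# Server-side /etc/krb5.conf. The three log settings below are only valid under
# a [logging] section; the header was missing from the original paste (the
# client copy of this file has it).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE1.COM
# No DNS-based discovery: the only KDC used is the one named under [realms],
# and only the [domain_realm] entries below map host names to the realm, so
# those entries have to be exact.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Makes every TGT forwardable. The ssh -v output further down shows the client
# "Delegating credentials", i.e. forwarding the TGT to the ssh server, which
# can then act as the user. Leave this on only if srv1 is trusted with the
# user's credentials.
forwardable = true

[realms]
EXAMPLE1.COM = {
# KDC and kadmind are addressed by the bare domain name. The principal list
# below contains kadmin/srv1, which suggests the real host is srv1, so
# example1.com must resolve to it.
kdc = example1.com
admin_server = example1.com
}

[domain_realm]
# Maps names under example1.com to the realm. Since neither
# dns_canonicalize_hostname nor rdns is set here, a short target such as
# "srv1" is canonicalised through DNS first, and the service principal a
# GSSAPI client then requests is host/srv1.example1.com@EXAMPLE1.COM —
# compare with the host/ principals that actually exist in the KDC listing
# (host/srv1 only).
.example1.com = EXAMPLE1.COM
example1.com = EXAMPLE1.COM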
cat /var/kerberos/krb5kdc/kadm5.acl
# Any principal with the instance "admin" (in the listing below: r00t/admin and
# user1/admin) receives every kadmin privilege ("*"): it can add, delete and
# re-key any principal, including krbtgt and the host/ keys. Treat these
# accounts as root-equivalent for the realm and keep them off client machines.
*/admin@EXAMPLE1.COM *
# Unqualified entry: krb5 fills in the default realm, so this appears to
# duplicate the rule above. Keep a single, realm-qualified rule so the grant
# is unambiguous.
*/admin *
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
# UDP and TCP listeners on the standard port; the client krb5.conf below does
# not override the port, so these must stay in sync.
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE1.COM = {
# Left commented out, so the master key type is whatever this krb5 build
# defaults to. Check the enctypes actually issued with `klist -e` after kinit.
#master_key_type = aes256-cts
# Admin rights are decided by the ACL shown below (kadm5.acl).
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Dictionary check for passwords set through kadmin; it has no effect on the
# -randkey host principals created further down.
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): the pasted block ends here without the closing "}"; anything
# after admin_keytab (e.g. supported_enctypes, if present) was cut off.
kadmin.local -p r00t/admin -r EXAMPLE1.COM
addprinc -randkey host/srv1            <- short (non-FQDN) host name of the server
addprinc -randkey host/test-machine2   <- short (non-FQDN) host name of the client machine
ktadd -k /etc/krb5.keytab host/srv1
ktadd -k /etc/krb5.keytab host/test-machine2
Two things to check here. First, a GSSAPI ssh client asks the KDC for host/<canonical name of the target>@REALM; unless DNS canonicalisation is disabled in krb5.conf (it is not, above), `ssh srv1` will look for host/srv1.example1.com@EXAMPLE1.COM, while the only host principal created for the server is host/srv1. Second, the last ktadd stores the client's host key in the server's keytab, where nothing needs it; each ktadd also replaces the principal's key with a fresh random one (bumping its kvno), so every later ktadd of host/test-machine2 invalidates the copies extracted before it.
kadmin.local -q list_principals
Authenticating as principal user1/admin@EXAMPLE1.COM with password.
K/M@EXAMPLE1.COM
r00t/admin@EXAMPLE1.COM
host/srv1@EXAMPLE1.COM
host/test-machine2@EXAMPLE1.COM
kadmin/admin@EXAMPLE1.COM
kadmin/changepw@EXAMPLE1.COM
kadmin/srv1@EXAMPLE1.COM
krbtgt/EXAMPLE1.COM@EXAMPLE1.COM
user1/admin@EXAMPLE1.COM
on test-machine2
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE1.COM
# No DNS-based discovery: the KDC named under [realms] is the only one used,
# and only the [domain_realm] entries below map host names to the realm.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Every TGT from kinit is forwardable. The ssh -v output below shows the client
# "Delegating credentials", i.e. it forwards the TGT to srv1, which can then
# act as the user. Turn this off (or disable GSSAPIDelegateCredentials in
# ssh_config) unless srv1 is trusted with the user's credentials.
forwardable = true
[realms]
EXAMPLE1.COM = {
# KDC and kadmind addressed by the bare domain name; the kadmin/srv1 principal
# in the KDC listing suggests the actual host is srv1, so example1.com has to
# resolve to it.
kdc = example1.com
admin_server = example1.com
}
[domain_realm]
# Only names under example1.com map to the realm. With the defaults (this file
# sets neither dns_canonicalize_hostname nor rdns), "ssh srv1" canonicalises
# the target through DNS, and GSSAPI then asks the KDC for
# host/srv1.example1.com@EXAMPLE1.COM — compare with the host/ principals
# that actually exist in the KDC (host/srv1 only).
.example1.com = EXAMPLE1.COM
example1.com = EXAMPLE1.COM
kinit user1/admin
kadmin addprinc -randkey host/test-machine2
kadmin ktadd -k /etc/krb5.keytab host/test-machine2
Notes on this step: host/test-machine2 already exists (it was created and listed on the server above), so the addprinc should have been rejected, and the ktadd re-keys the principal once more, leaving the copy written to srv1's /etc/krb5.keytab earlier stale — harmless, since only sshd on srv1 needs a host key, and that key is host/<srv1's canonical name>, not the client's. Also, the ticket now in the client's credential cache is for user1/admin@EXAMPLE1.COM, a two-component principal: under the default auth_to_local rule it does not map to the local user "user1" on srv1, so even once the GSS context is established the login would need a ~/.k5login entry for it. A plain user principal is a better test subject, and the admin instance should not be used (or cached) on client machines.
However, ssh from test-machine2 to srv1 fails; the relevant part of the client-side `ssh -v` output (the GSSAPI attempts) is:
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
So — am I doing something wrong? Things worth checking next: from test-machine2 run `KRB5_TRACE=/dev/stderr ssh -vvv srv1` and then `klist`, to see which host/... service principal the client asked for and whether the KDC issued a ticket for it (krb5kdc.log on the server shows the same request); on srv1 run `klist -kte /etc/krb5.keytab` and confirm the keytab holds that exact principal with the enctypes the KDC issues, that /etc/krb5.keytab is root-owned with mode 0600, and that sshd_config has `GSSAPIAuthentication yes`.