Re: Kerberos authentication and ldap authorization

There are many difficulties, and YES, there is the documentation
in the FreeBSD handbook, but it did not help me so much; I still have difficulties.

I installed MIT krb5 also, and I am using kadmin from MIT
to manage the krb5 server.


First problem:

kadmin: ktadd -k /etc/krb5.keytab host/host.domain
kadmin: Unsupported key table format version number while adding key to keytab

I can't understand this message. I touched /etc/krb5.keytab,
but via kadmin it is unable to export the krb5 key I added before
with

addprinc -randkey host/host.domain

I also did chmod 777 krb5.keytab, to no effect.

In the end I exported it from the KDC and copied it by hand to
/etc/krb5.keytab on my client FreeBSD box, but I do not know
if it will work this way.

Anyway, now I have another problem.
I am not able to configure ssh to log in via Kerberos.

I tried everything:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Then I changed /etc/pam.d/sshd

# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_permit.so

# password
password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass


and ssh won't authenticate via Kerberos:

Mar 7 10:27:24 bastionbox1 sshd[1019]: Invalid user myself from 131.x.y.z
Mar 7 10:27:33 bastionbox1 sshd[1019]: error: PAM: authentication error for illegal user myself from mylapdop.domain


I must be missing something; I do not know what...

Actually I do not think this scenario is commonly used by BSD users,
and I cannot find documentation to help myself; anyway, I need this scenario, which was implemented on Linux before.
I do not want to use Linux anyway for this purpose (bastion SSH
box for public login via krb5/ldap).
In the end, anyway, the scenario needs to be krb5 for authentication
and LDAP for authorization.

For now I am not able to authenticate via krb5.

Any hints?

Thanks

Rick

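A small check for the first problem above, added here as an example and not part of the thread: MIT kadmin reports "Unsupported key table format version number" when /etc/krb5.keytab already exists but is not a keytab, which is exactly what a zero-length file from touch looks like. The script below inspects the header bytes and the file mode; the sample files and their paths are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a keytab before ktadd.
# A keytab starts with 0x05 0x02 (format version 2) or 0x05 0x01
# (version 1). ktadd creates the file itself if it does not exist, so an
# empty placeholder from "touch" only gets in the way.

# Returns 0 ok, 1 empty/unusable header, 2 file absent, 3 mode too open.
keytab_check() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "absent: $f (fine, ktadd creates it)"
        return 2
    fi
    if [ ! -s "$f" ]; then
        echo "empty: $f - remove it and let ktadd create it"
        return 1
    fi
    # first two bytes as hex, e.g. "0502"
    hdr=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    case "$hdr" in
        0502|0501) ;;
        *) echo "not a keytab: $f (header $hdr)"; return 1 ;;
    esac
    # The keytab holds the host's long-term key: world-readable (chmod 777)
    # lets any local user impersonate the host service. Want 0600, root-owned.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "too open: $f is world-readable, chmod 600 it"
        return 3
    fi
    echo "ok: $f"
    return 0
}

# Constructed sample files standing in for the states /etc/krb5.keytab can be in.
demo=$(mktemp -d)
: > "$demo/touched.keytab"                                  # after "touch"
printf '\005\002' > "$demo/good.keytab"; chmod 600 "$demo/good.keytab"
printf '\005\002' > "$demo/open.keytab"; chmod 644 "$demo/open.keytab"
printf 'not a keytab' > "$demo/junk.keytab"; chmod 600 "$demo/junk.keytab"

for k in touched good open junk; do
    keytab_check "$demo/$k.keytab" || :
done
```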

On Tue, 6 Mar 2007, Tillman Hodgson wrote:

On Tue, Mar 06, 2007 at 10:07:57AM -0700, RJ45 wrote:
For example, I would like to install the MIT krb5 implementation from ports
instead of using the Heimdal default, because the Kerberos server
on my network is an MIT server and I can't use kadmin on FreeBSD
to administer the Kerberos server remotely using the Heimdal implementation.
Does anyone have experience of the MIT krb5 implementation on FreeBSD?

The handbook has a chapter on setting up Kerberos, albeit focused on Heimdal.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

In section 14.8.6 it notes that the kadmin protocol differs between
Kerberos implementations -- you have to use the MIT kadmin to administer
a remote MIT KDC.

Other than the kadmin bits (which are fairly different between the two
but aren't used by end-users anyway), it's pretty much transparent to a
Kerberos-enabled workstation which implementation it's using. I
typically install both (to different paths to avoid file conflicts)
because I like using the newest Heimdal rather than the one in base and
also because the included client applications differ. For example, MIT
has Kerberos rsh whereas the base Heimdal doesn't for some of the
platforms that I use.

If you run into any specific issues when setting it up, please post back
to the list and cc me and I'll give you a hand.

-T


--
"I once bought a cellphone that had a little sticker on the box that said
'DO NOT EAT PACKAGING MATERIAL'. There went another freebie snack at the
office."
- A.S.R. quote (Andreas "Buzh" Skau)
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
