
pamkrbval: KDC policy rejects request for this entry


Richard Curtis

Aug 26, 2008, 2:35:55 PM
to kerb...@mit.edu
Hi,
I am trying to get an HPUX 11i box to authenticate against our
active directory (Windows 2003r2) domain with kerberos but I am
getting nowhere fast.

As per the docs I have, I have created a user account in active
directory, then used "ktpass -princ
host/unix_client.d...@DOMAIN.HOST.COM -mapuser unix_lient
-pass <pass> -out c:\krb5.keytab"
The keytab looks fine when I used ktutil, but I cannot do a kinit... I
keep getting "KDC policy rejects request for this entry"

I am guessing this is more of a Windows/AD config issue, but thought
someone here might have seen this?

cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.HOST.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
ticket_liftetime = 24000
#dns_lookup_kdc = true

[realms]
DOMAIN.HOST.COM = {
kdc = 2003_dc.domain.host.com
kpasswd_server = 2003_dc.domain.host.com:464
}

[domain_realm]
domain.host.com = DOMAIN.HOST.COM
.domain.host.com = DOMAIN.HOST.COM

[logging]
default = FILE:/var/adm/krb5lib.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kKDCmind.log

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

unix_client:/var/adm/syslog >pamkrbval -v

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : DOMAIN.HOST.COM
[LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
[LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
[LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host unix_client, aka unix_client.domain.host.com.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
Principal: host
Host : unix_client.domain.host.com
Realm : DOMAIN.HOST.COM
Version : 23
[LOG] : Pinging KDC to verify whether
host/unix_client.d...@DOMAIN.HOST.COM exists
pamkrbval: KDC policy rejects request for this entry
[WARNING] : The keytab entry for the host service principal
host/unix_client.d...@DOMAIN.HOST.COM is invalid
[FAIL] : The keytab validation failed

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

unix_client:/var/adm/syslog >ktutil -i
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 23 host/unix_clie...@DOMAIN.HOST.COM
ktutil:
ktutil: unix_client:/var/adm/syslog >


unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
host/unix_client.domain.host.com
kinit(v5): KDC policy rejects request while getting initial credentials

Thanks in advance for any help

Regards

Richard

Markus Moeller

Aug 26, 2008, 3:00:43 PM
to kerb...@mit.edu
Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be DES
only. Secondly did you change the password of the unix_client user ? If not
please try to change the password once and re-extract the keytab.

Markus

"Richard Curtis" <ricu...@gmail.com> wrote in message
news:5745a7060808261135s261...@mail.gmail.com...


Douglas E. Engert

Aug 26, 2008, 3:17:31 PM
to Richard Curtis, kerb...@mit.edu

Richard Curtis wrote:
> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.d...@DOMAIN.HOST.COM -mapuser unix_lient
> -pass <pass> -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"
>
> I am guessing this is more of a Windows/AD config issue, but thougt
> someone here might have seen this?

Your krb5.conf is saying use DES-CBC-CRC

You did not specify -DesOnly on the ktpass,
so I bet the krb5.keytab has a RC4-HMAC-NT type key.
If the HP can use RC4, try without the default_*_enctypes
Do you really need the ccache_type = 2 also?

The kvno is 23, so you must have been trying this for a while.
Did the keytabs get out of sync?

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Richard Curtis

Aug 26, 2008, 3:32:28 PM
to Markus Moeller, kerb...@mit.edu
According to the HP release notes (I have Kerberos Client C.1.3.5.05):

The client libraries are based on MIT Kerberos V5 1.3.5 release. The
KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
RFC 1510 of the IETF. This release of Kerberos Client is interoperable
with Microsoft Windows 2000 and 2003.

I will try tomorrow when I am back in the office by setting the
default_*_enctypes to RC4-HMAC... the strange thing is, the HP
configuration guide I am following has a sample krb5.conf and only
mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
is no mention of RC4 in the whole document.
I will try removing default_*_enctypes altogether as well, and failing
that, will have a go with DES encryption only..

If this turns out to be the solution, I will be over the moon... this
has been dragging on for some time :)

I will post back tomorrow with my results.. thanks for the replies so far guys.

Regards

Richard

On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller <hua...@moeller.plus.com> wrote:
> Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
> assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
> MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be DES
> only. Secondly did you change the password of the unix_client user ? If not
> please try to change the password once and re-extract the keytab.
>
> Markus

ricu...@gmail.com

Aug 27, 2008, 4:59:38 AM
I have tried everyone's suggestions, but no joy - although I think I
can narrow down the problem somewhat...

After changing the default_t*_enctypes to be "RC4-HMAC" (and also
removing the lines altogether), I still get the same error...

In the Windows security log on the domain controller, I have a Failure
Audit with a result code from the request of 0xC which from some
searching at Microsoft suggests:
Requested start time is later than end time
or Workstation login restrictions..

From a packet capture using Wireshark, the AS-REQ packet there is an
entry "till: 1970-01-01 00:00:00 (UTC)"
It looks as though the requested lifetime of the packet here is in the
past...

Any suggestions around that?

Regards

Richard


Markus Moeller

Aug 27, 2008, 2:30:32 PM
to kerb...@mit.edu
Can you check that AD and your HP system are time synchronised ? Can you do
a kinit unix_client with the correct password ? Do you have the kvno binary
on the HP platform ? If so can you do a kvno
host/unix_client.domain.host.com and compare the number with the one in the
keytab ?

Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?

Regards
Markus



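As an added illustration of the checks Douglas and Markus suggest above (comparing the keytab's enctype with the krb5.conf enctype policy, and the keytab kvno with what the KDC reports), here is a small Python cross-checker. It is not code from the thread, HP or MIT; the krb5.conf fragment, the `klist -kte` listing, the `kvno` output and the enctype-name table are constructed samples and assumptions.

```python
import re

# Constructed sample: [libdefaults] of a krb5.conf like the one in the thread.
KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.HOST.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
"""
# Constructed sample in the style of `klist -kte /etc/krb5.keytab` for a keytab
# written by ktpass without -DesOnly (RC4-HMAC key, kvno 23).
KLIST_KTE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
  23 08/26/08 14:01:12 host/unix_client.domain.host.com@DOMAIN.HOST.COM (ArcFour with HMAC/md5)
"""
# Constructed sample in the style of `kvno host/unix_client.domain.host.com`,
# assuming the account password was reset again after the keytab was made.
KVNO_OUT = "host/unix_client.domain.host.com@DOMAIN.HOST.COM: kvno = 24\n"
# klist -e prints descriptive enctype names; map the ones relevant to the
# thread back to krb5.conf names (assumed table, not exhaustive).
ENCTYPE_NAMES = {
    "ArcFour with HMAC/md5": "rc4-hmac",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}
def libdefault_enctypes(conf, key="default_tkt_enctypes"):
    """Enctypes set for `key` in [libdefaults], lower-cased; [] if unset."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf, re.M)
    return m.group(1).lower().split() if m else []

def keytab_entries(listing):
    """Parse `klist -kte` lines into (kvno, principal, enctype) tuples."""
    pat = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s+\((.+)\)\s*$", re.M)
    return [(int(k), p, ENCTYPE_NAMES.get(e, e)) for k, p, e in pat.findall(listing)]

def kdc_kvno(kvno_output, principal):
    """Key version the KDC reports for `principal`, or None if not found."""
    m = re.search(re.escape(principal) + r"(?:@\S+)?:\s*kvno\s*=\s*(\d+)", kvno_output)
    return int(m.group(1)) if m else None

def diagnose(conf, listing, kvno_output, principal):
    """Findings for `principal`; an empty list means config, keytab and KDC agree."""
    findings, allowed = [], libdefault_enctypes(conf)
    remote = kdc_kvno(kvno_output, principal)
    for kvno, princ, etype in keytab_entries(listing):
        if princ.split("@")[0] != principal:
            continue  # ignore other principals in the keytab
        if allowed and etype not in allowed:
            findings.append("keytab enctype %s not in default_tkt_enctypes %s" % (etype, allowed))
        if remote is not None and remote != kvno:
            findings.append("kvno mismatch: keytab %d, KDC %d; re-extract the keytab" % (kvno, remote))
    return findings
```

On a real host you would feed it the actual `klist -kte` and `kvno` output; note that `kvno` needs a working TGT first, so it only helps once `kinit` with a user principal succeeds.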
Douglas E. Engert

Aug 27, 2008, 3:30:36 PM
to Markus Moeller, kerb...@mit.edu

Markus Moeller wrote:
> Can you check that AD and your HP system are time synchronised ? Can you do
> a kinit unix_client with the correct password ? Do you have the kvno binary
> on the HP platform ? If so can you do a kvno
> host/unix_client.domain.host.com and compare the number with the one in the
> keytab ?
>
> Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?

This could also be something to do with the use of the 197001010000Z
in the till field of the AS_REQ. This was not in RFC 1510, but is in 4120.
It looks like the HP is adding this. AD 2003 may not accept it. I don't
have any client test code to see if this is an AD problem.


Richard Curtis

Aug 27, 2008, 3:35:11 PM
to Markus Moeller, kerb...@mit.edu
I can get and provide the AS_REQ and AS_REP details tomorrow...
I have removed all the lifetime entries and tried with having enctypes
of just RC4-HMAC, and also having RC4-HMAC, DES-CBC-CRC

One thing about the time differences.. the HPUX host is on GMT, but
the AD host is on BST... so the clocks are both 1 hour apart (exactly
1 hour)..
Unfortunately the UNIX hosts have to remain on GMT year round.
I assume the actual timezone shift is not an issue here ?

kinit unix_client prompts for the password then returns with "KDC
policy rejects request while getting initial credentials"



Tom Yu

Aug 27, 2008, 3:49:10 PM
to Richard Curtis, kerb...@mit.edu
"Richard Curtis" <ricu...@gmail.com> writes:

> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.d...@DOMAIN.HOST.COM -mapuser unix_lient
> -pass <pass> -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"

It may be that the AD server is forbidding the use of the
"host/unix_client.domain.host.com" principal as a client principal.

ricu...@gmail.com

Aug 29, 2008, 6:39:59 AM
I am making some progress with this and no longer believe it to be a
Kerberos issue (not directly)..

Our windows admins have enabled enhanced logging of the KDC service in
Windows, and now instead of just a straight "0xC: KDC Policy rejects
this request", we still get the 0xC error, but we get enhanced info
stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)"

If anyone want to know the registry keys changed to get this logging,
it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel
(DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004)

It looks as though the request is being rejected because AD expects to
find some form of workstation entry for this host. I thought the
ktpass side should cater for this, but obviously I am wrong.

I will continue to investigate this with our Windows admins and will
post back if I fix it.
