
Kerberos Single sign on not working


kannan rbk

May 27, 2013, 4:02:01 PM5/27/13
to kerb...@mit.edu
Dear team,
I am using Kerberos 5. I configured single sign-on in ssh. I had a ticket,
but I cannot log in without a password.
I changed "GSSAPIAuthentication yes" in sshd_config and
"GSSAPIAuthentication yes,GSSDelegateCredentials yes" in ssh_config.
Error trace from "ssh -v":
Cannot connect any kdc server

It is repeated 3 times. In the Kerberos server log, it makes a TGS request 4
times. I am trying to ssh to a CentOS machine from Ubuntu. kinit is working
fine. I am able to log in without a password from CentOS to Ubuntu.

Please help me.

Regards,
Bharathi Kannan R


--
Regards,

Bharathikannan R

Greg Hudson

May 27, 2013, 8:41:21 PM5/27/13
to kannan rbk, kerb...@mit.edu
I don't know what's wrong, but I have some ideas for gathering more
information. From what you've posted, it appears that:

1. kinit can send an AS request to the realm's KDC (because kinit works)
2. kinit can receive an AS reply from the realm's KDC (because kinit works)
3. ssh can send a TGS request to the realm's KDC (because the request
appears in the log)
4. ssh cannot receive a TGS reply from the realm's KDC (because of the
error message in the ssh -v output).

Some things which might help determine what's wrong:

* Set the KRB5_TRACE environment variable to a filename before running
kinit and then ssh. Comparing the resulting trace output may determine
if ssh is somehow behaving differently from kinit.

* Run "kvno host/remote-hostname" to see if you can successfully make
TGS requests from a program other than ssh.

kannan rbk

May 28, 2013, 12:19:14 AM5/28/13
to Greg Hudson, kerb...@mit.edu
Hi,

I think I am a little short on the problem. Thanks for your useful
debugging info. I am trying to connect to the host "kannan", but in the Kerberos
log it tries to connect to "dineshbabu". I pinged the host address "dineshbabu"
and it was not resolved. I also added the host entry for "kannan" to /etc/hosts.
Here is the Kerberos trace log:

Getting credentials ku...@ZMEDIA.ULTRASOUND.COM -> host/dineshbabu.zmedi...@ZMEDIA.ULTRASOUND.COM using ccache FILE:/tmp/krb5cc_845_F19364
Retrieving ku...@ZMEDIA.ULTRASOUND.COM -> host/dineshbabu.zmedi...@ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364 with result: -1765328243/Matching credential not found
Retrieving ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364 with result: 0/success
Found cached TGT for service realm: ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM
Requesting tickets for host/dineshbabu.zmedi...@ZMEDIA.ULTRASOUND.COM, referrals on
Generated subkey for TGS request: aes256-cts/E32A
etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
Sending request (784 bytes) to ZMEDIA.ULTRASOUND.COM
Sending initial UDP request to dgram 192.168.15.201:88
Received answer from dgram 192.168.15.201:88
Response was not from master KDC
TGS reply is for ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM with session key aes256-cts/8082
TGS request result: 0/success
Removing ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM from FILE:/tmp/krb5cc_845_F19364
Storing ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM in FILE:/tmp/krb5cc_845_F19364
Following referral TGT krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM
Requesting tickets for host/dineshbabu.zmedi...@ZMEDIA.ULTRASOUND.COM, referrals on
Generated subkey for TGS request: aes256-cts/91E3
etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
Sending request (804 bytes) to ZMEDIA.ULTRASOUND.COM
Sending initial UDP request to dgram 192.168.15.201:88
Received answer from dgram 192.168.15.201:88
Response was not from master KDC
TGS reply is for ku...@ZMEDIA.ULTRASOUND.COM -> krbtgt/ZMEDIA.ULT...@ZMEDIA.ULTRASOUND.COM with session key aes256-cts/C121
TGS request result: 0/success


Regards,

Bharathi kannan R
--
Regards,

Bharathikannan R

kannan rbk

May 29, 2013, 1:12:28 AM5/29/13
to Greg Hudson, kerb...@mit.edu
Hi,

Thank you so much for your precious time. I mapped the IP address to
"kannan" in our DNS server. Now it's working fine.

Regards,

Bharathikannan R


On Tue, May 28, 2013 at 10:55 PM, Greg Hudson <ghu...@mit.edu> wrote:

> On 05/28/2013 12:19 AM, kannan rbk wrote:
> > I think I am a little short on the problem. Thanks for your useful
> > debugging info. I am trying to connect the host "kannan" but in kerberos
> > log it tries to connect "dineshbabu".
>
> When we convert a hostname to a Kerberos principal, we canonicalize the
> hostname using name resolution: first by performing a forward lookup,
> and then by performing a reverse lookup of the resulting address. Here
> is an example:
>
> $ host ptr-mismatch.kerberos.org
> ptr-mismatch.kerberos.org is an alias for www.kerberos.org.
> www.kerberos.org has address 18.9.62.44
>
> $ host 18.9.62.44
> 44.62.9.18.in-addr.arpa domain name pointer KERBEROS-ORG.MIT.EDU.
>
> $ kvno -S host ptr-mismatch.kerberos.org
> host/kerberos-o...@ATHENA.MIT.EDU: kvno = 4
>
> It seems that on your network, "kannan" canonicalizes to "dineshbabu"
> according to this process.
>
> It is possible to suppress the reverse lookup by setting "rdns = false"
> in the [libdefaults] section of krb5.conf. Unfortunately, this doesn't
> always work on Linux due to a libc bug.
>
>


--
Regards,

Bharathikannan R
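As an added illustration of the canonicalization process Greg describes (forward lookup, then reverse lookup of the resulting address), the Python below simulates it against a constructed in-memory resolver. This is not code from the thread or from MIT krb5; the kerberos.org records mirror the "host" output quoted above, while the zmedia.example names and the 192.168.15.210 address are made up for the "kannan" case.

```python
# Added example, not from the thread or MIT krb5: simulate how a hostname
# becomes a host/ service principal via forward lookup, then (with rdns on)
# a reverse lookup of the address. DNS data is an in-memory stand-in.
from typing import Dict, Optional, Tuple

# Constructed forward records; the kerberos.org entries follow the thread.
CNAME_RECORDS: Dict[str, str] = {"ptr-mismatch.kerberos.org": "www.kerberos.org"}
A_RECORDS: Dict[str, str] = {
    "www.kerberos.org": "18.9.62.44",
    "kannan.zmedia.example": "192.168.15.210",   # constructed
}
# Constructed PTR records: the reverse zone names a different host than the
# one typed, which is the mismatch visible in the trace above.
PTR_RECORDS: Dict[str, str] = {
    "18.9.62.44": "KERBEROS-ORG.MIT.EDU",
    "192.168.15.210": "dineshbabu.zmedia.example",  # constructed
}


def forward_lookup(name: str) -> Tuple[str, str]:
    """Follow CNAMEs to the canonical name; return (name, address)."""
    seen = set()
    while name in CNAME_RECORDS:
        if name in seen:
            raise LookupError(f"CNAME loop at {name}")
        seen.add(name)
        name = CNAME_RECORDS[name]
    if name not in A_RECORDS:
        raise LookupError(f"no address record for {name}")
    return name, A_RECORDS[name]


def canonicalize_host(hostname: str, rdns: bool = True) -> str:
    """rdns=False mirrors 'rdns = false' in [libdefaults]: skip the PTR step."""
    name, addr = forward_lookup(hostname.rstrip(".").lower())
    if rdns:
        name = PTR_RECORDS.get(addr, name)  # no PTR: keep the forward name
    return name.lower()


def host_principal(hostname: str, realm: str, rdns: bool = True) -> str:
    return f"host/{canonicalize_host(hostname, rdns)}@{realm}"


def rdns_changes_principal(hostname: str, realm: str) -> Optional[Tuple[str, str]]:
    """Pre-deployment check: (with rdns, without rdns) if they differ, else None."""
    with_rdns = host_principal(hostname, realm, rdns=True)
    without = host_principal(hostname, realm, rdns=False)
    return (with_rdns, without) if with_rdns != without else None
```

Running rdns_changes_principal over the hosts a keytab is meant to serve tells you, before anyone tries ssh, which names the reverse zone will rewrite and therefore which host/ principals the keytab must actually contain.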