kerberos, hpux 11.11, ssh
Christopher D. Clausen
cclausen at acm.org
Tue May 8 18:27:50 EDT 2007
Wilson, Michael <michael.wilson at diebold.com> wrote:
> Hello,
>
> We are running into problems with the installation of Kerberos V5 on
> an hpux 11.11 machine.
>
> When we try to login using Active Directory Authentication we get the
> following in our debug.log file:
>
> May 8 09:59:21 PAM: load_function: successful load of
> pam_sm_authenticate
> May 8 09:59:21 PAM: pam_set_item(8)
> May 8 09:59:21 PAM: load_modules: /usr/lib/security/libpam_unix.1
> May 8 09:59:41 PAM: pam_set_item(6)
> May 8 09:59:41 PAM: [Cannot find KDC for requested realm] Unable to
> verify Kerberos V5 TGT: [abc.diebold.com]
> May 8 09:59:41 PAM: Kerberos V5 TGT bad: Cannot find KDC for
> requested realm
It appears that you do not have host keytabs set up. (Or have them set up
incorrectly.) You need to use ktpass.exe on Windows to generate host
keytabs for your machines and copy the generated keytabs to the correct
location on the hpux systems. I'm not sure where that is on HPUX, but
it's usually /etc/krb5.keytab (Linux) or /etc/krb5/krb5.keytab (Solaris).
You also must have a properly configured hostname and /etc/hosts file
for this system, and proper DNS, etc.
What does klist -kte (as root) list?
> May 8 09:59:21 PAM: load_function: successful load of
> pam_sm_authenticate
> May 8 09:59:41 PAM: while verifying tgt[Unknown code ____ 255]
>
> We can login using KDC/AD credentials by using kinit. The ticket gets
> created and is placed in the /tmp directory
> We verify that there was a ticket made and when it will expire by
> using the klist. It works as well along with kdestroy.
Kinit doesn't use the host keytab to verify the KDC. It uses the fact
that the user knows their password. In order for the hpux machine to
verify that it is communicating with the correct KDC it needs its own
password, in the form of a host keytab.
Do you need to specify the realm name when you kinit?
What does your krb5.conf file look like and what AD realm do you need to
use?
> When we type login from the command prompt to try logging back into
> the same localhost or another hpux machine
> we get the same error as mentioned above.
>
> We have Linux machines running RHEL 4 and Kerberos that work just
> fine.
It is highly likely that your Linux machines are not as secure as they
could be as they probably are NOT verifying that the KDC they
communicate with is not being spoofed. You really should have a host
keytab on your Linux machines as well, but for some reason a large
number of Linux vendors default to allowing authentication without the
host keytab. It seems that real UNIX vendors (Sun for Solaris, IBM for
AIX, etc.) require the host keytab by default and require a
configuration change to ignore the missing keytab problem.
<<CDC
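As an added example (not part of this thread), a small Python check that reads the `klist -kte` output and the krb5.conf the reply asks about and reports whether the host keytab entry PAM needs to verify the TGT is present. The hostnames, realm and KDC below are constructed placeholders, not values from the post.

```python
import re

# Constructed sample output of `klist -kte` (MIT format); not from the post.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   3 05/08/07 09:00:00 host/hpux01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 05/08/07 09:00:00 host/hpux01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# Constructed minimal krb5.conf; realm and KDC name are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

# One keytab entry line: KVNO, date, time, principal@REALM, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")


def parse_klist_kte(text):
    """Return (kvno, principal, realm, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def default_realm(conf_text):
    """Return default_realm from the [libdefaults] section of krb5.conf, or None."""
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                return value.strip()
    return None


def host_keytab_ok(klist_text, conf_text, fqdn):
    """True if the keytab holds host/<fqdn>@<default_realm>: without that key
    the machine cannot confirm the TGT came from the real KDC (KDC spoofing)."""
    realm = default_realm(conf_text)
    if realm is None:
        return False
    return any(p == f"host/{fqdn}" and r == realm
               for _, p, r, _ in parse_klist_kte(klist_text))
```

Feed it the real `klist -kte` and krb5.conf text plus the machine's FQDN from `hostname`; a False result matches the "Unable to verify Kerberos V5 TGT" symptom in the log above.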