Server :: (Kerberos Setup) Cannot Login With Kadmin

Oct 20, 2010

I'm setting up Kerberos and I can't log in with kadmin, but I am getting tickets with kinit, my princs are valid, and my DNS resolves with dig/ping. Am I missing something?

kadmin:

Code:
home-plug:/home/steven# kadmin
Authenticating as principal root/admin@SOUR-LAN.LOCAL with password.
Password for root/admin@SOUR-LAN.LOCAL:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

auth.log:

Code:
Oct 20 22:18:13 home-plug kadmind[8935]: Seeding random number generator
Oct 20 22:18:20 home-plug krb5kdc[8778]: Interrupted system call - while selecting for network input(1)
Oct 20 22:18:20 home-plug krb5kdc[8778]: shutting down
Oct 20 22:18:20 home-plug krb5kdc[8939]: setting up network .....


Server :: Ssh Login Via Windows AD / Kerberos?

Mar 24, 2011

Following the instructions listed here: [URL].. I have a machine set up to use Kerberos authentication for logins. The problem is, logins are now incredibly slow and any user from the AD fails to log in. Here's the output from the server in debug mode:

[Code]...

What I want to do is use a Windows AD with the UNIX extensions to control user logins on CentOS 5.5 servers. Previously I've used OpenLDAP and AD, but that was still two separate auth methods and I just want one.


Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.


Fedora :: Get Connected On Network To Reach Kerberos Server To Login

Aug 9, 2010

I'd like to know if the network-manager applet could be run on the gdm login menu, because I would like to get connected on my network to reach the Kerberos server to log in. nm-applet on gdm


Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection

Feb 19, 2010

I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [besides the SSH keys on the login server] and local user accounts.

1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?

3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server. I want it to only run on eth1; how can this be done?


CentOS 5 :: Unable To Do Kerberos Login?

Mar 10, 2009

I have an NIS server that is working well, and I want to use Kerberos to improve the overall security. I have already installed Kerberos client and server on two machines respectively. Currently the NIS server, Kerberos server, and KDC are running on the same box, and every box is in the same private network. I am having trouble logging in using the user account defined in Kerberos database. Here's /etc/krb5.conf on the client side:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log

[code].....


Ubuntu Security :: [SSH] Gssapi-with-mic Password-less Kerberos Login?

May 13, 2011

I'm trying to login to a server using gssapi-with-mic authentication against one of my school's machines that supports this mode of authentication. I have these kerberos packages installed:

batrick@menzoberranzan:~$ dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5

[code]....


Ubuntu Networking :: Remote Authentication / Login ~ LDAP - Kerberos?

Jul 27, 2011

I am interested in learning about networks in Linux and prefer to use Ubuntu. I hope the title reflects what I really need to know. If not, sorry about that.

I have a requirement: it is to have a server to handle authentication of users, so generally users can use that server to use specific services such as login (to Linux), mail (postfix) and perhaps a file server (to hold user data, let's say what we have on /home/[username]).

I did some reading, and it looks like I will need LDAP and Kerberos. But I couldn't get a good understanding of how to practically deploy such a service. I would be obliged if some of you guys can give me some guidelines on how to achieve my goal. Topics I need to read and books I could refer to would be a plus.

To tell you something about me, I am not a *NIX guy; my knowledge is kinda just above basic.


Server :: Setup An Ssh Server That Doesn't Require A Username,password Or Cert To Login?

Jun 22, 2010

Is it possible to somehow set up an ssh server that doesn't require a username, password or cert to log in? I wish to provide shell access to a console program, which will prompt for a username and password. Encryption is essential though, and users must not be able to snoop in on each other.


Server :: NFSv4 And Kerberos - Access Denied By Server

Mar 28, 2011

I am attempting to Kerberize an NFS server on a RHEL6 machine, but I cannot get it quite right. The error message I receive when executing the following command (as myself, not as root) is:

Code:

I have a keytab generated from the KDC for both NFS server and NFS client (both RHEL6 hosts) placed in /etc, and I have configured PAM/Kerberos so I can login via SSH and see I have a valid ticket with klist.

I can login to both NFS server and NFS client via SSH and get a ticket, but I don't know where the problematic NFS permissions reside.

The /etc/exports file on the NFS server looks like:

Code:

I have disabled IP Tables on both client and server, and hosts.allow and hosts.deny are not blocking traffic at the moment.

On the NFS server, here is the output of rpcinfo:

On the NFS client, here is the output of that same command:


Server :: Ssh And Kerberos In RHEL?

Aug 3, 2010

I have my RHEL4u4 integrated with Active Directory.

I can log on to the computer with username/passwd from AD.

But if I try to use ssh, it doesn't work.

When I try to connect to the same computer using Kerberos I receive these messages:

ssh -vv server.domain.com
....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply

[Code]....

and it tries to use publickey and finally, user/pass.

What do I have to do to use ssh and Kerberos? I use samba for joining the computer to AD. I tried it in Ubuntu 8.04 and likewise-open and it works, but not in RH-Samba.


Server :: Configuring SSH To Access With Kerberos

Jan 14, 2011

I'm trying to configure SSH for accessing with Kerberos. I try to configure an SSO. The computer is joined to Active Directory. I can access with the user/pass from AD (using samba/winbind), but if I try to connect using Kerberos, I get the error:

Server not found in kerberos database.

The server is CentOS 5.5, but I also tried with RHEL 5.5.

Configuration
Domain: net
Realm: TEST.NET
User: usertom
Server ssh: testul0001.test.net
Client ssh: testul0001.test.net (connect to the same computer)
Domain controller: testgc01.test.net .....


Server :: SSH Not Working With Kerberos Authentication?

Jun 16, 2011

Pretty much as described in the thread title. I'm running RHEL6 on both the server and the client. I followed Red Hat's own instructions to set the kdc up. I have a user called krb, that has been added to the KDC and I can get a ticket from the KDC, by using

Code:
kinit -p krb

If I then try to log in to the KDC, from the KDC, with

[code]...


Security :: Secure Samba Server With Kerberos?

Jul 17, 2010

Is it possible to secure a samba server with Kerberos? I want to know whether we can use Kerberos authentication to secure the samba user name and password so that no one can sniff that information. Configuration or any URL link from which I can get the exact configuration.


Server :: Possible To Use Kerberos For Samba Authentication Without A Domain?

Oct 14, 2010

I have a samba server for company file shares but we do not use domain services or active directory service. Each workstation is its own standalone system. (And we want to keep it this way.) I would like to have some centralized authentication though, and it looks like Kerberos will provide that. After a lot of searching though, I can't find any instructions for setting up samba to authenticate users using kerberos without an ADS (active directory service) or domain. Is this possible?


Server :: Install Kerberos On A Local Machine ?

Jun 3, 2010

How to install kerberos on a local machine ?


Fedora Servers :: Set Up 389 DS Server As Kerberos V Principal Database

Dec 3, 2009

I have set up a 389 DS server and a kdc. However there is not a howto or any document concerning setting up the DS as a Kerberos database back-end. Nor is there a 389 DS forum, so I am asking here and hopefully some of you could possibly help or throw in some light as to this kind of setup. I have read the 389 DS features page and the Redhat documents but there is no reference to this feature.


Ubuntu Networking :: Kerberos Authentication For CUPS Server?

Apr 14, 2010

So I was trying to configure my CUPS server and checked the box marked "Use Kerberos Authentication." Now, I cannot change anything and get an unauthorized error every time I try. How can I remove Kerberos? I have access to the local computer as root and can use sudo.


Software :: Kerberos Clients Cannot Find Administrative Server Through DNS

Jun 27, 2010

This problem has taken me the whole Sunday and the only thing I've got left before I start kicking my computer equipment is to ask you guys for help. I have a problem on my client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV-records. Only if I use the relevant directives in the krb5.conf files - it works.

Something is weird regarding the adm server. I mean, without the [realms] stanza, the client does query the DNS properly for the KDC master - it can be tracked in the DNS logs and I mean, even logically - with no [realms] stanza - there is no other place than DNS where it can find this information. So, the actual authentication of the principal works. It's the kadmin-part that exits with the error message above. According to all manuals, books, guides I've read - this shouldn't be happening. The [libdefaults] with default_realm defined in krb5.conf in combination with proper DNS records, should be everything the Kerberos client needs. But apparently not.

I don't remember having any problems like this before. This is the first time in several months I freshly install a KDC. I believe Kerberos packages did get updated a few times since then. Could this be a bug of some kind introduced in a newer version of the libs? I have the latest packages on CentOS 5.3.


Ubuntu Security :: SSH To Server Using GSSAPI/Kerberos Prompts For Password When Using DNS Alias?

Jan 15, 2010

I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has been configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.

My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.

The setup is working fine as long as I connect to the primary server using its hostname:

peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$

If I try to connect via a DNS alias (actually a second CNAME record), I get:

peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$

I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.

I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).

If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.

So:

1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.

2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.


Server :: Unable To Use DBUS After Changing LDAP/Kerberos/NSCD Settings

Apr 23, 2011

We're running an Ubuntu 10.04 LTS network at our company, authenticating against an Openldap/heimdal-kerberos server. Previously, the clients were authenticating against a Windows 2003 Domain without any problems. After modifying the krb.conf, ldap.conf, nsswitch.conf and nscd.conf files to authenticate the machines against the openldap/heimdal setup, we started experiencing strange problems.

One issue is, for example, the polkit-agent-gnome not starting. This component integrates policykit into gnome. It looks like the agent is unable to start due to some kind of delay with DBUS. Starting the agent manually keeps giving errors until about 70 seconds after login, when the agent can be started without problems. During the delay it is also impossible, for instance, to open the "shut down" menu on the top right of gnome. You can click on the menu, but nothing appears. Trying to start the polkit-agent manually gives these errors (I'll be attaching detailed errors when at work!):

Code:

DBus error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken

GLIB ERROR ** default - Not enough memory to set up DBusConnection for use with GLib

It really looks like DBus or something related to it is starting "too late" but I can't seem to find the reason. I'm pretty sure this has to do with some timings or whatever in the krb/ldap config files...


General :: SSH Login - For Additional Users After Password-less Login Setup

Feb 10, 2010

I've set up password-less login for user1 on a Ubuntu machine to login automatically into a Fedora box using the publickey authentication method. Everything is working smoothly. Now, there is a user2 on Fedora but he does not have an account on Ubuntu.

I tried to login as user2 from Ubuntu to but got the following error :

Code:

Predictably neither scp or sftp work either. I have several questions as a result.

1. Is the SSH server rejecting user2 login because I am inadvertently using user1 keys (as I am logged in as user1)?

2. Do I need to have a user2 account on Ubuntu and public/private key authentication setup with Fedora for user2 to be able to login ?

3. Is there a method I can use to password login as user2 from Ubuntu to Fedora (even though there is no user2 account on Ubuntu) AND still keep password-less login for user1 or do I have to have password-less login for both ?

At present the only way to access the user2 account from Ubuntu is to SSH using the user1 account and then su to user2.


Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings

Dec 10, 2009

I wish to set up a network that works like Windows but with Linux of course! It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:

LDAP
NIS
Kerberos

I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.

1. How to setup fedora to act as server for my needs (or other Linux build)

2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)


Server :: Unable To Setup A NIS Server Setup On CentOS System

Jan 19, 2010

We are trying to set up a NIS server on a CentOS system. We need to have a NIS server which can provide NIS authentication to a couple of clients. We are practically new to all this stuff.

Just googled to find some ideas about installing ypserv and ypbind and portmapper. We did all that and also started them successfully. But now the clients are not able to join the NIS domain. The error log states "YP_DOMAIN NOT BOUND".

I guess we have not entered the /etc/yp.conf, /etc/hosts files properly. Please let us know the detailed steps to set up a NIS server.

Also, please let us know what entries should go into the different /etc/<file_names>? What is meant by HOSTNAME in the /etc/hosts file?

Are there any other files which need to be changed? Are we missing any steps?

Also to add on, while executing the ypinit command we faced the following error:

At this point, we have to construct a list of the hosts which will run NIS servers. localhost.localdomain is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a <control D>.
next host to add: localhost.localdomain
next host to add:

The current list of NIS servers looks like this:

Is this correct? [y/n: y] y

Error running Makefile.


Ubuntu Servers :: Server Login Information That Gets Displayed When You Login To A 10.04 Server ?

Apr 9, 2011

I like the server login information that gets displayed when you login to a 10.04 server. It lists disk usage, CPU usage, Temperature etc...

Unfortunately I had problems installing 10.04 from a USB. At the end of the process the master boot record was stored on the USB and not the hard disk.

But now when I login to my server I don't get the server information.


Debian :: Ubuntu Local Mirror Setup For FAI Server Setup?

Apr 24, 2011

I want to setup a FAI server for which I was looking for the best method of mirroring the Debian Lenny. I want to setup a local mirror with the best method available for mirroring. If it is ftpsync, please provide me some best ways of doing it. I tried ftpsync mirroring but that was not getting properly working due to insufficient I want this mirror to be accessible in my FAI setup so that I can start the installation on multiple machines and start the updates and package installation to be done from the same local mirror.


General :: Setup A SMS Server, Appropriate Distribution To Setup A SMS Server?

Oct 22, 2010

How to setup a SMS server using Linux, also want to know the appropriate Linux distribution to setup a SMS server.


Server :: Kerberos - "Failed To Join Domain: Failed To Connect To AD: KDC Has No Support For Encryption Type"

Mar 2, 2011

I am running Red Hat Enterprise Server 6.0. I am having issues getting Kerberos configured as a client to join a domain. I'm getting the below error message: "Failed to join domain: failed to connect to AD: KDC has no support for encryption type"


Fedora :: Install Login Theme / How To Setup Them

Jan 13, 2010

I recently downloaded a login theme, extracted the archive and in the INSTALL file it says: Use 'gdmsetup' to install. I typed gdmsetup in terminal but a command not found message returned. Does anyone know how to set up this theme?


Ubuntu Servers :: Setup Phpmyadmin Login To Use Ssl?

Mar 5, 2010

I am having trouble finding a guide for setting up Apache and Phpmyadmin to use https with the Phpmyadmin login. I can only find snippets of config files in answers here and there, but I can't see the whole picture of how to set up everything from a fresh system. Know where to find a guide?








Copyrights 2005-15 www.BigResource.com, All rights reserved