Software :: Kerberos Clients Cannot Find Administrative Server Through DNS

Jun 27, 2010

This problem has taken me the whole Sunday and the only thing I've got left before I start kicking my computer equipment is to ask you guys for help. I have a problem on my client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV-records. Only if I use the relevant directives in the krb5.conf files - it works.

Something is weird regarding the adm server. I mean, without [realms] stanza, the client does query the DNS properly for the KDC master - it can be tracked in the DNS logs and I mean, even logically - with no [realms] stanza - there is no other place than DNS where it can find this information. So, the actual authentication of the principal works. It's the kadmin-part that exits with the error message above. According to all manuals, books, guides I've read - this shouldn't be happening. The [libdefaults] with default_realm defined in krb5.conf in combination with proper DNS records, should be everything kerberos client needs. But apparently not. I don't remember having any problems like this before. This is the first time in several months I freshly install a KDC. I believe Kerberos packages did get updated a few times since then. Could this be a bug of some kind introduced in a newer version of libs? I have the latest packages on CentOS 5.3.


Server :: NFSv4 And Kerberos - Access Denied By Server

Mar 28, 2011

I am attempting to Kerberize an NFS server on a RHEL6 machine, but I cannot get it quite right. The error message I receive when executing the following command (as myself, not as root) is:

Code:

I have a keytab generated from the KDC for both NFS server and NFS client (both RHEL6 hosts) placed in /etc, and I have configured PAM/Kerberos so I can login via SSH and see I have a valid ticket with klist.

I can login to both NFS server and NFS client via SSH and get a ticket, but I don't know where the problematic NFS permissions reside.

The /etc/exports file on the NFS server looks like:

Code:

I have disabled IP Tables on both client and server, and hosts.allow and hosts.deny are not blocking traffic at the moment.

On the NFS server, here is the output of rpcinfo:

On the NFS client, here is the output of that same command:


General :: Find And Allow Ssh Clients?

Mar 29, 2010

Is there any way to find out from this machine, this user is logged into my machine using any mechanism or command?

Also I can allow this users can put ssh to my system. Is it possible?


Server :: Ssh And Kerberos In RHEL?

Aug 3, 2010

I've my RHEL4u4 integrated with Active Directory.

I can logon to computer with username/passwd from AD.

But if I try to use ssh, it doesn't work.

When I try to connect to the same computer using kerberos I receive these messages:

ssh -vv server.domain.com
....
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply

[Code]....

and it tries to use publickey and finally, user/pass.

What do I have to do to use ssh and kerberos? I use samba for joining computer to AD. I tried it in ubuntu 8.04 and likewise-open and it works, but not in RH-Samba.


Server :: Configuring SSH To Access With Kerberos

Jan 14, 2011

I'm trying to configure SSH for accessing with kerberos. I try to configure a SSO. The computer is joined to Active Directory. I can access with the user/pass from AD (using samba/winbind), but if I try to connect using kerberos, the error:

Server not found in kerberos database. The server is CentOS 5.5, but also tried with RHEL 5.5.

Configuration
Domain: net
Realm: TEST.NET
User: usertom
Server ssh: testul0001.test.net
Client ssh: testul0001.test.net (connect to the same computer)
Domain controller: testgc01.test.net .....


Server :: Ssh Login Via Windows AD / Kerberos?

Mar 24, 2011

Following the instructions listed here: [URL].. I have a machine set up to use Kerberos authentication for logins. The problem is, logins are now incredibly slow and any user from the AD fails to log in. Here's the output from the server in debug mode:

[Code]...

What I want to do is use a Windows AD with the UNIX extensions to control user logins on CentOS 5.5 servers. Previously I've used OpenLDAP and AD, but that was still two separate auth methods and I just want one.


Server :: SSH Not Working With Kerberos Authentication?

Jun 16, 2011

Pretty much as described in the thread title. I'm running RHEL6 on both the server and the client. I followed Red Hat's own instructions to set the kdc up. I have a user called krb, that has been added to the KDC and I can get a ticket from the KDC, by using

Code:
kinit -p krb
If I then try to log in to the KDC, from the KDC, with

[code]...


Software :: Clients Cannot Find Network Scanner?

Feb 5, 2009

I currently have a network with an older machine, which is (usually) operated in headless mode as a data & backup server, with a fixed IP of 192.168.0.10. I have two client machines, a desktop & a laptop, which use DHCP. All three computers are running Slackware-12.2, the clients with a full install & the server without any X components. I want to set the server to serve a scanner & have been following this link, which is mostly a rewrite of the man page for sane.d. I set up saned per the article, adding the saned:saned user. 'scanimage -L' works for both root & my local user on the server. I can ssh into the server as my desktop user & 'scanimage -L' works. Ditto if I ssh into the server, then 'su -' to root. I can scan either locally from the server or via ssh from the desktop machine. BUT, I cannot get the scanner recognized on the network. On the server, I have this line in /etc/sane.d/saned.conf:

Code:

192.168.0.0/24

this line in /etc/services:

Code:

sane-port 6566/tcp #SANE network scanner daemon

& this line in /etc/inetc.conf:

Code:

sane-port stream tcp nowait saned:saned /usr/sbin/saned saned

I have changed the line in /etc/sane.d/saned.conf to just "+", for testing. That didn't work either. On the clients, I have these two uncommented lines in /etc/sane.d/net.conf:

[code]....

My server user is in the same groups, less vboxusers. The server is identified in /etc/hosts & I can connect to it via ssh & mount nfs shares from it. What am I (not) doing that is killing network scanning?


Security :: Secure Samba Server With Kerberos?

Jul 17, 2010

Is it possible to secure samba server with kerberos? I want to know whether we can use kerberos authentication to secure samba user name and password so that no one can sniff that information. configuration or any URL link from I can get the exact configuration.


Server :: Possible To Use Kerberos For Samba Authentication Without A Domain?

Oct 14, 2010

I have a samba server for company file shares but we do not use domain services or active directory service. Each workstation is its own standalone system. (And we want to keep it this way.) I would like to have some centralized authentication though, and it looks like Kerberos will provide that. After a lot of searching though, I can't find any instructions for setting up samba to authenticate users using kerberos without an ADS (active directory service) or domain. Is this possible?


Server :: (Kerberos Setup) Cannot Login With Kadmin

Oct 20, 2010

I'm setting up kerberos and I can't login with kadmin but I am getting tickets with kinit, my princs are valid, and my dns resolves with dig/ping, am I missing something?:

kadmin:

Code:
home-plug:/home/steven# kadmin
Authenticating as principal root/admin@SOUR-LAN.LOCAL with password.
Password for root/admin@SOUR-LAN.LOCAL:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

auth.log

Code:
Oct 20 22:18:13 home-plug kadmind[8935]: Seeding random number generator
Oct 20 22:18:20 home-plug krb5kdc[8778]: Interrupted system call - while selecting for network input(1)
Oct 20 22:18:20 home-plug krb5kdc[8778]: shutting down
Oct 20 22:18:20 home-plug krb5kdc[8939]: setting up network .....


Server :: Install Kerberos On A Local Machine ?

Jun 3, 2010

How to install kerberos on a local machine ?


Ubuntu Networking :: Find Out More About A MAC Address In My DHCP Clients

Mar 8, 2011

I don't really have a reason for this currently. I recognize all the MAC addresses on my DHCP client list and keep it rather well locked down. I was just wondering if there was something I could run on the terminal to get more information on a given MAC address on my network. Something kind of like whois for websites.


Fedora Servers :: Set Up 389 DS Server As Kerberos V Principal Database

Dec 3, 2009

I have set up a 389 DS server and a kdc. However there is not a howto or any document concerning setting up the DS as a Kerberos database back-end. Nor is there a 389 DS forum, so I am asking here and hopefully some of you could possibly help or throw in some light as to this kind of setup. I have read the 389 DS features page and the Redhat documents but there is no reference to this feature.


Ubuntu Networking :: Kerberos Authentication For CUPS Server?

Apr 14, 2010

So I was trying to configure my CUPS server and checked the box marked "Use Kerberos Authentication." Now, I cannot change anything and get an unauthorized error every time I try. How can I remove Kerberos? I have access to the local computer as root and can use sudo.


Fedora :: Unable To Find Matching CELT Codecs With Other Clients?

Jan 26, 2011

Each time I connect to a Mumble server, this appears:

Quote: Unable to find matching CELT codecs with other clients. You will not be able to talk to all users.

Apparently that is the cause for not being able to hold a conversation on mumble. Nobody can hear me, though I can't specify if I can hear others at the moment. Some googling has led me to this:

Gentoo Bug #293300
media-sound/mumble-1.2.0_beta1 tries to load media-libs/celt-0.7.0 as
"libcelt.so.0.7.0", but the actually installed library is named
"libcelt.so.0.0.0". Thus CELT support in Mumble is supposedly missing, but can
be restored by symlinking libcelt.so.0.7.0 to libcelt.so.0.0.0.

[Code]...


Fedora :: Get Connected On Network To Reach Kerberos Server To Login

Aug 9, 2010

I'd like to know if network-manager applet could be run on gdm login menu. Because I would like to get connected on my network to reach kerberos server to login. nm-applet on gdm


Ubuntu Security :: SSH To Server Using GSSAPI/Kerberos Prompts For Password When Using DNS Alias?

Jan 15, 2010

I have a Kerberos/LDAP/OpenAFS server running on Debian lenny, set up according to Davor Ocelic's excellent guide here (url). SSHd has been configured to use GSSAPI auth and the clients have been configured to pass auth tokens through to the server.

My clients are all Ubuntu 9.10 x86 fully patched. On the clients, OpenAFS has been compiled and installed as a kernel module and git 1.6.6 has been compiled from source and installed. Otherwise, all software is stock Ubuntu repository-ware.

The setup is working fine as long as I connect to the primary server using its hostname:

peter@client01:~$ ssh nana
<connection goes through seamlessly without prompting>
peter@nana:~$

If I try to connect via a DNS alias (actually a second CNAME record), I get:

peter@client01:~$ ssh git1
peter@git1's password:
<connection completes>
peter@nana:~$

I need both passwordless auth and the DNS alias working, as it's internal policy that user connections are only ever made to service names, not real hostnames.

I have tried adding a second host principal to Kerberos for the alias (git1.darling.local) in addition to the host principal for the hostname (nana.darling.local).

If I turn off PasswordAuthentication in sshd_config, then "ssh git1" doesn't even fall through to passwords; it just denies logins. So it looks like it's not even using GSSAPI for the DNS alias.

So:

1) Is what I want even possible? I can't find anything that indicates that there's anything odd about DNS aliases such that this should happen.

2) Which config files should I post to help debug this? There's a lot and I didn't want to start blarfing them here if they aren't helpful.


Server :: Unable To Use DBUS After Changing LDAP/Kerberos/NSCD Settings

Apr 23, 2011

We're running an Ubuntu 10.04 LTS network on our company, authenticating against an Openldap/heimdal-kerberos server. Previously, the clients were authenticating against a Windows 2003 Domain without any problems. After modifying the krb.conf, ldap.conf, nsswitch.conf and nscd.conf files to authenticate the machines against the openldap/heimdal setup, we started experiencing strange problems.

One issue is, for example, the polkit-agent-gnome not starting. This component integrates policykit into gnome. It looks like the agent is unable to start due to some kind of delay with DBUS. Starting the agent manually keeps giving errors until about 70 seconds after login, when the agent can be started without problems. During the delay it is also impossible, for instance, to open the "shut down" menu on the top right of gnome. You can click on the menu, but nothing appears. Trying to start the polkit-agent manually gives these errors (I'll be attaching detailed errors when at work!):

Code:

DBus error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken

GLIB ERROR ** default - Not enough memory to set up DBusConnection for use with GLib

It really looks like DBus or something related to it is starting "too late" but I can't seem to find the reason. I'm pretty sure this has to do with some timings or whatever in the krb/ldap config files...


Fedora Installation :: LDAP - NIS - Kerberos - Add Mint Machines To Server To Use New Security Settings

Dec 10, 2009

I wish to set up a network that works like windows but with linux of course! It will need to be able to handle security/DNS/DHCP & Document store from one location. I've been doing some reading and have found that I think I need to be using one of the following:

LDAP
NIS
Kerberos

I have looked at a few Linux based OS's. I did notice that when you install fedora live desktop it gives you the option to connect to one of the above. So I am looking for a complete solution.

1. How to setup fedora to act as server for my needs (or other Linux build)

2. Add fedora/linux mint machines to server to use new security settings. (or other linux build)


Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.


Security :: Kerberos And LDAP - Users Will Be Able To Login In To A Server On The Edge Of The LAN And Establish A SSH Connection

Feb 19, 2010

I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.

1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. In the template one piece of information that is needed is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using a pen and paper?

2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?

3. Users will be logging on to the server on the edge of LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on without executing kinit and without entering a password, just by having a valid SSH key?

4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?


CentOS 5 Server :: TFTP-server Unable To Send Files To Clients Outside It Subnet?

Sep 9, 2011

I have tftp-server running on CentOS 5. Clients which are on the same subnet as the server are able to get and put without problems. I have a client that is across the internet that is having trouble getting files from my tftp server. A tcpdump reveals that the client is requesting the same file over and over again. In /var/log/messages, I am seeing the following error repeated over and over until the client finally gives up.

localhost in.tftpd[12727]: tftpd: read: No route to host


Server :: Configure System Vpn Server For Windows Clients And Roadwarriors Connection?

Apr 26, 2010

How to configure linux vpn server for windows clients & roadwarriors connection?


Server :: Configuring Open LDAP Server And Clients In Ubuntu?

Jan 29, 2010

I want to configure an Open LDAP server in Ubuntu and also want it to connect to its clients. I have two machines for testing, one for client & one for server. I followed the tutorials on ubuntu documentation, but did not succeed in making either the client or the server.


Server :: Server For Shell Programming On Windows (XP) Clients?

Jan 9, 2010

I have to have a Linux server for shell programming on Windows (XP) clients


Server :: Server With NFS Configured Would Be Able To Access Files By MAC Clients?

Dec 29, 2010

If I use Linux File server with NFS Configured, can MAC clients (workstations) access the files on Linux server over the LAN network?


Server :: SLES 11.2 Samba Server With Win7 Clients?

Feb 26, 2010

I just installed SLES 11.2 X86_64 and have SMB Server started after adding 2 lines to smb.conf:

1. NTMLv2 = Yes
2. name resolve order = wins bcast host lmhosts

There are also 02 new DWORD lines I add to Win7 clients:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
1. DomainCompatibilityMode = 1
2. DNSNameResolutionRequired = 0

Of course a few number of modifications I made from Yast to enable SMB Server and Client, and bcast as well. Now I am able to join my Linux Domain without error at first reboot from win7, but it seems spending a long time about 30 secs for auth. even I test on a very fast network system, all with core quad 3GHZ CPU and 4GB DDR2.

I would like to mention here that before I made the above changes I did a lot of different modifications onto my win7 clients (I found many suggestions online), and all seems mess up and never work; Then I had to reinstall win7 from scratch and just add 02 lines as above, but it works.


Server :: Clients Browsing History In Server

May 18, 2010

In my network the client systems access internet through my server which has ubuntu 9.10 server edition in it. I gave my server's ip address as name server's address in /etc/resolv.conf file in the client systems. And I have assigned static ip to my systems. I have not configured squid in my server. I just want to know whether the website accessed by the client systems will be registered in the server or not, with the corresponding ip addresses.

I have checked system log file in server, but I can't find any ip address entry of the client systems in it. Which file do I have to actually check, or should I need to configure any extra things to monitor the clients web history in server.


Server :: NTP Config - Prevent Clients Using Server?

May 24, 2010

I'm presently writing software to keep my system time from drifting, it uses an external clock device. To verify its accuracy I'm running ntpd as a server, and have another server monitor the first as a client. This allows me to compare the offset with other 'valid' time servers. The problem is that the monitoring client keeps synchronising with my development server. How can I configure either the dev. server or the client so that its time won't be selected as a good time source? The ntp.conf on the dev. server looks like:

Code:
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

[code]...


Copyrights 2005-15 www.BigResource.com, All rights reserved