How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-to:
- http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
- https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html
Time synchronization between hosts
Kerberos clients and server must be synchronized.
For that purpose I use ntp on the clients and server.
aptitude install ntp
- /etc/default/ntp: keep default configuration which allows one big adjustment
NTPD_OPTS='-g'
- /etc/ntp.conf: keep default configuration (listen on local)
Install slapd
Install ldap server
# slapd admin password will be asked DEBIAN_PRIORITY=medium aptitude install slapd
slapd logs
Syslog
# /etc/rsyslog.d/slapd.conf # minus before file => omit syncing the file after every loggin # & ~ => don't transmist log to next logger local4.* -/var/log/slapd.log & ~
rotation
# /etc/logrotate.d/slapd
/var/log/slapd.log
{
# 1 month
weekly
rotate 4
missingok
compress
delaycompress
notifempty
postrotate
/etc/init.d/slapd restart
endscript
}
Install MIT Kerberos master server
Some informations will be asked:
- REALM
- FQDN of Kerberos server (check dns configuration !)
- fqdn of administrative server for the kerberos realm
# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55 Default Kerberos version 5 realm: COINCOIN.EU Kerberos V4 compatibility mode to use: None Kerberos servers for your realm: kdc.coincoin.eu
Next create a new realm:
# krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU', master key name 'K/M@COINCOIN.EU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide.
Configuration: slapd
/etc/ldap/ldap.conf
First, check configuration !
BASE dc=coincoin,dc=eu URI ldap://ldap.coincoin.eu
schema
Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd
aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf
slaptest -f /tmp/schema_convert.conf -F /tmp/
# remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig"
# change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config"
# change "cn: {0}kerberos" by "cn: kerberos"
ldapadd -QY EXTERNAL -H ldapi:/// -f /tmp/cn=config/cn=schema/cn={0}kerberos.ldif
increase log level
# log all: change log level from 'none' to 'stats' cat ldap/log_level.ldif dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif
ACLs:
# add ACL for Kerberos:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
access to *
by * read
access to *
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
# Comment all other default ACL
# add specific directives for database #1
suffix "dc=coincoin,dc=eu"
rootdn "cn=admin,dc=coincoin,dc=eu"
# add indexes
index objectClass eq # by default
index uid eq
index krbPrincipalName eq,pres,sub
Create indexes
/etc/init.d/slapd stop slapindex chown -R openldap:openldap /var/lib/ldap /etc/init.d/slapd start
Add ldap entries
/etc/init.d/slapd stop cat data.ldif dn: ou=Users,dc=coincoin,dc=eu ou: Users objectClass: organizationalUnit dn: ou=Groups,dc=coincoin,dc=eu ou: Groups objectClass: organizationalUnit dn: ou=Hosts,dc=coincoin,dc=eu ou: Hosts objectClass: organizationalUnit dn: ou=krb5,dc=coincoin,dc=eu ou: krb5 objectClass: organizationalUnit dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu cn: kdc-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos KDC server userPassword: 5Wdx~FgK|VFm>>2`K1UW dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu cn: adm-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos Administration server userPassword: grh~1JnFvN*}]742_Jvc slapadd -svl data.ldif /etc/init.d/slapd start
If the LDAP server and KDC service are running on the same machine:
# slapd listen only unix socket, in /etc/default/slapd: SLAPD_SERVICES="ldapi:///" /etc/init.d/slapd restart
You should disallow anonymous binding:
#Add at the beginning of /etc/ldap/slapd.conf disallow bind_anon /etc/init.d/slapd restart
Configure Kerberos
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
[...]
[realms]
COINCOIN.EU = {
kdc = kdc.coincoin.eu
admin_server = kdc.coincoin.eu
database_module = openldap_ldapconf
}
[domain_realm]
.coincoin.eu = COINCOIN.EU
coincoin.eu = COINCOIN.EU
[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
# TODO logrotate
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 750,88
[realms]
COINCOIN.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
Set up the realms subtree and the realm itself
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu # slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu # slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
Add users to ldap server
This step is needed if users’s account are not already in the ldap.
The following command fails:
/etc/init.d/slapd stop slapadd -svl users.ldif /etc/init.d/slapd stop
where users.ldif is:
dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu cn: lilou gidNumber: 1000 objectClass: top objectClass: posixGroup dn: uid=lilou,ou=Users,dc=coincoin,dc=eu uid: lilou uidNumber: 1000 gidNumber: 1000 cn: Lilou sn: Lilou objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/lilou
I use cpu command from the cpu package:
# extract of /etc/cpu/cpu.conf # USER_BASE = ou=Users,dc=coincoin,dc=eu # GROUP_BASE = ou=Groups,dc=coincoin,dc=eu # cpu -w useradd lilou
Kerberize user
# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin.local: addprinc lilou WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy Enter password for principal "lilou@COINCOIN.EU": Re-enter password for principal "lilou@COINCOIN.EU": Principal "lilou@COINCOIN.EU" created.
Restart services
/etc/init.d/slapd restart /etc/init.d/krb5-kadmin-server restart /etc/init.d/krb5-kdc restart
Check hostname configuration
user@kdc:~$ hostname kdc user@kdc:~$ hostname -f kdc.coincoin.eu # /etc/resolv.conf could contains "search coincoin.eu".
Tests
kdc:~# kinit lilou
Password for lilou@COINCOIN.EU:
kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU
Valid starting Expires Service principal
02/20/11 03:07:54 02/20/11 13:07:54 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 02/21/11 03:07:51
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Clients configuration
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
Check hostname configuration
root@client:~$ hostname client root@client:~$ hostname -f client.coincoin.eu
Packages
aptitude install krb5-user libpam-krb5
Install libpam-krb5 package only if you want SSO.
After installing libpam-krb5, you can use pam-auth-update command in order to handle PAM & kerberos configuration.
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
COINCOIN.EU = {
kdc = kdc.coincoin.eu
admin_server = kdc.coincoin.eu
}
[domain_realm]
.coincoin.eu = COINCOIN.EU
coincoin.eu = COINCOIN.EU
[login]
krb4_convert = false
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
Tests
Kerberos
toto@client:~# kinit lilou
Password for lilou@COINCOIN.EU:
toto@client:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU
Valid starting Expires Service principal
02/20/11 02:17:09 02/20/11 12:17:09 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 02/21/11 02:17:05
PAM
In order to test PAM configuration, disconnect and reconnect, next use klist command.
Some errors
kinit: Generic error (see e-text) while getting initial credentials
Cause: slapd service is not started.
When requesting TGT with the canonicalization flag set, the realm component of the principal is not converted to uppercase, leading to the following error observed on console:
[root@master ~]# KRB5_TRACE=/dev/stderr kinit -C talias@ipa.test [80650] 1471852872.307764: Getting initial credentials for talias@ipa.test [80650] 1471852872.310180: Sending request (228 bytes) to ipa.test [80650] 1471852872.311370: Resolving hostname master.ipa.test. [80650] 1471852872.317520: Sending initial UDP request to dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88 [80650] 1471852872.319931: Received answer (262 bytes) from dgram 2620:52:0:224e:21a:4aff:fe23:13a6:88 [80650] 1471852872.320243: Response was from master KDC [80650] 1471852872.320270: Received error from KDC: -1765328324/Generic error (see e-text) kinit: Generic error (see e-text) while getting initial credentials
The KDC log contains an attempt to use the supplied realm name instead of the canonical uppercase form during AS_REQ processing, which obviously fails
Aug 22 09:59:41 master.ipa.test
krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26})
2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT:
talias@ipa.test for
krbtgt/ipa.test@ipa.test,
No such entry in the database
Aug 22 10:00:02 master.ipa.test
krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26})
2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT:
talias@ipa.test for
krbtgt/ipa.test@ipa.test,
No such entry in the database
Aug 22 10:00:06 master.ipa.test
krb5kdc[41525](info): AS_REQ (6 etypes {18 17 16 23 25 26})
2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT:
talias@ipa.test for
krbtgt/ipa.test@ipa.test,
No such entry in the database
Aug 22 10:01:12 master.ipa.test
krb5kdc[41528](info): AS_REQ (6 etypes {18 17 16 23 25 26})
2620:52:0:224e:21a:4aff:fe23:13a6: GET_LOCAL_TGT:
talias@ipa.test for
krbtgt/ipa.test@ipa.test,
No such entry in the database
Aug 22 10:05:20 master.ipa.test
Steps to reproduce:
1.) create a user with an alias
2.) kinit with user’s canonical principal and change password when prompted
3.) run ‘kinit -C’ using the alias and either lowercased or randomly-cased realm name
Expected result:
A password prompt is shown and upon entering a correct password the user gets TGT containing his canonical principal name
Actual result:
The following error is displayed:
kinit: Generic error (see e-text) while getting initial credentials
A crash is reported after an unsuccessful lightweight CA key retrieval
When using Identity Management (IdM), if retrieving the lightweight certificate authority (CA) key fails for some reason, the operation terminates unexpectedly with an uncaught exception. The exception results in a crash report. (BZ#1478366)
OpenLDAP causes programs to fail immediately in case of incorrect configuration
Previously, the Mozilla implementation of Network Security Services (Mozilla NSS) silently ignored certain misconfigurations in the OpenLDAP suite, which caused programs to fail only on connection establishment. With this update, OpenLDAP has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, the TLS context is established immediately, and therefore programs fail immediately. This behavior prevents potential security risks, such as keeping non-working TLS ports open.
To work around this problem, verify and fix your OpenLDAP configuration. (BZ#1515833)
OpenLDAP reports failures when CACertFile or CACertDir point to an invalid location
Previously, if the CACertFile or CACertDir options pointed to an unreadable or otherwise unloadable location, the Mozilla implementation of Network Security Services (Mozilla NSS) did not necessarily consider it a misconfiguration. With this update, the OpenLDAP suite has switched from Mozilla NSS to OpenSSL (see the release note for BZ#1400578). With OpenSSL, if CACertFile or CACertDir point to such an invalid location, the problem is no longer silently ignored.
To avoid the failures, remove the misconfigured option, or make sure it points to a loadable location.
Additionally, OpenLDAP now applies stricter rules for the contents of the directory to which CACertDir points. If you experience errors when using certificates in this directory, it is possible the directory is in an inconsistent state. To fix this problem, run the cacertdir_rehash command on the folder.
For details on CACertFile and CACertDir, see these man pages: ldap.conf(5), slapd.conf(5), slapd-config(5), and ldap_set_option(3). (BZ#1515918, BZ#1515839)
OpenLDAP does not update TLS configuration after inconsistent changes in cn=config
With this update, OpenLDAP has switched from the Mozilla implementation of Network Security Services (Mozilla NSS) to OpenSSL (see the release note for BZ#1400578). With OpenSSL, inconsistent changes of the TLS configuration in the cn=config database break the TLS protocol on the server, and configuration is not updated as expected. To avoid this problem, use only one change record to update the TLS configuration in cn=config. See the ldif(5) man page for a definition of a change record. (BZ#1524193)
Identity Management terminates connections unexpectedly
Due to a bug in Directory Server, Identity Management (IdM) terminates connections unexpectedly after a certain amount of time, and authentication fails with the following error:
kinit: Generic error (see e-text) while getting initial credentials
The problem occurs if you installed IdM on Red Hat Enterprise Linux 7.5 from an offline media. To work around the problem, run yum update to receive the updated 389-ds-base package which fixes the problem. (BZ#1544477)
Directory Server can terminate unexpectedly during shutdown
Directory Server uses the nunc-stans framework to manage connection events. If a connection is closed when shutting down the server, a nunc-stans job can access a freed connection structure. As a consequence, Directory Server can terminate unexpectedly. Because this situation occurs in a late state of the shutdown process, data is not corrupted or lost. Currently, no workaround is available. (BZ#1517383)
Здравствуйте!
Не могу понять где надо исправить. Пытаюсь настроить Linux сервер на доменную авторизацию согласно этого руководства.
Дошёл до п.8 и столкнулся с проблемой удаления обратных слешей между доменом и пользователем. Убедился что это связано с настройкой Kerberos.
krb5.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = true
ticket_lifetime = 24h
default_keytab_name = /etc/squid/private/HTTP.keytab
allow_weak_crypto = true
forwardable = yes
[realms]
MYDOMAIN.LOCAL = {
kdc = lpn-srv-dc-01.mydomain.local
kdc = lpn-srv-dc-02.mydomain.local
admin_server = lpn-srv-dc-01.mydomain.local
default_domain = mydomain.local
}
[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[login]
krb4_convert = true
krb4_get_tickets = falseПри проверке авторизации командой:
# kinit my.user@MYDOMAIN.LOCAL
Password for my.user@MYDOMAIN.LOCAL:Всё отрабатывает:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: my.user@MYDOMAIN.LOCAL
Valid starting Expires Service principal
26.07.2017 16:56:23 27.07.2017 02:56:23 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 27.07.2017 16:56:20Если же авторизуюсь как в п.8 инструкции, то натыкаюсь на следующее:
# kinit "MYDOMAINmy.user"
kinit: Client 'MYDOMAINmy.user@MYDOMAIN.LOCAL' not found in Kerberos database while getting initial credentials
# kinit "MYDOMAIN\my.user"
kinit: Client 'MYDOMAINmy.user@MYDOMAIN.LOCAL' not found in Kerberos database while getting initial credentials
# kinit "MYDOMAIN.LOCAL\my.user"
kinit: Client 'MYDOMAIN.LOCALmy.user@MYDOMAIN.LOCAL' not found in Kerberos database while getting initial credentialsТо есть удаляются слеши и не определяется в таком написании домен. Понимаю, что где-то это должно настраиваться, но никак не могу найти где.
0
1
Здравствуйте.Есть проблема получения билета kerberos администратора домена admin@MY.DOM через файл keytab.
Сначала я добавил ключ для admin в keytab c помощью ktutil
выполнив
root@servfripa:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: addent -password -p admin@MY.DOM -k 1 -e aes256-cts
после этого ввел по запросу пароль
затем я сохранил его в файле /etc/krb5.keytab
root@servfripa:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/servfripa.my.dom@MY.DOM
2 1 admin@MY.DOM
ktutil: rkt /etc/krb5.keytab
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/servfripa.my.dom@MY.DOM (aes256-cts-hmac-sha1-96)
2 1 admin@MY.DOM (aes256-cts-hmac-sha1-96)
ktutil:
Проблема в следующем.
что когда я делаю
и ввожу пароль вручную я получаю билет
Но если я делаю
то получаю ошибку
kinit: Preauthentication failed while getting initial credentials
не могу понять в чем делу так как когда заводил запись в keytab я ввел правильный пароль тк он очень простой для теста
вот подробный вывод
root@servfripa:~# KRB5_TRACE="/dev/stdout" kinit -f admin@MY.DOM -k
[2350] 1626851868.893962: Getting initial credentials for admin@MY.DOM
[2350] 1626851868.903866: Looked up etypes in keytab: aes256-cts
[2350] 1626851868.904208: Sending request (159 bytes) to MY.DOM
[2350] 1626851868.904791: Initiating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.905166: Sending TCP request to stream 192.168.0.20:88
[2350] 1626851868.911604: Received answer (284 bytes) from stream 192.168.0.20:88
[2350] 1626851868.911656: Terminating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.911899: Response was from master KDC
[2350] 1626851868.912014: Received error from KDC: -1765328359/Additional pre-authentication required
[2350] 1626851868.912099: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2350] 1626851868.912114: Selected etype info: etype aes256-cts, salt "ZuWWT&U'8N#HhF<", params ""
[2350] 1626851868.912157: Received cookie: MIT
[2350] 1626851868.912183: PKINIT client has no configured identity; giving up
[2350] 1626851868.912255: Preauth module pkinit (147) (info) returned: 0/Success
[2350] 1626851868.912298: PKINIT client has no configured identity; giving up
[2350] 1626851868.912313: Preauth module pkinit (16) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912326: PKINIT client has no configured identity; giving up
[2350] 1626851868.912334: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912347: PKINIT client has no configured identity; giving up
[2350] 1626851868.912356: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912434: Retrieving admin@MY.DOM from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Succ
ess
[2350] 1626851868.912489: AS key obtained for encrypted timestamp: aes256-cts/1735
[2350] 1626851868.912588: Encrypted timestamp (for 1626851868.911708): plain 301AA011180F32303231303732313037313734385AA1050
2030DE95C, encrypted 61DB80C38CB72434C69FD73CD4CC642F16B20299A928E67E3FBD8DAEEC449304F08FE5CEF9AA5E3129A18E141B678192E341086
C5A722FEC
[2350] 1626851868.912607: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[2350] 1626851868.912614: Produced preauth for next request: 133, 2
[2350] 1626851868.912632: Sending request (252 bytes) to MY.DOM
[2350] 1626851868.912736: Initiating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.912926: Sending TCP request to stream 192.168.0.20:88
[2350] 1626851868.922303: Received answer (284 bytes) from stream 192.168.0.20:88
[2350] 1626851868.922353: Terminating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.922463: Response was from master KDC
[2350] 1626851868.922635: Received error from KDC: -1765328360/Preauthentication failed
[2350] 1626851868.922667: Preauth tryagain input types: 16, 14, 14, 136, 19, 147, 2, 133
kinit: Preauthentication failed while getting initial credentials
root@servfripa:~#
что может быть не так?
From Authentication Tools for Joomla! (JAuthTools)
Jump to: navigation, search
This page documents some solutions for common Kerberos issues. It isn’t comprehensive but should give you a guide what to look for when resolving the issues.
Contents
- 1 Known Errors and Resolutions
- 1.1 kinit(v5): KRB5 error code 68 while getting initial credentials
- 1.2 kinit(v5): Permission denied while getting initial credentials
- 1.3 Client not found in Kerberos database
- 1.4 kinit(v5): Preauthentication failed while getting initial credentials
- 1.5 kinit(v5): Key table entry not found while getting initial credentials
- 1.6 krb5_get_init_creds_password() failed: Clock skew too great
- 1.7 failed to verify krb5 credentials: Server not found in Kerberos database
- 1.8 gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
- 1.9 gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
- 1.10 gss_accept_sec_context() failed: Miscellaneous failure (Key version number for principal in key table is incorrect)
- 1.11 Issues with mapuser
- 1.12 IE prompts for a password on each access
- 2 Unknown responses
- 2.1 krb5_get_init_creds_password() failed: KDC reply did not match expectations
- 2.2 Specified realm `OTHER.REALM.NAME’ not allowed by configuration
- 2.3 KDC has no support for encryption type
Known Errors and Resolutions
kinit(v5): KRB5 error code 68 while getting initial credentials
Wrong Kerberos domain, check that the Linux box is configured to use the right domain.
kinit(v5): Permission denied while getting initial credentials
Check the permission on your keytab file to ensure that the process can get access to it appropriately.
Client not found in Kerberos database
- kinit(v5): Client not found in Kerberos database while getting initial credentials
- krb5_get_init_creds_password() failed: Client not found in Kerberos database
Make sure that you’re typing in the right name and the server has the right name (double check the account tab of the user, especially the realm)
kinit(v5): Preauthentication failed while getting initial credentials
Wrong password — use the right password. This may also occur with keys and a buggy version of ktpass.exe, some versions of ktpass.exe had issues generating keys (Windows 2003 SP1) so upgrading to the latest release should fix this (see Microsoft KB 919557)
kinit(v5): Key table entry not found while getting initial credentials
Regenerate keytab file and make sure that your file is correct.
krb5_get_init_creds_password() failed: Clock skew too great
- failed to verify krb5 credentials: Clock skew too great
Time between HTTP server and Kerberos server is too big; alternatively may also indicate a client issue. Check that you have NTP setup properly, using the KDC as the primary NTP server.
failed to verify krb5 credentials: Server not found in Kerberos database
Check the default_realms to ensure there is a proper mapping, also check that the host/FQDN@REALM entry exists.
gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)
Check default_realms to ensure there is a domain mapping. Check the keytab file (klist -k /etc/krb5.keytab or similar) to ensure that the appropriate domain is present. Also ensure that your hostname is the FQDN of the machine.
gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
Check that the site is in the local domain for IE’s security settings; likely an NTLM token is being sent, see IE not correctly identifying sites in the intranet to help resolve this issue.
gss_accept_sec_context() failed: Miscellaneous failure (Key version number for principal in key table is incorrect)
Wrong key version is being used. Check the key on the server (kinit -k PRINCIPAL) and also restart any client to clear their local cache or restart the server to clear its cache. kerbtray.exe can also delete old tickets. Also note that some versions of ktpass.exe had issues generating keys (Windows 2003 SP1) so upgrading to the latest release should fix this (see http://support.microsoft.com/kb/919557 Microsoft KB 919557])
Issues with mapuser
AD may or may not have had time to properly replicate the user to all DC’s. Ensure that the DC you’re querying is the same as the one you created the user to avoid this as much as possible.
IE prompts for a password on each access
From Windows Authentication and ASP.Net:
Internet Explorer security settings must be configured to enable Integrated Windows authentication. By default, Integrated Windows authentication is not enabled in Internet Explorer 6. To enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.’
Alternatively this may be an issue with the site not being in the intranet zone. IE won’t send authentication details automatically to sites that aren’t located within the intranet zone. See IE not correctly identifying sites in the intranet for more information.
Unknown responses
krb5_get_init_creds_password() failed: KDC reply did not match expectations
See http://mailman.mit.edu/pipermail/kerberos/2007-November/012585.html
Specified realm `OTHER.REALM.NAME’ not allowed by configuration
Another realm is trying to authenticate against the server than is permissable by the servers configuration. This could point to a mismatch between the servers configured realm and the actual realm of the user or the fact that there are multiple realms available and only one configured.
KDC has no support for encryption type
Would indicate that the KDC doesn’t like the encryption protocols being used. If you’re not using the MIT implementation (e.g. Hiemdal) see if switching to MIT works.