[31846] in Kerberos
Re: openssh + kerberos + windows ad
daemon@ATHENA.MIT.EDU (Javier Palacios)
Mon Jan 4 12:41:11 2010
In-Reply-To: <b0ab74af1001040817k40b39128le6d629db3614acc5@mail.gmail.com>
Date: Mon, 4 Jan 2010 18:41:04 +0100
Message-ID: <a64bf031001040941o15cd7d98vf9214115a1ce2425@mail.gmail.com>
From: Javier Palacios <javiplx@gmail.com>
To: Marcello Mezzanotti <marcello.mezzanotti@gmail.com>
Cc: kerberos@mit.edu
> login as: mmezzanotti
> Using keyboard-interactive authentication.
> Password:
> Last login: Wed Dec 30 14:00:19 2009 from localhost
> Have a lot of fun...
> mmezzanotti@os112:~> ls
> bin Documents Music Public Templates
> Desktop Download Pictures public_html Videos
> mmezzanotti@os112:~> klist
> Ticket cache: FILE:/tmp/krb5cc_10002_b8QDZx
> Default principal: mmezzanotti@VMWARELAB.INT
>
> Valid starting     Expires            Service principal
> 01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
>         renew until 01/05/10 13:58:36
I'm not sure that you are actually testing ticket authentication, rather
than just Kerberos password authentication (by far much easier).
To actually check what you want, I recommend you start working just on
the Linux node, and log in as whichever user. Then:
# kinit mmezzanotti
# ssh mmezzanotti@os112
If it does ask you for a password, then credential authentication is not
working. And depending on whether your TGT was proxiable or not, you might
even end up with void output from klist.
Someone answered about the need for a host keytab to achieve this. As
far as I remember that is not mandatory for Linux (or wasn't for a
Debian in 2004), but take it into account.
> mmezzanotti@os112:~> ssh -vvv mmezzanotti@os112.vmwarelab.int
>
Try adding 'debug' to all pam.d lines on Kerberos. That will produce
much less verbose and hopefully more useful info.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
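
The test suggested in the reply above, written as an added example (not part of the original message): it allows only GSSAPI, so a password prompt cannot hide a ticket failure, then confirms the method from the client's debug log and looks for the host/ service ticket in the local cache. The function names and sample lines are constructed for illustration; the ssh options are standard OpenSSH client options.

```shell
# Print the method from the client's "Authentication succeeded (...)" line.
ssh_auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\(.*\))\.\{0,1\}$/\1/p' | head -n 1
}

# Succeed if klist output on stdin lists a host/<fqdn> service ticket.
has_host_ticket() {   # $1 = server FQDN
    grep -qF "host/$1@"
}

# Live check: run kinit first. BatchMode stops ssh from prompting, and the
# method list allows gssapi-with-mic only. The server's host key must
# already be in known_hosts.
ticket_login_check() {   # $1 = user, $2 = server FQDN
    out=$(ssh -v -o BatchMode=yes -o GSSAPIAuthentication=yes \
              -o PreferredAuthentications=gssapi-with-mic \
              "$1@$2" true 2>&1)
    method=$(printf '%s\n' "$out" | ssh_auth_method)
    if [ "$method" = "gssapi-with-mic" ] && klist | has_host_ticket "$2"; then
        echo "ticket authentication works"
    else
        echo "ticket authentication failed (method: ${method:-none})"
        return 1
    fi
}

# Constructed samples for trying the parsers offline.
sample_password_log() { cat <<'EOF'
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
EOF
}
sample_ticket_log() { cat <<'EOF'
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF
}
sample_klist_tgt_only() { cat <<'EOF'
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
EOF
}
sample_klist_after_ticket_login() { cat <<'EOF'
01/04/10 13:58:36  01/04/10 23:58:37  krbtgt/VMWARELAB.INT@VMWARELAB.INT
01/04/10 13:59:02  01/04/10 23:58:37  host/os112.vmwarelab.int@VMWARELAB.INT
EOF
}
```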