[32232] in Kerberos
kerberized telnet
daemon@ATHENA.MIT.EDU (Matt Zagrabelny)
Fri Apr 2 14:36:08 2010
From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: kerberos <kerberos@mit.edu>
Date: Fri, 02 Apr 2010 13:33:26 -0500
Message-ID: <1270233206.4868.1854.camel@grateful.d.umn.edu>
Greetings,
I am trying to debug a Kerberos setup with a MIT KDC/TGS and Cisco
Catalyst 3750. Things are progressing, but I've hit a wall.
Here is what I perform on my workstation:
$ kinit
$ telnet kplz354s2
Trying 10.25.1.14...
Will send login name and/or authentication information.
Connected to kplz354s2.d.umn.edu (10.25.1.14).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``mzagrabe@D.UMN.EDU'' ]
% Authentication failed
Connection closed by foreign host.
This may be an obvious question, but
does the "Kerberos V5 accepts you as ``blah''" come from the switch?
I am trying to cover all the bases here and the switch is definitely
reporting "Authentication failed", so I am wondering if it is also
reporting the "accepts you as" line as well.
I've performed some tcpdump/wireshark and didn't see anything that would
indicate that the switch believes me to be mzagrabe@D.UMN.EDU.
Also, for those who are cisco-nuts, here are the relevant configs from
the switch:
aaa new-model
!
aaa user profile mzagrabe@D.UMN.EDU
aaa user profile mzagrabe
!
aaa authentication attempts login 1
aaa authentication login telnet krb5-telnet
aaa authorization exec default if-authenticated
aaa authorization exec telnet if-authenticated
!
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
switch 1 provision ws-c3750-24ts
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
ip domain-name d.umn.edu
ip name-server 131.212.32.32
!
!
kerberos local-realm D.UMN.EDU
kerberos srvtab entry host/kplz354s2.d.umn.edu@D.UMN.EDU <stuff removed>
kerberos realm .d.umn.edu D.UMN.EDU
kerberos clients mandatory
kerberos server D.UMN.EDU 131.212.60.117
kerberos credentials forward
Thanks,
-- 
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 4096R/42A00942 2009-12-16
Fingerprint: 5814 2CCE 2383 2991 83FF C899 07E2 BFA8 42A0 0942
He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos