Problems with Kerberos and realms

I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it.

AIX 7.1, and while I found various docs on the subject, a lot of them are different. That said, I've tried various methods without success. As it sits, the packages are installed, the krb5.conf file is populated with the usual info, the new keytab is merged with krb5.keytab, I've tried various enctypes (based on different docs) etc. When I do anything at all, the logs remain empty, although they exist.

When I try to generate a ticket, below is the result.

#/usr/krb5/bin/kinit PassLine@HDQ.123.COM
Password for PassLine@HDQ.123.COM:
root@ unused01 /etc
#/usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  PassLine@HDQ.123.COM

Valid starting     Expires            Service principal
10/21/13 11:21:52  10/21/13 21:22:10  krbtgt/HDQ.123.COM@HDQ.123.COM
        Renew until 10/21/13 21:21:52
root@ unused01 /etc
#/usr/krb5/bin/kinit PassLine@LDAP.123.COM
Unable to obtain initial credentials.
        Status 0x96c73adc - Cannot resolve network address for KDC in requested realm.

When I created a user and set authentication methods to KRB5files, I wasn't able to log in. The server is on ABC.123.com and it only seems to be able to hit HDQ.123.com (kinit fails against all domains except HDQ.) The AD admins asked me to use the LDAP.123.com alias.

I don't know if perhaps this is an issue with /etc/resolv.conf or if I have something outright wrong elsewhere.

Let me know what information is needed, and I'll provide it. I suppose I didn't want to clutter the OP with "unnecessary" config files and such, but will certainly post anything needed.

Thanks!
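The two kinit results above (a ticket from HDQ.123.COM, "Cannot resolve network address for KDC" for LDAP.123.COM) are what libkrb5 reports when the requested realm has no [realms] stanza and a DNS SRV lookup is not available to fall back on. As an added example, not part of this thread and not IBM's tooling, here is a small Python reader for the relevant parts of krb5.conf that shows how a realm is turned into a KDC address and how a host name is mapped to a realm. The configuration text, KDC host names and domain layout in it are constructed for the example and are not the poster's actual file.

```python
import re

# Constructed sample: HDQ.123.COM is configured, LDAP.123.COM is not, and
# hosts under abc.123.com have no [domain_realm] mapping (assumption).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HDQ.123.COM
    dns_lookup_kdc = false

[realms]
    HDQ.123.COM = {
        kdc = hdq-dc1.hdq.123.com:88
        admin_server = hdq-dc1.hdq.123.com:749
    }

[domain_realm]
    .hdq.123.com = HDQ.123.COM
    hdq.123.com = HDQ.123.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here.

    Returns {section: {key: [values]}} for flat sections and
    {"realms": {REALM: {key: [values]}}} for the braced realm blocks.
    Values are kept as lists because keys such as 'kdc' may repeat.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue                      # text before the first [section]
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:
            block = section.setdefault(opener.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def locate_kdc(conf, realm):
    """Return (kdc_list, explanation) following libkrb5's lookup order:
    [realms] stanza first, then DNS SRV if dns_lookup_kdc allows it."""
    entry = conf.get("realms", {}).get(realm, {})
    if entry.get("kdc"):
        return entry["kdc"], "kdc= lines in the [realms] stanza for " + realm
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if dns in ("true", "yes", "1"):
        return [], ("no [realms] stanza; libkrb5 would query the DNS SRV record "
                    "_kerberos._udp." + realm.lower())
    return [], ("no [realms] stanza and dns_lookup_kdc is off: kinit reports "
                "'Cannot resolve network address for KDC in requested realm'")


def realm_for_host(conf, host):
    """Map a host name to a realm as [domain_realm] does: an exact host
    entry wins, otherwise the longest matching '.domain' suffix."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix][0]
    return None


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("HDQ.123.COM", "LDAP.123.COM"):
        kdcs, why = locate_kdc(conf, realm)
        print(f"{realm}: {kdcs or 'no KDC'} ({why})")
    for host in ("unused01.hdq.123.com", "unused01.abc.123.com"):
        print(f"{host} -> realm {realm_for_host(conf, host)}")
```

Run against a real /etc/krb5.conf, the useful check is whether the realm you pass to kinit after the '@' has a kdc= entry, and whether the AIX host's own domain maps to any realm at all; a host name handed out as an alias (ldap.123.com) is a KDC address, not a realm name, and belongs on a kdc= line rather than after the '@'.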

Looking at the output of the file, it seems you are not running the kinit against a user but instead a server.

But your klist is throwing you the right output.

Have you set the default stanza under /etc/security/user for SYSTEM and registry to KRB5LDAP?

Have you edited the /etc/methods.cfg file to add the appropriate parameters?

I was merely running the test suggested by a variety of docs I'd come across. If there's another method to try, I'd certainly give it a whirl.

As for /etc/security/user, yes, it shows KRB5files for system/registry for the test users.

PassLine:
        admin = false
        registry = KRB5files
        SYSTEM = "KRB5files"
        auth_name = "123.COM"

methods.cfg has also been appended -

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64


DCE:
        program = /usr/lib/security/DCE

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
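The question in the reply above is really whether the chain user stanza -> registry/SYSTEM -> methods.cfg stanza -> loadable module is consistent end to end. As an added example, not from the thread and not an IBM tool, here is a Python checker that parses the AIX stanza format shared by /etc/security/user and /etc/methods.cfg and walks that chain. The sample stanzas are constructed from the ones posted above (the 'default' stanza and the comment line are assumptions); the SYSTEM grammar is handled only in its simple single-method form.

```python
# Constructed sample stanzas, modelled on the ones posted in the thread.
SECURITY_USER = """\
default:
        admin = false
        login = true

PassLine:
        admin = false
        registry = KRB5files
        SYSTEM = "KRB5files"
        auth_name = "123.COM"
"""

METHODS_CFG = """\
* load modules for Kerberos authentication
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
"""


def parse_stanzas(text):
    """Parse AIX 'name:' stanza files into {stanza: {attr: value}}.
    Comment lines start with '*'; attribute lines are indented."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if raw.lstrip().startswith("*") or not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = stanzas.setdefault(raw.rstrip()[:-1], {})
            continue
        if current is None or "=" not in raw:
            continue
        key, _, value = raw.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return stanzas


def parse_options(value):
    """'db=BUILTIN,auth=KRB5' -> {'db': 'BUILTIN', 'auth': 'KRB5'};
    bare flags such as 'authonly' map to True."""
    opts = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            key, sep, val = item.partition("=")
            opts[key.strip()] = val.strip() if sep else True
    return opts


def check_user_auth(user, users, methods):
    """Return a list of findings; an empty list means every link in the
    user -> registry/SYSTEM -> methods.cfg -> module chain resolves."""
    findings = []
    stanza = users.get(user)
    if stanza is None:
        return [f"no stanza for user {user}"]
    for attr in ("registry", "SYSTEM"):
        # SYSTEM may be a grammar such as "KRB5files OR compat"; only the
        # simple single-method form is handled here (assumption).
        name = stanza.get(attr) or users.get("default", {}).get(attr)
        if not name:
            findings.append(f"{attr} is set neither for {user} nor in default")
            continue
        if name not in methods:
            findings.append(f"{attr}={name} but methods.cfg has no {name} stanza")
            continue
        opts = parse_options(methods[name].get("options", ""))
        for role in ("auth", "db"):
            target = opts.get(role)
            if not target or target == "BUILTIN":
                continue
            if target not in methods:
                findings.append(f"{name}: {role}={target} is not defined in methods.cfg")
            elif "program" not in methods[target]:
                findings.append(f"{name}: {role}={target} has no program= line")
    return findings


if __name__ == "__main__":
    users = parse_stanzas(SECURITY_USER)
    methods = parse_stanzas(METHODS_CFG)
    print(check_user_auth("PassLine", users, methods) or "chain OK")
```

A typo in either file (a registry value that names a stanza which does not exist, or an auth= option pointing at a module with no program= line) shows up as a finding here, whereas on the system it shows up only as a login that silently falls through to the next method.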

Hmm,
Since you are not using LDAP, I assume you need to modify as below

I had integrated Kerberos+LDAP (not a good combination) for one of my clients back in 2011.

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = is_kadmind_compat=no,authonly,tgt_verify=no    --> make sure you add this

KRB5LDA:
        options = auth=KRB5,db=BUILTIN

I tried tgt_verify=no before, but I tried again just to be sure - same error.

Have you checked whether the Windows AD server (running Kerberos) is behind the firewall?

telnet <AD server> 88, as kerberos service runs on port 88 

I assume you have installed the below

# lslpp -L | grep krb5

krb5.client.rte 1.5.0.1 C F Network Authentication Service 

krb5.client.samples 1.5.0.1 C F Network Authentication Service

krb5.lic 1.5.0.1 C F Network Authentication Service

Also, make sure you have the correct hostname

nslookup <AD server>

Ping it

ping <AD server>

Make sure you are changing the settings correctly and restarting the service

like /etc/security/user, /etc/methods.cfg, etc.

Look at the system log file to see where it is blocking the connection; we need to know whether your local AIX is connecting to your AD server for authentication.

Sometimes the problem could be on AD.

Can you paste what command you are using to configure kerberos?

like your "mkkrb5clnt" command
mkkrb5clnt -r <YOUR DOMAIN NAME> -c <your windows AD server> -s <your windows AD server> -d <your domain name> -D  : note that after '-r' I have domain name in CAPS

Now run

/usr/krb5/bin/kinit <username>

followed by

/usr/krb5/bin/klist

What's the output?

If you want to reinstall 'kerberos'

mkkrb5clnt -U, hit 'y' to unconfigure

Also, copy your /etc/security/user file for default stanza and your methods.cfg file

Let me know once you are done with those.

Also, if you want to do it simple and straight, here is the IBM method of doing it.

https://www.ibm.com/developerworks/aix/library/au-aix_multiplekerberos/

If I telnet to ldap.123.com, it attempts to connect but gives a "remote host refused an attempted connect operation" error.

If I telnet to ldap.123.com:88, it cannot find it.

I do have those packages installed.

nslookup shows the correct hostname.

I can successfully ping it.

What services would I be restarting after changing?

mkkrb5clnt -c ldap.123.com -r 123.COM -s ldap.123.com -d 123.COM

(using caps where appropriate)

If I just use kinit <username> (not against any server) I get different responses.

#/usr/krb5/bin/kinit PassLine
Unable to obtain initial credentials.
        Status 0x96c73a44 - KRB5 error code 68.

(In that example, PassLine is a valid user within AD)

#/usr/krb5/bin/kinit testunix
Unable to obtain initial credentials.
        Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.

(In that example, testunix is a user created by the AD admin. The user is not locked out.)

---------------

I've reinstalled a few times, without change. I believe I've used that doc before, but maybe I'll wipe everything and try again.
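The three status words in this thread (0x96c73adc, 0x96c73a44, 0x96c73a06) differ only in their low byte, and they match the MIT Kerberos error table exactly: the krb5 table base is -1765328384, which is 0x96c73a00 as an unsigned 32-bit word, and the offset is the Kerberos error code (6 = client principal unknown, 68 = wrong realm, 220 = KDC address cannot be resolved). That makes "KRB5 error code 68" and the other two messages decodable without the docs. Here is an added decoder for such kinit lines; it is not part of the thread or of IBM's tools, and its name table is a small subset of the MIT table chosen for this example, not the full list.

```python
import re

KRB5_ERROR_BASE = -1765328384   # MIT krb5 'krb5' error table base (0x96c73a00)

# Subset of the MIT krb5 error table. Offsets below 128 are the RFC 4120
# protocol error codes; larger ones are libkrb5's own codes.
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not in KDC database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal not in KDC database)",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
    18: "KRB5KDC_ERR_CLIENT_REVOKED (client credentials have been revoked)",
    24: "KRB5KDC_ERR_PREAUTH_FAILED (pre-authentication failed, e.g. bad password)",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED (additional pre-authentication required)",
    37: "KRB5KRB_AP_ERR_SKEW (clock skew too great)",
    68: "KRB5KDC_ERR_WRONG_REALM (client is in a different realm; KDC referral)",
    156: "KRB5_KDC_UNREACH (cannot contact any KDC for requested realm)",
    220: "KRB5_REALM_CANT_RESOLVE (cannot resolve network address for KDC in requested realm)",
}


def decode_status(status):
    """Accept '0x96c73a44', 0x96c73a44 or the signed com_err value and
    return (offset, description)."""
    if isinstance(status, str):
        status = int(status, 16)
    if status > 0x7FFFFFFF:             # unsigned 32-bit word -> signed com_err code
        status -= 1 << 32
    offset = status - KRB5_ERROR_BASE
    if not 0 <= offset < 256:
        return offset, "not a krb5 error-table code"
    return offset, KRB5_ERRORS.get(offset, "krb5 code %d (not in this table)" % offset)


def explain_kinit_line(line):
    """Pull the status word out of an AIX kinit 'Status 0x........ - ...' line;
    returns None for lines without one."""
    m = re.search(r"Status (0x[0-9a-fA-F]{8})", line)
    return decode_status(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed copies of the three lines seen in this thread.
    for line in (
        "        Status 0x96c73adc - Cannot resolve network address for KDC in requested realm.",
        "        Status 0x96c73a44 - KRB5 error code 68.",
        "        Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.",
    ):
        print(explain_kinit_line(line))
```

Reading the three results together: 220 is a client-side lookup failure before any packet is sent, 68 is the KDC answering that the named client belongs to some other realm, and 6 is the KDC answering that it has no such principal in its own database. The first is a krb5.conf question, the other two are answers from the directory about which realm and account name it expects.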

Hmm,

When you use telnet you run

telnet ldap.123.com 88

Tell me the output of this

Also, I am seeing that the

mkkrb5clnt

syntax is not correctly followed; I specifically mentioned using caps for ONLY the '-r' flag, and '-D' is also missing.

Make sure you unconfigure first.

Also, play around, after you run the above configuration, if it still gives you error try the below

mkuser -R KRB5Afiles registry=KRB5Afiles SYSTEM=KRB5Afiles PassLine

Then try

kinit PassLine

I have no kerberos in my environment to check the different scenarios.

Let me know what it comes up with.

I was able to successfully telnet via ldap.123.com 88.

About the command syntax - some docs have used mkkrb5clnt, and others have used config.krb5 (the IBM doc you linked, for example, uses config.krb5.) Is there a reason to use one over the other?

I'll go ahead and unconfigure the current settings and rebuild it, but if I should be starting with one vs the other, it'd be helpful to understand why.

---------- Post updated at 01:39 PM ---------- Previous update was at 01:32 PM ----------

Also, because it may be helpful, this is what the AD admin ran on their end -

ktpass -princ host/testunix.ABC.123.com@123.COM -mapuser testunix -pass password -kvno 3 -out C:\some\folder\testunix.keytab

That's the keytab I merged with krb5.keytab. It appears, from the IBM doc, that ptype is missing. I don't know that they ran the ktpass.exe within the 123.com domain, but I can verify this.

Keep it simple: just follow the IBM doc and make sure you are following the proper syntax, since you are just configuring Kerberos.

My Kerberos configuration was integrated with LDAP; it was such a complex setup.

Just unconfigure and follow IBM steps.

Will do. I'm trying to arrange some time with the AD admin, because I'd like to create a new keytab and everything. Basically walk through the entire doc from a fresh perspective, because I'm tired of beating my head against a wall here :stuck_out_tongue:

I know what it feels like!

Also, look at the system logs, what error it is throwing.

/etc/syslog.conf, is the file to find out the location of log files.

Open a new terminal and run

tail -f <log file>

to view live logs.

Let me know what you find out.