I am now configuring a KDC client and server. My goal is to log in to the KDC server from the KDC client as user1 without a password prompt.
However, although I have the configuration below, the password prompt still comes up when I log in from the KDC client. Could someone give me advice on what went wrong with my configuration?
Client and Server
KDC Client : server1.ywlocal.net (RHEL 7.3)
KDC Server : server2.ywlocal.net (RHEL 7.3)
/etc/hosts
On server1.ywlocal.net :
[root@server1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.11.11 server1.ywlocal.net
192.168.11.12 server2.ywlocal.net
On server2.ywlocal.net:
[root@server2 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.11.11 server1.ywlocal.net
192.168.11.12 server2.ywlocal.net
List of principals
[root@server1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/[email protected]:
kadmin: list_principals
K/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
root/[email protected]
[email protected]
keytab file on client side created by ktadd host/server1.ywlocal.net
[root@server1 ~]# ls -ltr /etc/krb5.keytab
-rw-------. 1 root root 658 Jan 4 08:18 /etc/krb5.keytab
Client side TGT list
[user1@server1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: [email protected]
Valid starting Expires Service principal
01/04/2017 08:25:34 01/05/2017 08:25:34 krbtgt/[email protected]
ssh result
[user1@server1 ~]$ ssh server2.ywlocal.net
[email protected]'s password:
Client and Server Side ssh configuration
[root@server1 ~]# egrep "GSSAPIAuthentication|GSSAPIDele" /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
[root@server2 ~]# egrep "GSSAPIAuthentication|KerberosAuthentication" /etc/ssh/sshd_config
KerberosAuthentication yes
GSSAPIAuthentication yes
Client side krb5.conf
[root@server1 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = server2.ywlocal.net
admin_server = server2.ywlocal.net
default_domain = ywlocal.net
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
ssh client side debug log
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server krbtgt/[email protected] not found in Kerberos database
debug2: we sent a gssapi-with-mic packet, wait for reply
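As an added illustration, not part of the question above, here is a small Python model of how a Kerberos client picks the realm for a service host from the [domain_realm] section, run over the posted client krb5.conf and over a variant that also maps .ywlocal.net. The lookup order (exact host, then parent domains with a leading dot, then the uppercased parent domain as the fallback when dns_lookup_realm is off) follows MIT krb5's documented behaviour but is simplified: the parser, function names and the omission of DNS and KDC referrals are my assumptions, and the conf text is reconstructed from the question.

```python
import re

# Reconstructed from the posted client /etc/krb5.conf, reduced to the
# sections that matter for realm mapping (includedir and logging omitted).
POSTED_KRB5_CONF = """
[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = server2.ywlocal.net
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Same file with the hosts' actual DNS domain mapped to the realm (constructed variant).
FIXED_KRB5_CONF = POSTED_KRB5_CONF + " .ywlocal.net = EXAMPLE.COM\n ywlocal.net = EXAMPLE.COM\n"

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} for flat keys; {} blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if depth or line.endswith("{"):          # inside a nested realm block
            depth += line.count("{") - line.count("}")
            continue
        key, _, value = line.partition("=")
        if current is not None and value:
            current[key.strip()] = value.strip()
    return sections

def host_realm(hostname, conf):
    """Realm a client uses for a service host, and where that answer came from."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:                           # exact host entry
        return mapping[host], "domain_realm"
    labels = host.split(".")
    for i in range(1, len(labels)):              # .ywlocal.net, then .net
        if "." + ".".join(labels[i:]) in mapping:
            return mapping["." + ".".join(labels[i:])], "domain_realm"
    return ".".join(labels[1:]).upper(), "fallback"   # uppercased parent domain

def expected_tgs_request(hostname, conf):
    """Service principal the client asks for, plus the cross-realm TGT it needs first, if any."""
    realm, source = host_realm(hostname, conf)
    client_realm = conf["libdefaults"]["default_realm"]
    cross = None if realm == client_realm else f"krbtgt/{realm}@{client_realm}"
    return {"service": f"host/{hostname}@{realm}", "cross_realm_tgt": cross, "source": source}
```

With the posted file, server2.ywlocal.net falls through to the fallback realm YWLOCAL.NET, so the client first asks the EXAMPLE.COM KDC for krbtgt/YWLOCAL.NET@EXAMPLE.COM, which matches the "not found in Kerberos database" line in the debug output; with the extra [domain_realm] entries the lookup stays in EXAMPLE.COM and no cross-realm TGT is requested.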