Re: More Info Re: Kerberos on OpenBSD
On Tue, Mar 12, 2002 at 01:57:28PM -0800, David S. wrote:
> On Tue, Mar 12, 2002 at 11:52:56AM -0500, Dan Brosemer wrote:
> > odin@obiwan:p4[~]$ passwd -k
> > Old password for odin@CLEANNORTH.ORG:
> > Kerberos error: Can't send request (send_to_kdc)
> You want "passwd -K", unless you're using Kerberos IV. From the 'passwd'
> man page:
Thanks very much. I must have missed that in my frustration. I also had to
change my /etc/hosts to map the non-lo0 ip of this machine to my hostname
(presumably so it is matched with the DNS).
> If you want to use AFS with Kerberos V, you'll need to configure
> Kerberos IV compatibility. That's documented in the Heimdal manual:
> http://www.pdc.kth.se/heimdal/heimdal.html
Thanks. I think I've done that, but I'll get to testing it in a bit.
> NetBSD (which uses Heimdal, just like OpenBSD) has some good instructions
> for setting-up a Kerberos V domain:
> http://www.netbsd.org/Documentation/network/#kerberos
Thanks again.
Two more questions...
First, when I ssh into the kdc machine, it generates some kerberos log
messages but doesn't issue me any ticket. (messages at the end of this
email)
And, second, can I do something like map my user account 'odin' to
'odin@CLEANNORTH.ORG' and attempt to authenticate with my password there for
things like ssh and console logins? This seems possible (actually, it seems
like it should work by default... login.conf contains 'krb5-or-pwd'. I'm
having no luck with that, though).
I've added these lines to sshd_config:
KerberosAuthentication yes
KerberosOrLocalPasswd yes
when I log in, I see this:
odin@thor:p2[~]$ ssh obiwan
odin@obiwan.cleannorth.org's password:
odin@obiwan:p7[~]$ klist
klist: No ticket file: /tmp/krb5cc_1000
v4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)
odin@obiwan:p7[~]$ kinit
odin@CLEANNORTH.ORG's Password:
odin@obiwan:p7[~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: odin@CLEANNORTH.ORG
Issued Expires Principal
Mar 13 01:01:18 Mar 13 11:01:18 krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
Mar 13 01:01:18 Mar 13 11:01:18 krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
v4-ticket file: /tmp/tkt1000
Principal: odin@CLEANNORTH.ORG
Issued Expires Principal
Mar 13 01:01:18 Mar 13 11:01:18 krbtgt.CLEANNORTH.ORG@CLEANNORTH.ORG
and this is generated in /var/heimdal/kdc.log immediately when I log in
(before the kinit):
2002-03-13T00:56:24 AS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for
krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T00:56:24 TGS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for
host/obiwan.cleannorth.org@CLEANNORTH.ORG
this is generated in the same log file by kinit:
2002-03-13T01:01:18 AS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for
krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T01:01:18 TGS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for
krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T01:01:18 524-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for
krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
Thanks in advance (again)
-Dan
--
"Burnished gallows set with red
Caress the fevered, empty mind
Of man who hangs bloodied and blind
To reach for wisdom, not for bread." -- Deoridhe Grimsdaughter
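An added example, not part of this thread, that parses Heimdal kdc.log request lines of the form quoted above and labels each burst of requests from one client; the sample lines are constructed from the mail, and reading an AS-REQ followed by a TGS-REQ for host/<fqdn> as a login program's password verification against the host keytab is this example's own interpretation:

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the kdc.log lines quoted in the mail (one request
# per line; the mail archive wrapped them after "for", the real log does not).
SAMPLE_LOG = """\
2002-03-13T00:56:24 AS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T00:56:24 TGS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for host/obiwan.cleannorth.org@CLEANNORTH.ORG
2002-03-13T01:01:18 AS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T01:01:18 TGS-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
2002-03-13T01:01:18 524-REQ odin@CLEANNORTH.ORG from IPv4:192.168.15.2 for krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AS-REQ|TGS-REQ|524-REQ) (?P<client>\S+) "
    r"from (?P<src>\S+) for (?P<service>\S+)$"
)

def parse_kdc_log(text):
    """Return one dict per request line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def sessions(events):
    """Group requests by (client, source, second): roughly one login attempt each."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["src"], e["ts"])].append((e["kind"], e["service"]))
    return dict(groups)

def classify(requests):
    """Label one session. AS-REQ followed by a TGS-REQ for host/<fqdn> is the pattern
    a login program leaves when it verifies a password against the host keytab;
    524-REQ means the client asked to convert the ticket to Kerberos IV."""
    kinds = {k for k, _ in requests}
    labels = []
    if "AS-REQ" in kinds and any(k == "TGS-REQ" and s.startswith("host/") for k, s in requests):
        labels.append("password-verify")
    if "524-REQ" in kinds:
        labels.append("krb4-conversion")
    return labels

def report(text):
    """Map each session key to its labels, e.g. to spot who still needs Kerberos IV."""
    return {key: classify(reqs) for key, reqs in sessions(parse_kdc_log(text)).items()}
```

Run against the real /var/heimdal/kdc.log, the report separates password checks that leave no credential cache (the first burst in the mail) from kinit runs that also request a Kerberos IV ticket (the second burst).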