> I configured the following in krb5.conf and now at least get prompted
> for a password and kinit works!:
> [libdefaults]
> dns_lookup_kdc = no
> dns_lookup_realm = no
>
> klist
> Ticket cache: API:krb5cc
> Default principal: ouruser@OURDOMAIN.EDU
>
> Valid starting    Expires           Service principal
> 03/18/21 15:17:43 03/19/21 15:17:39 krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU
I don't know why Mac/Windows isn't working. It doesn't look like it is even trying GSSAPI.
Some progress. On Windows if I download and install MIT Kerberos and log in
with a user, I can use Putty for password-less login. Note Putty needs to
be a recent version, e.g., 0.74.
I also got a Mac client to work. After adding the krb5.conf file as
/etc/krb5.conf and running kinit, I can run ssh -K and voila.
Using another Windows SSH client, e.g., MobaXterm (version 20 or later with
GSSAPI Kerberos checked in SSH settings), I also had to fill in the Domain:
field and use the "Native Windows" option:
[image: image.png]
However, when testing, the various kinit attempts from a client generate
the tickets below, which appear to be expired.
klist
Ticket cache: KCM:0:59081
Default principal: host/ouserver.edu@OURSERVER.EDU
Valid starting    Expires           Service principal
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
12/31/69 19:00:00 12/31/69 19:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
We are on freeipa-server-4.9.2-4.fc33.x86_64 with kernel-5.11.11-200
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
The logs that I see related to this user in krb5.conf, with debug enabled, are:
Apr 07 14:03:39 ourdomain.edu krb5kdc[1350528](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 150.108.68.55: ISSUE: authtime 1617818619, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ouruser@ourdomain.EDU for krbtgt/ourdomain.EDU@ourdomain.EDU
Apr 07 14:03:39 ourdomain.edu krb5kdc[1350528](info): closing down fd 11
Apr 07 14:03:44 ourdomain.edu krb5kdc[1350531](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 150.108.68.55: ISSUE: authtime 1617818619, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ouruser@ourdomain.EDU for host/ourdomain.edu@ourdomain.EDU
Apr 07 14:03:44 ourdomain.edu krb5kdc[1350531](info): closing down fd 11
Apr 07 14:03:44 ourdomain.edu krb5kdc[1350531](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 150.108.68.55: ISSUE: authtime 1617818619, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ouruser@ourdomain.EDU for krbtgt/ourdomain.EDU@ourdomain.EDU
So what causes those "expired" tickets? These "clients" I'm testing are a
Windows desktop and a Mac, so their hostnames aren't added a la a
freeipa-client.
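The krb5kdc lines quoted in this message show the client offering enctypes that the KDC itself annotates as UNSUPPORTED (des3-hmac-sha1) and DEPRECATED (arcfour-hmac) next to the AES types it actually issued. The following is an added example, not code from this thread or from FreeIPA: it parses ISSUE lines in the layout shown above and reports requests where a client still offers deprecated or unsupported enctypes, or where the reply, ticket or session key that was actually used is not AES. The sample log is constructed from the entries in the message (each re-joined onto one line, with the archive's "(a)" munging restored to "@"); the regular expressions assume that exact krb5kdc line layout and skip lines of other shapes, such as the "closing down fd" entries.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not a real capture): two ISSUE entries and one
# "closing down" entry from the thread, each re-joined onto a single line.
SAMPLE_KDC_LOG = """\
Apr 07 14:03:39 ourdomain.edu krb5kdc[1350528](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 150.108.68.55: ISSUE: authtime 1617818619, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ouruser@ourdomain.EDU for krbtgt/ourdomain.EDU@ourdomain.EDU
Apr 07 14:03:39 ourdomain.edu krb5kdc[1350528](info): closing down fd 11
Apr 07 14:03:44 ourdomain.edu krb5kdc[1350531](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 150.108.68.55: ISSUE: authtime 1617818619, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ouruser@ourdomain.EDU for host/ourdomain.edu@ourdomain.EDU
"""

# Enctypes we accept for issued tickets, reply keys and session keys.
AES_ETYPES = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
}

# Layout of a successful (ISSUE) AS_REQ/TGS_REQ line as shown in the thread.
# Other krb5kdc lines (closing down fd, preauth failures) have a different
# shape and are deliberately not matched.
ISSUE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client_ip>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{(?P<negotiated>[^}]*)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)
# One entry of the client's offered list; the KDC prefixes the ones it will
# not or should not use with "UNSUPPORTED:" / "DEPRECATED:".
OFFERED_RE = re.compile(r"(?:(?P<flag>UNSUPPORTED|DEPRECATED):)?(?P<name>[\w-]+)\((?P<num>\d+)\)")
# One entry of the negotiated set: reply key, ticket key, session key.
NEGOTIATED_RE = re.compile(r"(?P<role>rep|tkt|ses)=(?P<name>[\w-]+)\(\d+\)")


@dataclass
class KdcIssue:
    timestamp: str
    request: str        # AS_REQ or TGS_REQ
    client_ip: str
    client: str         # client principal
    service: str        # service principal the ticket was issued for
    offered: List[str] = field(default_factory=list)
    flagged: List[str] = field(default_factory=list)          # UNSUPPORTED:/DEPRECATED: entries, as logged
    negotiated: Dict[str, str] = field(default_factory=dict)  # role -> enctype name actually used


def parse_issue_line(line: str) -> Optional[KdcIssue]:
    """Parse one krb5kdc ISSUE line; return None for lines of any other shape."""
    m = ISSUE_RE.match(line.strip())
    if m is None:
        return None
    issue = KdcIssue(m["ts"], m["req"], m["client_ip"], m["client"], m["service"])
    for e in OFFERED_RE.finditer(m["offered"]):
        issue.offered.append(e["name"])
        if e["flag"]:
            issue.flagged.append(f"{e['flag']}:{e['name']}({e['num']})")
    for n in NEGOTIATED_RE.finditer(m["negotiated"]):
        issue.negotiated[n["role"]] = n["name"]
    return issue


def audit_kdc_log(text: str) -> List[dict]:
    """One finding per ISSUE line where the client offered deprecated or
    unsupported enctypes, or a non-AES enctype was actually used."""
    findings = []
    for line in text.splitlines():
        issue = parse_issue_line(line)
        if issue is None:
            continue
        weak_used = {role: name for role, name in issue.negotiated.items()
                     if name not in AES_ETYPES}
        if issue.flagged or weak_used:
            findings.append({
                "timestamp": issue.timestamp,
                "request": issue.request,
                "client_ip": issue.client_ip,
                "client": issue.client,
                "service": issue.service,
                "offered_flagged": issue.flagged,
                "weak_used": weak_used,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_kdc_log(SAMPLE_KDC_LOG):
        print(finding)
```

On the sample, only the AS_REQ produces a finding: the client offered des3-hmac-sha1 and arcfour-hmac, but every key the KDC actually used was aes256-cts-hmac-sha1-96, so "weak_used" is empty. Run against a real krb5kdc.log (after joining any wrapped lines) the same two checks separate clients whose krb5.conf or OS defaults still advertise legacy enctypes from the more serious case where a legacy enctype was actually issued.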