Re: pamkrbval: KDC policy rejects request for this entry



Can you check that AD and your HP system are time synchronised? Can you do a kinit unix_client with the correct password? Do you have the kvno binary on the HP platform? If so, can you do a kvno host/unix_client.domain.host.com and compare the number with the one in the keytab?

Do you have the AS_REQ and AS_REP details (e.g. a Wireshark capture)?

Regards
Markus


<ricurtis@xxxxxxxxx> wrote in message news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have tried everyone's suggestions, but no joy - although I think I
can narrow down the problem somewhat...

After changing the default_t*_enctypes to be "RC4-HMAC" (and also
removing the lines altogether), I still get the same error...

In the Windows security log on the domain controller, I have a Failure
Audit with a result code from the request of 0xC, which from some
searching at Microsoft suggests:
Requested start time is later than end time
or Workstation login restrictions.

From a packet capture using Wireshark, in the AS-REQ packet there is an
entry "till: 1970-01-01 00:00:00 (UTC)".
It looks as though the requested lifetime of the packet here is in the
past...

Any suggestions around that?

Regards

Richard



On 26 Aug, 20:32, "Richard Curtis" <ricur...@xxxxxxxxx> wrote:
According to the HP release notes (I have Kerberos Client C.1.3.5.05):

The client libraries are based on MIT Kerberos V5 1.3.5 release. The
KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
RFC 1510 of the IETF. This release of Kerberos Client is interoperable
with Microsoft Windows 2000 and 2003.

I will try tomorrow when I am back in the office by setting the
default_*_enctypes to RC4-HMAC... the strange thing is, the HP
configuration guide I am following has a sample krb5.conf and only
mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
is no mention of RC4 in the whole document.
I will try removing default_*_enctypes altogether as well, and failing
that, will have a go with DES encryption only..

If this turns out to be the solution, I will be over the moon... this
has been dragging on for some time :)

I will post back tomorrow with my results.. thanks for the replies so far guys.

Regards

Richard



On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller <hua...@xxxxxxxxxxxxxxxx> wrote:
> Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
> assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
> MIT 1.1.1?). If not you need to set the AD entry for unix_client to be DES
> only. Secondly did you change the password of the unix_client user? If not
> please try to change the password once and re-extract the keytab.

> Markus

> "Richard Curtis" <ricur...@xxxxxxxxx> wrote in message
>news:5745a7060808261135s26134f5bg495452c33920af1f@xxxxxxxxxxxxxxxxx
>> Hi,
>> I am trying to get an HPUX 11i box to authenticate against our
>> active directory (Windows 2003r2) domain with kerberos but I am
>> getting nowhere fast.

>> As per the docs I have, I have created a user account in active
>> directory, then used "ktpass -princ
>> host/unix_client.domain.host....@xxxxxxxxxxxxxxx -mapuser unix_lient
>> -pass <pass> -out c:\krb5.keytab"
>> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
>> keep getting "KDC policy rejects request for this entry"

>> I am guessing this is more of a Windows/AD config issue, but thought
>> someone here might have seen this?

>> cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = DOMAIN.HOST.COM
>> default_tgs_enctypes = DES-CBC-CRC
>> default_tkt_enctypes = DES-CBC-CRC
>> ccache_type = 2
>> ticket_liftetime = 24000
>> #dns_lookup_kdc = true

>> [realms]
>> DOMAIN.HOST.COM = {
>> kdc = 2003_dc.domain.host.com
>> kpasswd_server = 2003_dc.domain.host.com:464
>> }

>> [domain_realm]
>> domain.host.com = DOMAIN.HOST.COM
>> .domain.host.com = DOMAIN.HOST.COM

>> [logging]
>> default = FILE:/var/adm/krb5lib.log
>> kdc = FILE:/var/adm/krb5kdc.log
>> admin_server = FILE:/var/adm/kKDCmind.log

>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }

>> unix_client:/var/adm/syslog >pamkrbval -v

>> Validating the pam configuration files
>> ---------- --- --- ------------- -----

>> Validating the /etc/pam.conf file
>> [LOG] : The /etc/pam.conf files permissions are fine
>> [LOG] : Opened : /etc/pam.conf

>> [PASS] : The validation of config file: /etc/pam.conf passed

>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>> as libpam_updbe library is not configured

>> Validating the kerberos config file
>> ---------- --- -------- ------ -----
>> [PASS] : Initialization of kerberos passed

>> Connecting to default Realm
>> ---------- -- ------- -----
>> [LOG] : The default realm is : DOMAIN.HOST.COM
>> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
>> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
>> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
>> [PASS] : Default Realm is issuing tickets

>> Validating the keytab entry for the host service principal
>> ---------- --- ------ ----- --- --- ---- ------- ---------
>> [LOG] : Host unix_client, aka unix_client.domain.host.com.
>> [LOG] : The default keytab name is : /etc/krb5.keytab
>> [LOG] : Keytab file /etc/krb5.keytab is present
>> [LOG] : Permissions on /etc/krb5.keytab are correct.
>> Keytab entry
>> Principal: host
>> Host : unix_client.domain.host.com
>> Realm : DOMAIN.HOST.COM
>> Version : 23
>> [LOG] : Pinging KDC to verify whether
>> host/unix_client.domain.host....@xxxxxxxxxxxxxxx exists
>> pamkrbval: KDC policy rejects request for this entry
>> [WARNING] : The keytab entry for the host service principal
>> host/unix_client.domain.host....@xxxxxxxxxxxxxxx is invalid
>> [FAIL] : The keytab validation failed

>> Validating the rc_host file for ownership
>> -------- ------ ---- -------- ------ -----
>> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
>> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

>> unix_client:/var/adm/syslog >ktutil -i
>> ktutil: rkt /etc/krb5.keytab
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 23 host/unix_client.dom...@xxxxxxxxxxxxxxx
>> ktutil:
>> ktutil: unix_client:/var/adm/syslog >

>> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
>> host/unix_client.domain.host.com
>> kinit(v5): KDC policy rejects request while getting initial credentials

>> Thanks in advance for any help

>> Regards

>> Richard
>> ________________________________________________
>> Kerberos mailing list Kerbe...@xxxxxxx
>>https://mailman.mit.edu/mailman/listinfo/kerberos


________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
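Markus's suggestion above (compare the number from kvno with the one in the keytab) and his point about DES versus RC4-HMAC can be checked without ktutil. This is an added example, not code from the thread or from HP's or MIT's tools: a Python parser for the MIT keytab file format that returns each entry's principal, KVNO and enctype, then compares the KVNO with the one the KDC reported and flags single-DES keys. The keytab bytes are constructed inline (KVNO 23 as in Richard's ktutil output) and the key material is filler.

```python
import struct
# Constructed sample, not a real keytab: MIT keytab format (version 0x0502) holding
# host/unix_client.domain.host.com@DOMAIN.HOST.COM with KVNO 23, as in the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts",
            18: "aes256-cts", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}   # single DES and export RC4; AD 2003 with MIT > 1.3 should use rc4-hmac

def _cstr(s):       # counted octet string: uint16 big-endian length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialise one keytab slot: int32 size, then the entry body."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                           # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "host/unix_client.domain.host.com@DOMAIN.HOST.COM", 23, 23, b"\x11" * 16)  # filler key

def parse_keytab(data):
    """Return [(principal, kvno, enctype_id), ...] from MIT keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                        # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        parts = []                          # realm first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode()); off += 2 + n
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4 + klen
        (v32,) = struct.unpack_from(">I", data, off) if end - off >= 4 else (0,)
        out.append(("/".join(parts[1:]) + "@" + parts[0], v32 or vno8, enctype))
        off = end
    return out

def check_keytab(data, principal, kdc_kvno):
    """Mirror the manual check: keytab KVNO equals the KDC's, and no single-DES keys."""
    ents = [e for e in parse_keytab(data) if e[0] == principal]
    match = bool(ents) and all(e[1] == kdc_kvno for e in ents)
    weak = [ENCTYPES.get(e[2], str(e[2])) for e in ents if e[2] in WEAK]
    return match, weak
```

A KVNO mismatch here means the keytab was extracted before the last password change on the AD account, which is why Markus asks whether the password was changed and the keytab re-extracted.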