kerberos problems

Loren M. Lang lorenl at alzatex.com
Sun Mar 13 13:56:11 PST 2005


On Sun, Mar 13, 2005 at 05:30:09PM -0000, martinmcc at orbweavers.co.uk wrote:
> > On Sun, Mar 13, 2005 at 03:38:46PM -0000, martinmcc at orbweavers.co.uk wrote:
> >>    I followed the handbook guide to setting it up, and it all seems to be
> >> working ok. I have now set up telnetd as described to test how it is
> >> working. If I have done a kinit previously, it will log in no problem,
> >> but if I do not do a kinit (or do a kdestroy beforehand) I get -
> >>
> >> kerberos V5: mk_req (No Such File or direcotry).
> >>
> >>    Any ideas?
> >
> > That sounds like it's working normally. Without a valid ticket (as shown
> > by `klist`), which is cached in a file, services like telnet which use
> > Kerberos won't authenticate you.
> >
> > If I'm misunderstanding the problem you're describing, please add some
> > more detail as to what you expected to have happen and how reality
> > differed :-)
> >
> Yeah, it could well be the way it is supposed to work. Basically I want to
> end up with a centralised login system for my network (i.e. no need to
> create usernames on each client). I am planning to use ldap for this, and
> as I understand it ldap can use kerberos for the authentication aspect. So
> I am atm trying to make sure I have a good understanding of the kerberos
> system and have it up and running before I tackle the next part.
> 
> what I was assuming would happen when I try to telnet in without a ticket
> (i.e. with running kinit) was that I would get asked for a
> username/password, and then I would get issued a ticket, rather than
> manually having to kinit first.

I believe the difference is that kinit is used to get kerberos
credentials after you have logged on by some other means.  If you use
pam_krb5, then it will be using the kerberos for authentication instead
of the local passwd file and also save the credentials.

The way you're currently doing it, the local system will still need the
user and passwd to log them in before they can run kinit; with pam_krb5
this can be avoided.

> 
> How would this affect using pam to authenticate, i.e. if I want to use
> pam_krb to log in to the console, I would not be able to run kinit
> beforehand?
> 
> [Apologies for sending this to you twice Tillman, need to be more careful
> with the reply to button :)]
> 
> Cheers,
> Martin

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
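
The pam_krb5 arrangement described in the reply above, as an added illustration that is not part of the original message: a sketch of the relevant lines of a FreeBSD `/etc/pam.d/system`. The stock file layout and the module options shown are assumptions; check them against pam_krb5(8) on the release in use.

```conf
# /etc/pam.d/system (sketch; layout and options assumed, verify per release)

# auth
# Try Kerberos first, using the password typed at the login prompt.
# On success pam_krb5 obtains a TGT and writes the credential cache,
# so the user does not need to run kinit after logging in.
auth      sufficient  pam_krb5.so   no_warn try_first_pass
# Fall back to the local passwd database, so root and other local
# accounts can still log in when the KDC is unreachable.
auth      required    pam_unix.so   no_warn try_first_pass nullok

# account
# Let pam_krb5 check that the principal is allowed to use this account,
# then apply the normal local account checks.
account   required    pam_krb5.so
account   required    pam_unix.so

# password
# Route password changes to the KDC for Kerberos users, with the local
# database as the fallback.
password  sufficient  pam_krb5.so   no_warn try_first_pass
password  required    pam_unix.so   no_warn try_first_pass
```

pam_krb5 only verifies the password; the account itself (UID, home directory, shell) must still be resolvable on the client, from the local passwd file or a directory such as the LDAP setup mentioned in the thread. Because the password is typed at the remote login prompt, over unencrypted telnet it crosses the network in the clear, whereas a prior kinit with Kerberized telnet sends only a ticket.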
 