Re: Heimdal telnetd in Solaris: IPV6 problems?
Love writes:
Thank you very much for answering.
> fsmunoz@gesal.org writes:
>
>> [ Trying mutual KERBEROS5 (host/ciscokid.net.itlog.pt@NET.ITLOG.PT)... ]
>> [ Kerberos V5 refuses authentication because krb5_sock_to_principal failed ]
>
> Heimdal tries to figure out the hostname by looking up to what address the
> incoming address the connection was to, if this fails you'll get an error
> like the above.
>
> Can you check if the name in /etc/hosts matches the name of the keytab
> entry you have ?
I'll try to provide as much information as possible, I hope it's not
overkill :)
I have a DNS server under my control that answers all the requests for my
domain (which is the same as the kerberos realm and the AFS cell). I never
had a problem with the resolving of the hosts, since most machines don't
even have an entry (except for themselves).
This is the keytab in the problematic server:
------
FILE:/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-crc host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md4 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md5 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des3-cbc-sha1 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-crc ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md4 ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md5 ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des3-cbc-sha1 ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
krb4:/etc/srvtab:
Vno Type Principal
1 des-cbc-md5 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md4 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-crc host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md5 ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-md4 ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-crc ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
-------
I can actually get a ticket for that host after a failed telnet:
------
[root@alioth:/afs/isk.kth.se]# telnet ciscokid.net.itlog.pt
Trying 193.126.68.31...
Connected to ciscokid.net.itlog.pt.
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Trying mutual KERBEROS5 (host/ciscokid.net.itlog.pt@NET.ITLOG.PT)... ]
[ Kerberos V5 refuses authentication because krb5_sock_to_principal failed ]
[ Trying KERBEROS5 (host/ciscokid.net.itlog.pt@NET.ITLOG.PT)... ]
[ Kerberos V5 refuses authentication because krb5_sock_to_principal failed ]
[ Trying mutual KERBEROS4 (rcmd.ciscokid@NET.ITLOG.PT) ... ]
[ Kerberos V4 refuses authentication because No local V4 Realm. ]
[ Trying KERBEROS4 (rcmd.ciscokid@NET.ITLOG.PT) ... ]
[ Kerberos V4 refuses authentication because No local V4 Realm. ]
Authentication negotation has failed,
which is required for encryption.
[root@alioth:/afs/isk.kth.se]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@NET.ITLOG.PT
Issued Expires Principal
Mar 19 13:05:06 Mar 19 23:05:06 krbtgt/NET.ITLOG.PT@NET.ITLOG.PT
Mar 19 13:05:06 Mar 19 23:05:06 krbtgt/NET.ITLOG.PT@NET.ITLOG.PT
Mar 19 13:05:06 Mar 19 23:05:06 afs/net.itlog.pt@NET.ITLOG.PT
Mar 19 13:05:24 Mar 19 23:05:06 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
V4-ticket file: /tmp/tkt0
Principal: root@NET.ITLOG.PT
Issued Expires Principal
Mar 19 13:05:06 Mar 19 23:05:06 krbtgt.NET.ITLOG.PT@NET.ITLOG.PT
Mar 19 13:05:24 Mar 19 23:05:24 rcmd.ciscokid@NET.ITLOG.PT
-----------
I'm doing this as root but the same applies for every other user. Actually
it will work for every user except root after everything is set up.
Now, I don't have an entry in /etc/hosts, BUT the hostname does resolve
(both normal and reverse lookups).
I have a trace done with ethereal, but when saved as tcpdump it's a bit
too terse to paste here. Basically all seems to go normally (I've compared it
with a trace of a successful session): the client has a long talk with the
DNS server, trying various options of _kerberos and receiving the
_kerberos._udp one as the only correct. It then does a reverse lookup, etc.
Telnet packets start to appear and it then obtains a ticket, with the
correct principal as listed above. The telnet fails with the
"krb5_sock_to_principal failed" error. Now, I'm not sure it has anything to
do with IPv6... the machine which I'm trying to access is also the mentioned
DNS server of the subnet, I don't know if this makes a difference.
One interesting note: ftp works, but ONLY if I use the FQDN of the server.
If I only use the hostname it gives me an error (Error importing name
ftp@ciscokid: unable to find realm of host ciscokid). Likewise if I use
telnet only with the hostname it doesn't even try to get K5 tickets, goes
straight to K4. *This is only with the clients compiled in the same machine
I'm having troubles with the server*, i.e. if I use any other machine to ftp
into ciscokid using only the hostname it works as expected (telnet still
fails, of course, with the "krb5_sock_to_principal failed").
To be quite honest I'm a bit lost here... The only differences in this
machine are the fact that it uses Solaris 8, the inetd.conf is different in
that it has a tcp6 protocol definition that can be used and that the machine
is the DNS server.
I will gladly provide any additional info if required, or test any possible
solution. If someone has working kerberized services in Solaris 8/UltraSPARC
please share your magic ;)
Best Regards
fsmunoz
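An added diagnostic, not part of the thread or of Heimdal: it emulates the lookup Love describes (local socket address, reverse lookup, service/fqdn@REALM) and checks the result against the ktutil-style keytab listing from the message. The PTR table is constructed sample data standing in for the poster's DNS server, and the handling of IPv4-mapped addresses from a tcp6 listener is an assumption about where the lookup could come up empty, not a confirmed cause.

```python
import ipaddress
import re

# Constructed PTR table standing in for the poster's DNS server (sample data).
PTR_TABLE = {
    "193.126.68.31": "ciscokid.net.itlog.pt",
}

# Abbreviated ktutil-style keytab listing copied from the message above.
KEYTAB_LISTING = """\
Vno Type Principal
1 des-cbc-crc host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des3-cbc-sha1 host/ciscokid.net.itlog.pt@NET.ITLOG.PT
1 des-cbc-crc ftp/ciscokid.net.itlog.pt@NET.ITLOG.PT
"""


def keytab_principals(listing):
    """Return the set of principal names from a 'ktutil list' style dump."""
    return {line.split()[-1] for line in listing.splitlines()
            if re.match(r"^\d+\s+\S+\s+\S+/", line)}


def sock_to_principal(local_addr, realm, service="host", ptr=PTR_TABLE, unmap=True):
    """Local socket address -> PTR lookup -> service/fqdn@REALM.
    Returns None when the reverse lookup yields nothing (the 'failed' symptom)."""
    addr = ipaddress.ip_address(local_addr)
    # A tcp6 listener accepting an IPv4 client sees an IPv4-mapped address
    # (::ffff:a.b.c.d). Fold it back to IPv4 before the PTR lookup when unmap
    # is set; whether the Solaris 8 build did so is an assumption, not a finding.
    if unmap and isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    fqdn = ptr.get(str(addr))
    if fqdn is None:
        return None
    return f"{service}/{fqdn.lower().rstrip('.')}@{realm}"


def keytab_has(principal, listing=KEYTAB_LISTING):
    """True when the derived principal has a key in the keytab listing."""
    return principal is not None and principal in keytab_principals(listing)


if __name__ == "__main__":
    for local in ("193.126.68.31", "::ffff:193.126.68.31"):
        for unmap in (True, False):
            p = sock_to_principal(local, "NET.ITLOG.PT", unmap=unmap)
            print(f"{local:<24} unmap={unmap!s:<5} -> {p} keytab={keytab_has(p)}")
```

Running it shows the mapped address resolving to the keytab's host principal only when it is folded back to IPv4; the unfolded form finds no PTR entry and yields None, which is the shape of failure the telnet banner reports.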