Date: Fri, 26 Jun 1998 09:46:02 +0300 (EEST)
From: Narvi <narvi@haldjas.folklore.ee>
To: Ludwig Pummer <ludwigp@bigfoot.com>
Cc: security@FreeBSD.ORG
Subject: Re: kerberos su problems betw 2 machines
Message-ID: <Pine.BSF.3.96.980626093724.26915F-100000@haldjas.folklore.ee>
In-Reply-To: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>
On Thu, 25 Jun 1998, Ludwig Pummer wrote:

> I've finally gotten Kerberos (as part of the des distribution) installed on
> my 2.2.6-R machine (called fortress, with a DNS cname called kerberos) and
> my 2.2.5-R machine (called inet).
>
> my krb.conf:
> CHIPWEB.ML.ORG
> CHIPWEB.ML.ORG fortress.chipweb.ml.org admin server
> CHIPWEB.ML.ORG kerberos.chipweb.ml.org
>
> my krb.realms:
> fortress.chipwb.ml.org CHIPWEB.ML.ORG
> .chipweb.ml.org CHIPWEB.ML.ORG
>
> fortress is also running my own DNS server, which is why *.chipweb.ml.org
> appears as 24.1.82.47 to the outside world, but internally I have 6-7
> machines in the domain chipweb.ml.org (using the 172.16.0.0/16 IP range).
>
> I set up kerberos on fortress according to the handbook, creating
> passwd.fortress, rcmd.fortress, passwd.inet, rcmd.inet, fortress's srvtab,
> and inet's srvtab.
> I also created ludwigp and ludwigp.root (for testing the SU acl).
>
> On fortress, logging in as ludwigp gives me my ticket. I can kinit to
> ludwigp.root and also su to root (I've set up the .klogin for root to be
> "ludwigp.root@CHIPWEB.ML.ORG").
>
> On inet, logging in as ludwigp gives me my ticket. I can kinit to
> ludwigp.root and get my ticket, but trying to do su gives me "su: kerberos:
> unable to verify rcmd ticket: Incorrect network address (krb_rd_req)".

I have seen this as well. It comes from the fact that your kerberos server is
known by more than one name/IP-address combination. A workaround is to list
the kerberos server in krb.conf by IP address instead of name.

> Another thing which bothered me: I downloaded the kerberized telnet from
> ftp://ftp.pdc.kth.se/pub/krb/binaries/i386-unknown-winnt4.0/ and it telnets
> into fortress with encryption, giving me my proper tickets (the telnet
> program has its own ticket lister). Trying to do the same with inet doesn't
> work; I get a normal telnet connection, without encryption or tickets.

You have to give the standard telnet an extra parameter to get it to use
encryption. Tickets should be issued if you log in with your kerberos (as
opposed to normal) password.

> Both systems have the r* services disabled in inetd, but the Kerberos
> authenticated services (r* -k) are enabled. The server is also running
> the additional registerd and kpasswdd services.

Telnet doesn't use these, it uses telnetd.

> Any reason why 2.2.5-R's kerberos behaves differently and can't communicate
> the same as 2.2.6-R's kerberos?

It can - see above.

> Another question: If I want kerberos to be the only place the passwords are
> stored (since my master.passwd isn't being changed when passwd is used to
> change the kerberos password), how would I go about doing that?

1) Give all users kerberos passwords
2) Change the passwords in the master.passwd file to *

Oh - and do leave a local password for root - it may save you a reboot to
single mode in some cases. And enables you to boot to single-user if the
console is marked "unsecure".

Sander

> --Ludwig Pummer
> ludwigp@bigfoot.com
> ICQ UIN: 692441 http://chipweb.home.ml.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message