Originally posted by: SystemAdmin
Morning!
I cannot seem to find any information about the problem I am having, so I thought I had better make my first post! I work in an environment that is AIX 5.3 and we are starting to implement AIX 6.1 on new servers that are coming in. We use Kerberos throughout the environment as a secure and easy way to ssh between the servers. The procedure to set up a new server with our KDC has become very routine, but for this new 6.1 box, it is not working correctly. I got it set up to grab the TGT from the KDC and I can use that to ssh into any other server in the environment without the root password, but no one can ssh into the box without having to provide the password. The steps below outline what I have done:
from cws (new AIX 6.1 install)
kadmin: addprinc -maxlife "30 days" -randkey -maxrenewlife "30 days" host/hostname.example.sk.ca@EXAMPLE.SK.CA
kadmin: ktadd -k /var/krb5/security/keytab/hostname.saskpower.sk.ca.keytab host/hostname.example.sk.ca@EXAMPLE.SK.CA
ln -s /var/krb5/security/keytab/hostname.example.sk.ca.keytab /etc/krb5/krb5.keytab
then add the .k5login file with the following:
root/admin@EXAMPLE.SK.CA
then run:
chauthent -k5 -std
and lsauthent to check it's all good:
cws:/: > lsauthent
Kerberos 5
Standard Aix
The sshd_config file has been gone through and fixed to allow Kerberos (that was the first thing we ran into), but I still can't ssh to cws without it asking for a password. In the log file on the KDC I do get the following error:
Jun 15 14:30:02 srv-reg-aix-03 /usr/krb5/sbin/krb5kdc 27352(Error): AS_REQ (5 etypes {16 23 18 3 1}) 172.20.1.XX(88): CLIENT_NOT_FOUND: root@EXAMPLE.SK.CA for krbtgt/EXAMPLE.SK.CA@EXAMPLE.SK.CA, Client not found in Network Authentication Service database or client locked out
which is strange, as it's trying to do root@EXAMPLE.SK.CA instead of root/admin@EXAMPLE.SK.CA like our k5login file is set to. That leads me to believe that the .k5login file isn't honored for ssh, but that doesn't make sense, as all our AIX 5.3 servers work with this, utilizing the k5login file.
Has anyone else come across this issue? I'm smacking my head too much and it hurts :(
cws is at the following oslevel:
6100-02-02-0849
more info:
lslpp -l krb*
  Fileset                    Level    State      Description
Path: /usr/lib/objrepos
  krb5.client.rte            1.4.0.7  COMMITTED  Network Authentication Service Client
  krb5.client.samples        1.4.0.7  COMMITTED  Network Authentication Service Samples
  krb5.doc.en_US.html        1.4.0.7  COMMITTED  Network Auth Service HTML Documentation - U.S. English
  krb5.doc.en_US.pdf         1.4.0.7  COMMITTED  Network Auth Service PDF Documentation - U.S. English
  krb5.msg.en_US.client.rte  1.4.0.7  COMMITTED  Network Auth Service Client Msgs - U.S. English
  krb5.server.rte            1.4.0.7  COMMITTED  Network Authentication Service Server
  krb5.toolkit.adt           1.4.0.7  COMMITTED  Network Authentication Service App. Dev. Toolkit
Path: /etc/objrepos
  krb5.client.rte            1.4.0.7  COMMITTED  Network Authentication Service Client
  krb5.server.rte            1.4.0.7  COMMITTED  Network Authentication Service Server
cws:/: > lslpp -l ssh
  Fileset                    Level       State      Description
Path: /usr/lib/objrepos
  openssh.base.client        4.7.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.server        4.7.0.5301  COMMITTED  Open Secure Shell Server
  openssh.license            4.7.0.5301  COMMITTED  Open Secure Shell License
  openssh.man.en_US          4.7.0.5301  COMMITTED  Open Secure Shell Documentation - U.S. English
  openssh.msg.en_US          4.5.0.5301  COMMITTED  Open Secure Shell Messages - U.S. English
Path: /etc/objrepos
  openssh.base.client        4.7.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.server        4.7.0.5301  COMMITTED  Open Secure Shell Server
Any help is appreciated.
Cheers!
#AIX-Forum
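The KDC log line and the .k5login entry quoted in the post, worked through as an added example (not part of the original post or of AIX): a POSIX sh check that pulls the rejected client principal out of a krb5kdc CLIENT_NOT_FOUND entry and tests whether that principal is one the .k5login file actually lists. The log line and .k5login content below are constructed to match the post, and the function names are my own.

```shell
#!/bin/sh
# Added example: compare the principal a KDC rejected with what .k5login grants.
# Both the log line and the .k5login file are constructed sample input.

# Extract the client principal from a krb5kdc CLIENT_NOT_FOUND AS_REQ entry.
# Prints e.g. root@EXAMPLE.SK.CA; prints nothing if the line does not match.
kdc_rejected_client() {
    printf '%s\n' "$1" | sed -n 's/.*CLIENT_NOT_FOUND: *\([^ ,]*\) for .*/\1/p'
}

# Return 0 if the principal appears as a complete line in the .k5login file
# (fixed-string, whole-line match), 1 if absent, 2 if the file is unreadable.
k5login_allows() {
    _princ="$1"; _file="$2"
    [ -r "$_file" ] || return 2
    grep -qxF -- "$_princ" "$_file"
}

# Report whether the rejected principal is even one that .k5login authorizes.
# Returns 0 for "rejected principal is not in .k5login" (the situation in the
# post: the request carried local-user@REALM, not the .k5login principal),
# 1 for "rejected principal is listed but missing from the KDC", 3 if no match.
check_mismatch() {
    _rejected=$(kdc_rejected_client "$1")
    [ -n "$_rejected" ] || { echo "no CLIENT_NOT_FOUND entry found"; return 3; }
    if k5login_allows "$_rejected" "$2"; then
        echo "KDC rejected $_rejected, which IS listed in $2: principal missing on the KDC"
        return 1
    fi
    echo "KDC rejected $_rejected, which is NOT listed in $2: the request used"
    echo "the local user name plus realm as the principal, not a .k5login entry"
    return 0
}

# Constructed sample input in the shape of the post's KDC log entry.
SAMPLE_LOG='Jun 15 14:30:02 srv-reg-aix-03 /usr/krb5/sbin/krb5kdc 27352(Error): AS_REQ (5 etypes {16 23 18 3 1}) 172.20.1.XX(88): CLIENT_NOT_FOUND: root@EXAMPLE.SK.CA for krbtgt/EXAMPLE.SK.CA@EXAMPLE.SK.CA, Client not found in Network Authentication Service database or client locked out'

# Constructed .k5login with the single entry the post describes.
K5LOGIN_FILE="${TMPDIR:-/tmp}/k5login.example.$$"
printf 'root/admin@EXAMPLE.SK.CA\n' > "$K5LOGIN_FILE"
trap 'rm -f "$K5LOGIN_FILE"' EXIT

check_mismatch "$SAMPLE_LOG" "$K5LOGIN_FILE"
```

Run against the real KDC log (`grep CLIENT_NOT_FOUND` on it) and the target host's `~root/.k5login`, the same two functions tell you whether the failing request is carrying a principal that .k5login was ever meant to accept.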