Configuring Kerberos as a replacement authentication in NIS: Client not found in Kerberos database

I followed the Oracle tutorial for configuring NIS and using Kerberos as the authentication mechanism. I believe I got the Realm and KDC configured and running correctly on a server that is running NIS, so ypserv and ypbind are running. On a Kerberos client I ran the following command successfully (note authconfig is deprecated in favor of authselect but still works):

authconfig --enablenis --enablekrb5 --krb5realm=SUBDOMAIN.OURDOMAIN.EDU --krb5adminserver=sub.sub.ourdomain.edu --krb5kdc=sub.sub.ourdomain.edu --update

So kinit admin@SUBDOMAIN.OURDOMAIN.EDU works, when going from a Kerberos client to the KDC and Admin server, which are the same machine. Here’s a snip from /var/log/krb5kdc.log:
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) x.x.x.x: ISSUE: authtime 1603133224, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, admin@ourdomain.edu for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU

klist
Ticket cache: KEYRING:persistent:6105:6105
Default principal: admin@SUBDOMAIN.OURDOMAIN.EDU

Valid starting     Expires            Service principal
10/19/20 14:57:43  10/20/20 14:57:39  krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
        renew until 10/19/20 14:57:43

But using ssh -K -vv returns “Unspecified GSS failure” but I at least log in.

ssh -K -vv myuser@sub.sub.ourdomain.edu
OpenSSH_8.3p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /path/to/.ssh/config
debug1: /path/to/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22" does not exist
debug2: resolving "sub.sub.ourdomain.edu" port 22
debug2: ssh_connect_direct
debug1: Connecting to sub.sub.ourdomain.edu [x.x.x.x] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sub.sub.ourdomain.edu:22 as 'myuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XUXhRKNYwxAGhwVIMa3fuo8uNMay6q4/qVeSWlQAOpM
debug1: Host 'sub.sub.ourdomain.edu' is known and matches the ECDSA host key.
debug1: Found key in /path/to/.ssh/known_hosts:33
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /path/to/.ssh/id_rsa RSA SHA256:++6z7fhR603SUI0fWp7k7noRz1/41+9/hM/rWjNQlXk
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /path/to/.ssh/id_dsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa
debug1: Trying private key: /path/to/.ssh/id_ecdsa_sk
debug1: Trying private key: /path/to/.ssh/id_ed25519
debug1: Trying private key: /path/to/.ssh/id_ed25519_sk
debug1: Trying private key: /path/to/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
myuser@sub.sub.ourdomain.edu's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to sub.sub.ourdomain.edu ([150.108.64.156]:22).
debug1: setting up multiplex master socket
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [/path/to/.ssh/sockets/myuser@sub.sub.ourdomain.edu-22]
debug2: fd 3 setting TCP_NODELAY
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 126689
debug2: fd 4 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug2: set_control_persist_exit_time: schedule exit in 600 seconds
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug1: channel 1: new [mux-control]
debug2: set_control_persist_exit_time: cancel scheduled exit
debug2: mux_master_process_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug2: mux_master_process_alive_check: channel 1: alive check
debug2: mux_master_process_new_session: channel 1: request tty 1, X 1, agent 0, subsys 0, term "xterm", cmd "", env 2
debug1: channel 2: new [client-session]
debug2: mux_master_process_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug2: channel_input_open_confirmation: channel 2: callback start
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_ALL = C
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: channel_input_open_confirmation: channel 2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2

Running kinit results in:
kinit: Client 'myuser@SUBDOMAIN.OURDOMAIN.EDU' not found in Kerberos database while getting initial credentials

and /var/log/krb5kdc.log has:
CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database

I also looked at this Toolbox tutorial but I didn’t find anything there that helped.

Also, how can users who don’t have a Kerberos client, e.g., their personal laptop, log in using Kerberos authentication? Will ssh -K suffice?

1 Like
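Two separate problems show up in the output above, and the added script below (my own example, not from the post, the Oracle tutorial or MIT krb5) checks both against constructed sample data modelled on the thread. First, CLIENT_NOT_FOUND for myuser@SUBDOMAIN.OURDOMAIN.EDU means the KDC has no principal for that account at all, so neither kinit nor ssh -K can work for it until one is created (kadmin.local is MIT's local admin tool, assumed to be present on the KDC). Second, even with a ticket in the cache, GSSAPI login only succeeds when the ticket's principal maps to the target account: with no ~/.k5login, MIT krb5 accepts only account@DEFAULT_REALM, so a TGT for admin@... does not log you in as myuser. The "No Kerberos credentials available" line in the ssh -vv output is a third, simpler issue: at the moment ssh ran, the keyring cache for that uid held no TGT, so kinit has to be run in the same user session first. Realm, host names and log lines below are constructed.

```shell
#!/bin/sh
# Added example: pull CLIENT_NOT_FOUND principals out of krb5kdc.log text and
# model MIT's krb5_kuserok mapping rule for GSSAPI logins.

# Constructed sample log: one successful AS_REQ and two failures for a
# principal that does not exist (duplicate lines show de-duplication).
SAMPLE_KDC_LOG='Oct 19 14:57:43 kdc krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: ISSUE: authtime 1603133224, etypes {rep=18 tkt=18 ses=18}, admin@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU
Oct 19 15:02:10 kdc krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database
Oct 19 15:02:41 kdc krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.0.0.5: CLIENT_NOT_FOUND: myuser@SUBDOMAIN.OURDOMAIN.EDU for krbtgt/SUBDOMAIN.OURDOMAIN.EDU@SUBDOMAIN.OURDOMAIN.EDU, Client not found in Kerberos database'

# Print each principal the KDC rejected as CLIENT_NOT_FOUND, once.
# Input: log text on stdin. The principal is the token after "CLIENT_NOT_FOUND: ".
missing_principals() {
    sed -n 's/.*CLIENT_NOT_FOUND: \([^ ]*\) for .*/\1/p' | sort -u
}

# Print one kadmin.local command per missing principal (log text on stdin).
# addprinc prompts for the password; add -randkey instead for service principals.
suggest_addprinc() {
    missing_principals | while read -r princ; do
        printf 'kadmin.local -q "addprinc %s"\n' "$princ"
    done
}

# Model of MIT krb5_kuserok: may ticket principal $1 log in as local account $2
# when the default realm is $3 and the account's ~/.k5login holds $4?
# ($4 empty means the file does not exist.) Without a .k5login only
# "<account>@<default realm>" is accepted; with one, the exact principal must
# be listed. Prints "allowed" or "denied".
kuserok() {
    princ=$1; account=$2; realm=$3; k5login=$4
    if [ -n "$k5login" ]; then
        if printf '%s\n' "$k5login" | grep -qxF "$princ"; then
            echo allowed
        else
            echo denied
        fi
    elif [ "$princ" = "$account@$realm" ]; then
        echo allowed
    else
        echo denied
    fi
}

# Demo on the constructed log.
printf '%s\n' "$SAMPLE_KDC_LOG" | suggest_addprinc
echo "admin ticket -> myuser account, no .k5login: $(kuserok admin@SUBDOMAIN.OURDOMAIN.EDU myuser SUBDOMAIN.OURDOMAIN.EDU "")"
echo "admin ticket -> myuser account, admin listed in .k5login: $(kuserok admin@SUBDOMAIN.OURDOMAIN.EDU myuser SUBDOMAIN.OURDOMAIN.EDU admin@SUBDOMAIN.OURDOMAIN.EDU)"
```

On a real KDC, feed the script `grep CLIENT_NOT_FOUND /var/log/krb5kdc.log` instead of the sample text. The .k5login route is the one to use when an admin needs to reach other accounts over ssh -K; the rest of the users need their own principal and their own kinit (or a PAM module such as pam_krb5 or sssd that obtains the ticket at password login).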

Check on the server side:

sudo sshd -T
grep -v -r -e ^# -e ^$ /etc/nsswitch.conf /etc/krb5.conf*

Hm, kerberosauthentication no. What else should I check?

port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
x11maxdisplays 1000
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
kerberosuniqueccache no
kerberosusekuserok yes
gssapienablek5users no
gssapiauthentication yes
gssapicleanupcredentials no
gssapikeyexchange no
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
loglevel INFO
syslogfacility AUTHPRIV
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
acceptenv LANG
acceptenv LC_CTYPE
acceptenv LC_NUMERIC
acceptenv LC_TIME
acceptenv LC_COLLATE
acceptenv LC_MONETARY
acceptenv LC_MESSAGES
acceptenv LC_PAPER
acceptenv LC_NAME
acceptenv LC_ADDRESS
acceptenv LC_TELEPHONE
acceptenv LC_MEASUREMENT
acceptenv LC_IDENTIFICATION
acceptenv LC_ALL
acceptenv LANGUAGE
acceptenv XMODIFIERS
authenticationmethods any
subsystem sftp /usr/libexec/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
aliases:    files nis
automount:  files nis
ethers:     files nis
group:      files nis systemd
hosts:      files nis dns myhostname
initgroups: files nis
netgroup:   files nis
networks:   files nis
passwd:     files nis systemd
protocols:  files nis
publickey:  files nis
rpc:        files nis
services:   files nis
shadow:     files nis
bootparams: nisplus [NOTFOUND=return] files
netmasks:   files
1 Like

So I’m reading that:

# These are for protocol version 1
KerberosAuthentication yes
KerberosTgtPassing yes
# These are for version 2
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

Most tutorials, such as this one from Oracle, say:

To use ssh and related OpenSSH commands to connect from a Kerberos client system to another Kerberos client system:

  1. On the remote Kerberos client system, verify that GSSAPIAuthentication is enabled in /etc/ssh/sshd_config :

GSSAPIAuthentication yes

  2. On the local Kerberos client system, enable GSSAPIAuthentication and GSSAPIDelegateCredentials in the user’s .ssh/config file:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

But I also read this:

“Once you have a working set of Kerberos servers, you’ll probably want to be able to log into your system using your Kerberos password. Since we don’t have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to K, the community standard to indicate that the password comes from Kerberos.”

So does the /etc/shadow file need to be Kerberized?

1 Like
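Between the sshd -T dump posted earlier and the KerberosAuthentication/GSSAPIAuthentication snippet quoted above, the point that matters is which option does what: GSSAPIAuthentication is what makes sshd offer gssapi-with-mic (the ticket path that ssh -K uses), while KerberosAuthentication only lets sshd validate a typed password against the KDC, so "kerberosauthentication no" does not break ssh -K. KerberosTgtPassing belonged to SSH protocol 1 and is not a current OpenSSH option. Neither path reads the hash field in /etc/shadow when a ticket is presented. The added script below (my own example, not from the thread or from OpenSSH) audits an sshd -T dump and an nsswitch.conf for the settings that decide whether a NIS account can log in with a ticket; the input text is constructed sample data modelled on the output posted above.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output and nsswitch.conf for ssh -K readiness.

# Constructed sample of `sshd -T` output (keywords are printed lower-case).
SAMPLE_SSHD_T='usepam yes
permitrootlogin yes
pubkeyauthentication yes
kerberosauthentication no
gssapiauthentication yes
gssapicleanupcredentials no
gssapikeyexchange no
gssapistrictacceptorcheck yes
passwordauthentication yes'

# Constructed sample of the relevant nsswitch.conf lines.
SAMPLE_NSSWITCH='passwd:     files nis systemd
group:      files nis systemd
shadow:     files nis'

# Value of one sshd -T keyword ($1) from dump text ($2); empty if absent.
sshd_opt() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# One finding per line; empty output means the GSSAPI path looks sane.
audit_sshd_gssapi() {
    cfg=$1
    # gssapi-with-mic is only offered when this is yes.
    [ "$(sshd_opt gssapiauthentication "$cfg")" = yes ] ||
        echo "gssapiauthentication must be yes for ssh -K"
    # kerberosauthentication affects password auth only; "no" is fine here,
    # so it is deliberately not reported.
    # PAM account/session modules (pam_krb5, pam_sss, ...) need this.
    [ "$(sshd_opt usepam "$cfg")" = yes ] ||
        echo "usepam should be yes so PAM account/session modules run"
    # Hardening points visible in the same dump.
    [ "$(sshd_opt permitrootlogin "$cfg")" != yes ] ||
        echo "permitrootlogin yes: restrict to prohibit-password or no"
    # Default is yes; "no" leaves delegated tickets on disk after logout.
    [ "$(sshd_opt gssapicleanupcredentials "$cfg")" = yes ] ||
        echo "gssapicleanupcredentials no: delegated tickets outlive the session"
}

# sshd must resolve the account (getpwnam) before any method can succeed,
# so the passwd database has to list nis when the users live there.
audit_nsswitch_nis() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "nis") ok = 1 }
        END { print (ok ? "passwd via nis: ok" : "passwd: nis missing") }'
}

# Demo on the constructed samples; on a real host use:
#   audit_sshd_gssapi "$(sudo sshd -T)"
#   audit_nsswitch_nis "$(cat /etc/nsswitch.conf)"
audit_sshd_gssapi "$SAMPLE_SSHD_T"
audit_nsswitch_nis "$SAMPLE_NSSWITCH"
```

With the dump from the thread the audit reports only the two hardening points (permitrootlogin and gssapicleanupcredentials); the GSSAPI and NIS lookup settings themselves are in order, which is consistent with the failure being on the KDC side (missing principal) rather than in sshd.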

So I got a reply from the Kerberos mailing list and I was hoping someone here could guide me in getting the correct auth stack in the PAM config files

Using the .deb file I extracted pam_krb5_migrate_mit.so and got the following errors:

/usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
cannot open shared object file: No such file or directory

The reply I got:

In Fedora, libkadm5clnt_mit.so is provided by libkadm5. However, there has been a soname bump (to 12).
Please be aware that I (the Fedora maintainer) do not support external programs using the libkadm5 interfaces, and upstream krb5 does not provide stability guarantees for it.

Based on the Oracle guide for Solaris, what should I put where they have pam_krb5_migrate.so.1 ?

1 Like

That tells me that pam_krb5_migrate.so.1 cannot find libkadm5clnt_mit.so.11, and the reply you got said there was a version bump to 12. The implication is that libkadm5clnt_mit.so.11 was removed and libkadm5clnt_mit.so.12 replaced it, while PAM is still trying to find the 11 file.

The easy way that usually works for me with version bumps, if not done automatically during the update, is to create a symlink from the expected name (libkadm5clnt_mit.so.11) to the current name (libkadm5clnt_mit.so.12). Thus anything asking for that library gets access regardless of which filename they use. This is standard usage with many packages so access does not get hosed up with library updates. For example:

# ls -l /usr/lib64/libmodulemd*
lrwxrwxrwx. 1 root root     21 Jan 29  2020 /usr/lib64/libmodulemd.so.1 -> libmodulemd.so.1.8.16
-rwxr-xr-x. 1 root root 485952 Jan 29  2020 /usr/lib64/libmodulemd.so.1.8.16
lrwxrwxrwx. 1 root root     20 Apr  8  2020 /usr/lib64/libmodulemd.so.2 -> libmodulemd.so.2.9.3
-rwxr-xr-x. 1 root root 498904 Apr  8  2020 /usr/lib64/libmodulemd.so.2.9.3

There are hundreds of similar links on my system in the libraries.

1 Like

OK so I did:
ln -s /usr/lib64/libkadm5clnt_mit.so.12.0 /usr/lib64/libkadm5clnt_mit.so.11

Now getting:

Oct 23 17:19:11 ourserver sshd[73928]: PAM unable to resolve symbol: pam_sm_authenticate
Oct 23 17:19:11 ourserver sshd[73928]: PAM unable to resolve symbol: pam_sm_setcred

So I’m not sure what to put in /etc/authselect/password-auth and /etc/authselect/system-auth. I have:
auth optional pam_krb5_migrate.so.1 expire_pw

You posted what might be the answer in your comment about the /etc/shadow file…
Please be sure you do a backup so you don’t break your own user login while testing.

I can’t help you more than that.

1 Like

Well, I put the “K” in the user’s password field in /etc/shadow; still getting:

debug1: PAM: initializing for "fred"
PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred