Fabrice Bacchella | 1 Sep 11:49 2011

capath and transitivity

I'm trying to set up a transitive relationship between three Kerberos realms, two of them being AD
domains and one a pure MIT server.

I'm doing my tests on Scientific Linux 6.1, up to date.

In the krb5.conf, I have added:

[domain_realm]
	d1 = R1
	d2 = R2
	d3 = R3

[realms]
	R1 = {
		kdc = kdc.d1
	}
	R2 = {
		kdc = kdc.d2
	}
	R3 = {
		kdc = kdc.d3
	}
[capaths]
	R1 = {
		R3 = R2
		R2 = R2
		R1 = .
	}
	R2 = {
		R3 = R3
(Continue reading)

Ranjith Murugan | 1 Sep 13:33 2011

Kerberos Authentication with Windows AD

Hi All,

I am a newbie to Kerberos authentication, currently trying to set up a
Kerberos server to authenticate against a Windows AD.

Environment:
Ubuntu 10.10 (Kerberos server)
Windows 2003 R2 (Active Directory)

For explanation: Kerberos server (s1.int), Windows AD (s2.int)

The server seems to be working individually. I have created a trust
relationship between S1.int and S2.int, and also created a user in S2.int and
mapped the user to a user on S1.int. Now when I try to log in to a machine
with the Kerberos user, I get an error "NEEDED_PREAUTH". Could someone let
me know the reason for this error? Note: checked clock sync. DNS server
working fine.

Error message from the log file:
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): AS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: NEEDED_PREAUTH: admin@S1.INT for
krbtgt/S1.INT@S2.INT, Additional pre-authentication required
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): AS_REQ (2 etypes {3 1})
10.20.221.180: ISSUE: authtime 1314022172, etypes {rep=3 tkt=1 ses=1},
admin@S1.INT for krbtgt/S1.INT@S1.INT
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): TGS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: ISSUE: authtime 1314022172, etypes {rep=1
tkt=1 ses=1}, admin@S1.INT for krbtgt/S2.INT@S1.INT
Aug 22 15:09:32 lhr-qa12 krb5kdc[3482](info): TGS_REQ (7 etypes {23 -133
-128 3 1 24 -135}) <IP address>: ISSUE: authtime 1314022172, etypes {rep=1
(Continue reading)

Greg Hudson | 1 Sep 18:19 2011

Re: capath and transitivity

On Thu, 2011-09-01 at 05:49 -0400, Fabrice Bacchella wrote:
> [capaths]
> 	R1 = {
> 		R3 = R2
> 		R2 = R2
> 		R1 = .
> 	}
> 	R2 = {
> 		R3 = R3
> 		R2 = .
> 		R1 = R1
> 	}
> 	R3 = {
> 		R1 = R2
> 		R2 = R2
> 		R3 = .
> 	}

I believe you can simplify that to:

[capaths]
  R1 = {
    R3 = R2
    R2 = .
  }
  R2 = {
    R1 = .
    R3 = .
  }
  R3 = {
(Continue reading)

Fabrice Bacchella | 1 Sep 18:33 2011

Re: capath and transitivity

On 1 Sep 2011, at 18:19, Greg Hudson wrote:
> I believe you can simplify that to:
> 

I know, I tried that to be sure to not miss something.

>> What's the point of a TGS for krbtgt/R3@R1 on kdc.d2? I expected a
>> TGS_REQ for krbtgt/R3@R2.
> 
> That's a previously unknown bug introduced in krb5 1.9.  I think it's
> gone unnoticed until now because an MIT KDC at R2 will paper over the
> problem by returning krbtgt/R3@R2 in response to the krbtgt/R3@R1
> request.
> 

Should some unit tests be added?

> I can provide a patch (it's a one-liner), but since you're using an OS
> distribution of krb5 I imagine it wouldn't be convenient to use.
> Unfortunately, I can't think of a good workaround.  The fix should be in
> 1.9.2.
> 
> 

Thanks, that's great news. At least I know now that I'm not totally stupid. I will keep an eye on upstream's
updates from now on.

________________________________________________
Kerberos mailing list           Kerberos <at> mit.edu
(Continue reading)

Andreas Ntaflos | 2 Sep 00:26 2011

SSH, REQUIRES_PWCHANGE and policies problem

Hi list,

I am currently experimenting a bit with Kerberos policies and have run
into a small usability problem regarding SSH, pam-krb5 and
REQUIRES_PWCHANGE. Using Kerberos 1.8.1, OpenSSH "5.3p1 Debian-3ubuntu6"
on Ubuntu 10.04.3.

Without a policy applied, a user with REQUIRES_PWCHANGE gets prompted by
SSH upon successful login that his password needs to be changed. This
works fine.

However, when a policy is set, and the user's new password does not
conform to that policy, SSH does not inform the user of the problem, it
simply re-prompts for the original password and then asks for a new
password again. Naturally, a user will find this confusing.

The Kerberos logs show the failed password change correctly (i.e.
"password too short"), but SSH doesn't seem to understand the problem.
In the server's SSH logs only "authentication failed" messages are
shown, here an example from our test installation:

pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0
euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=xx.yy.zz.aa  user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa

For reference, the relevant PAM settings on the SSH server:

account sufficient      pam_krb5.so
(Continue reading)

Russ Allbery | 2 Sep 00:42 2011

Re: SSH, REQUIRES_PWCHANGE and policies problem

Andreas Ntaflos <daff <at> pseudoterminal.org> writes:

> However, when a policy is set, and the user's new password does not
> conform to that policy, SSH does not inform the user of the problem, it
> simply re-prompts for the original password and then asks for a new
> password again. Naturally, a user will find this confusing.

pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
tries to tell the user about a password change failure by sending a
message to the PAM conversation of type PAM_ERROR_MSG.  It sounds like for
some reason ssh isn't accepting and displaying that message?

Could you try adding "debug" to the PAM options for the auth stack and see
if the output in your local syslog about what pam-krb5 saw as the password
change error is correct?  You should see something prefixed with
krb5_change_password.  (I wonder if that should be logged at a level
higher than debug.)

Ah, hm.  The other possibility is that the Kerberos library may be
handling the password change internally, in which case I'm not sure what
its prompting behavior is on password change failure.  Actually, that's
the most likely, since the Kerberos library, given a prompter function,
will usually just do everything internally.  Maybe it doesn't
print out the reason for a failed password change?

--

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>
(Continue reading)

Russ Allbery | 2 Sep 00:49 2011

Re: pam-krb5 error when called from Samba

Andreas Ntaflos <daff <at> pseudoterminal.org> writes:

> Russ, thank you for your reply!

Sorry about not following up again; it looks like the mailing list ate the
list copy of the message, so it got misfiled.

> I have only recently started trying to understand how Samba setups
> (standalone or PDC) would work together with Kerberos (and LDAP) so I am
> not even sure if calling "smbpasswd -r" from a remote machine is the
> right approach. Smbpasswd prompts for the old and new passwords so it
> seems that Samba should take care of the conversation details and
> passing the authtok.

It's tricky to do that.  PAM doesn't provide any great way to do that,
other than setting the password as auth data.  It really likes you to have
a conversation function.  But it may very well do it properly; I've never
used it myself.

Usually, I would expect the application-specific password programs like
kpasswd or smbpasswd to only change the password in that specific system,
and not try to use PAM or do anything generic.

> But your last point (passwd that changes krb5 and smb passwords) sounds
> interesting. Could you perhaps hint at a PAM configuration that would
> accomplish this? I have spent all of last night reading about and
> configuring PAM and the words "requisite", "required", "optional", etc.
> are starting to blend together.

Well, the typical pam-krb5 configuration for password change is:
(Continue reading)

Russ Allbery | 2 Sep 01:11 2011

Re: SSH, REQUIRES_PWCHANGE and policies problem

Andreas Ntaflos <daff <at> pseudoterminal.org> writes:

> It seems indeed that SSH gets informed that the password change failed,
> but doesn't know much else. I don't see a message prefixed with
> "krb5_change_password", I'm afraid.

Okay, this is indeed all being handled internally by the Kerberos library.
Maybe one of the MIT Kerberos folks can comment about how errors are
reported through the Kerberos prompter facility.  (My PAM module
unfortunately doesn't log the prompts that it passes along from Kerberos;
I should probably look at doing that.)

> After adding "debug" to the pam-krb5 options the server's SSH logs show
> this when the user logs in and changes the password:

> pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
> pam_krb5(sshd:auth): (user testuser) attempting authentication as
> testuser@EXAMPLE.COM
> pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password:
> Password change failed
> pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0
> euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa

The problem from SSH's perspective is that since it's doing an
authentication, not a password change, it doesn't know that the password
change failed.  All that PAM can tell it is that the authentication
failed, not why (in this case a forced and failed password change).  So it
starts the authentication over again, which just presents a new password
change prompt again.

(Continue reading)

Andreas Ntaflos | 2 Sep 01:03 2011

Re: SSH, REQUIRES_PWCHANGE and policies problem

On 2011-09-02 00:42, Russ Allbery wrote:
> Andreas Ntaflos <daff <at> pseudoterminal.org> writes:
> 
>> However, when a policy is set, and the user's new password does not
>> conform to that policy, SSH does not inform the user of the problem, it
>> simply re-prompts for the original password and then asks for a new
>> password again. Naturally, a user will find this confusing.
> 
> pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
> tries to tell the user about a password change failure by sending a
> message to the PAM conversation of type PAM_ERROR_MSG.  It sounds like for
> some reason ssh isn't accepting and displaying that message?
> 
> Could you try adding "debug" to the PAM options for the auth stack and see
> if the output in your local syslog about what pam-krb5 saw as the password
> change error is correct?  You should see something prefixed with
> krb5_change_password.  (I wonder if that should be logged at a level
> higher than debug.)

Russ, thanks for your prompt response, again!

It seems indeed that SSH gets informed that the password change failed,
but doesn't know much else. I don't see a message prefixed with
"krb5_change_password", I'm afraid.

After adding "debug" to the pam-krb5 options the server's SSH logs show
this when the user logs in and changes the password:

pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as
(Continue reading)

Andreas Ntaflos | 2 Sep 01:24 2011

Re: pam-krb5 error when called from Samba

On 2011-09-02 00:49, Russ Allbery wrote:
> Andreas Ntaflos <daff <at> pseudoterminal.org> writes:
> 
>> Russ, thank you for your reply!
> 
> Sorry about not following up again; it looks like the mailing list ate the
> list copy of the message, so it got misfiled.

No problem, thanks for following up!

>> I have only recently started trying to understand how Samba setups
>> (standalone or PDC) would work together with Kerberos (and LDAP) so I am
>> not even sure if calling "smbpasswd -r" from a remote machine is the
>> right approach. Smbpasswd prompts for the old and new passwords so it
>> seems that Samba should take care of the conversation details and
>> passing the authtok.
> 
> It's tricky to do that.  PAM doesn't provide any great way to do that,
> other than setting the password as auth data.  It really likes you to have
> a conversation function.  But it may very well do it properly; I've never
> used it myself.

Well, Samba does have a conversation defined (mimicking the regular UNIX
passwd change conversation, I think) but it gets ignored when using PAM
password changes. So I don't really know what Samba does internally.

I should probably head over to the Samba mailing lists for this, but if I
remember correctly the SNR there is usually quite low; that's why I
tried the Kerberos list first.

(Continue reading)
