From: "antonelladicristofaro@katamail.com" <antonelladicristofaro@katamail.com>
To: krb5-bugs@mit.edu
Subject: Help!
Date: Fri, 27 Feb 2004 14:35:08 +0000
HELLO!
CAN YOU HELP ME? I HAVE A "LITTLE" PROBLEM WITH KERBEROS V5!!
MY CONFIGURATION FILES ARE:

*****kdc.conf****

[kdcdefaults]
kdc_ports = 749, 88

[realms]
MYREALM.IT= {
dict_file = /usr/share/dict/words
database_name = /var/kerberos/krb5kdc/principal
admin_keytab = FILE:/var/kerberos/krb5kdc/kadm5.keytab
acl_file = /var/kerberos/krb5kdc/kadm5.acl
key_stash_file = /var/kerberos/krb5kdc/.k5.MYREALM.IT
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

[logging]
kdc = FILE:/var/kerberos/krb5kdc/kdc.log
admin_server = FILE:/var/kerberos/krb5kdc/kadmin.log



*****krb5.conf****

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYREALM
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
ticket_lifetime = 36000
dns_lookup_realm = false
dns_lookup_kdc = false
noaddresses = false

[realms]
MYREALM= {
kdc = host.domain.myrealm.it:88
admin_server = host.domain.myrealm.it:749
default_domain = myrealm.it
}

[domain_realm]
.it = MYREALM.IT
it = MYREALM.IT
host.domain.myrealm.it = MYREALM.IT
host.domain.myrealm=MYREALM.IT
host.domain= MYREALM.IT
host= MYREALM.IT

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

[appdefaults]
kinit = {
forwardable = true
}
telnet = {
forward = true
encrypt = true
autologin = true
}

THE DAEMONS START CORRECTLY.
THE LOG FILE (ON KDC) SHOWS THAT BOTH THE TICKET-GRANTING-TICKET AND THE HOST TICKET ARE GENERATED, IN FACT:

****Krb5kdc.log****

setting up network...
listening on fd 7: A.B.C.D port 749
listening on fd 8: A.B.C.D port 88
set up 2 sockets
commencing operation

AS_REQ A.B.C.D(88): ISSUE: authtime 1077875078, anto78/admin@MYREALM.IT for krbtgt/MYREALM.IT @MYREALM.IT

TGS_REQ A.B.C.D(88): ISSUE: authtime 1077875078, anto78/admin@MYREALM.IT for host/host.domain.myrealm.it@MYREALM.IT


I HAVE AN ERROR MESSAGE ON THE CLIENT:
I AM GETTING A FORWARDABLE TICKET WITH

kinit -f

BUT WHEN I TRY TO TELNET WITH

telnet -a -x -f host.domain.myrealm.it

I READ THE FOLLOWING:

Trying A.B.C.D....
Connected to host.domain.myrealm.it (A.B.C.D).
Escape character is '^]'.

Waiting for encryption to be negotiated.

[Kerberos v5 refuses authentication because telnetd: krb5_rd_req failed: key version number for principal in key table is incorrect]

[Kerberos v5 refuses authentication because telnetd: krb5_rd_req failed: key version number for principal in key table is incorrect]

[Kerberos v5 refuses authentication because telnetd: krb5_rd_req failed: key version number for principal in key table is incorrect]

Authentication negotiation has failed, which is
required for encryption. Good Bye.


PLEASE, HELP ME!
I HAVE CHECKED THE KEY VERSION NUMBER WITH:

klist -ke

AND EVERY PRINCIPAL HAS A KEY NUMBER, BUT I HAVEN'T UNDERSTOOD IF IT IS A RANDOM NUMBER OR A SPECIFIC NUMBER, AND I DON'T KNOW HOW TO RESOLVE THE PROBLEM!

THANKS, Antonella.
From: "antonelladicristofaro@katamail.com" <antonelladicristofaro@katamail.com>
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #2298] Help!
Date: Fri, 27 Feb 2004 14:37:51 +0000
RT-Send-Cc:
[Body repeats the first message above.]

From: "antonelladicristofaro@katamail.com" <antonelladicristofaro@katamail.com>
To: krb5-bugs@mit.edu
Subject: [krbdev.mit.edu #2298]!!!
Date: Fri, 27 Feb 2004 15:42:55 +0000
RT-Send-Cc:
[Body repeats the first message above.]

Hi. You don't need to send the same message three times; it's not going
to help us get to your report any quicker.

> [Kerberos v5 refuses authentication because telnetd: krb5_rd_req
> failed: key version number for principal in key table is incorrect]


> I HAVE CHECKED THE KEY VERSION NUMBER WITH:
>
> klist -ke
>
> AND EVERY PRINCIPAL HAS A KEY NUMBER, BUT I HAVEN'T UNDERSTOOD IF IT IS
> A RANDOM NUMBER OR A SPECIFIC NUMBER, AND I DON'T KNOW HOW TO RESOLVE
> THE PROBLEM!

What version number is indicated by the klist command above? Try also
running "kvno host/your-servers-host-name.domain.it" on the client, and
see if it reports the same key version number. From the error message
you gave, I suspect the number on the client side will be larger. (Or
it could be smaller, if you set up Kerberos, extracted a host key a
couple of times, deleted your database, and started over but kept the
old host key file.) If so, extract another version of the host key with
kadmin (note that this updates the key version number and changes the
key), and install the new key file on the server. You'll need to run
kinit again on the client (it won't know that the credentials it's got
for communicating with the server using the old host key are no longer
valid), but otherwise, that would probably fix your problem.
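
The comparison suggested in the reply above, as an added example that is not part of the original thread or of MIT's code: it parses the server's "klist -ke" output and the client's "kvno" output and reports which side is behind. The sample outputs and the function names are constructed for illustration; the principal follows the thread.

```shell
#!/bin/sh
# Added example: compare the key version number (KVNO) stored in a server
# keytab with the KVNO the KDC currently issues service tickets for.

# Constructed `klist -ke` output from the server: the keytab holds kvno 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/host.domain.myrealm.it@MYREALM.IT (des-cbc-crc)
   3 host/host.domain.myrealm.it@MYREALM.IT (des3-cbc-sha1)'

# Constructed `kvno host/...` output from the client: the KDC is at kvno 4.
SAMPLE_KVNO='host/host.domain.myrealm.it@MYREALM.IT: kvno = 4'

# keytab_kvnos PRINCIPAL: read klist -k/-ke output on stdin and print the
# distinct KVNOs stored for PRINCIPAL, one per line, ascending.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -nu
}

# kdc_kvno PRINCIPAL: read kvno output on stdin and print the number.
kdc_kvno() {
    awk -v p="$1:" '$1 == p && $2 == "kvno" && $3 == "=" { print $4; exit }'
}

# diagnose PRINCIPAL KLIST_TEXT KVNO_TEXT: print a one-word verdict.
#   keytab-stale  KDC number is larger: extract a new host key with kadmin,
#                 install it on the server, then run kinit again
#   keytab-ahead  KDC number is smaller: old key file kept after a rebuild
diagnose() {
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    [ -n "$kdc" ] || { echo unknown; return 2; }
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    [ -n "$have" ] || { echo missing; return 1; }
    # A keytab may hold several versions; a match on any one is enough.
    if printf '%s\n' "$have" | grep -qx "$kdc"; then echo match; return 0; fi
    newest=$(printf '%s\n' "$have" | tail -n 1)
    if [ "$kdc" -gt "$newest" ]; then echo keytab-stale
    else echo keytab-ahead; fi
    return 1
}

# Run on the constructed samples (prints "keytab-stale").
diagnose "host/host.domain.myrealm.it@MYREALM.IT" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

On a real deployment, pass the text of "klist -ke" captured on the server and of "kvno host/..." captured on the client after kinit in place of the two sample variables.
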
From: "antonelladicristofaro@katamail.com" <antonelladicristofaro@katamail.com>
To: rt-comment@krbdev.mit.edu
Subject: [krbdev.mit.edu #2298]
Date: Wed, 09 Jun 2004 14:30:39 +0000
RT-Send-Cc:
Hello!
I want to kerberize a SIP proxy but I don't know the way to do it!
Can you propose any documents or articles that I can consult?
Thanks, Antonella.

PS. Excuse me for the bad language!!!!

closing support request