kinit asking for password in spite of PKI configuration - kerberos

Invoking kinit with the principal name to get a Kerberos ticket asks for a password, even though I want it to authenticate with the client certificate I have configured in /etc/krb5.conf. How can I force it to skip the password, use only the client certificate in the AS-REQ, and do PKI authentication to get the Kerberos ticket? I have the principal in the UPN of kclientcert2.pem, whose private key is kclientkey2.pem and which is issued by kclientca.pem. I have all of them in my /root folder. I then invoke kinit with the principal name as a parameter, and I am prompted for a password.
My /etc/krb5.conf realm config looks like this:
[realms]
myrealm = {
    kdc = <ldap server IP>:88
    kdc_tcp_ports = 88
    pkinit_eku_checking = kpServerAuth
    pkinit_anchors = FILE:/root/kclientca.pem
    pkinit_identities = FILE:/root/kclientcert2.pem,/root/kclientkey2.pem
}
Now I installed the krb5-pkinit package on one Ubuntu client. After this it did not prompt for a password, but it gave the message "kinit: KDC name mismatch while getting initial credentials". The tcpdump shows a second AS-REQ followed by an AS-REP with error code 11.
On an embedded client running Linux, I couldn't install the package as on Ubuntu, so I copied the krb5 shared libraries, such as preauth/pkinit.so and the other .so files, to /usr/lib, which is the standard library path of the embedded client, but it still prompts for a password. @michael-o (https://stackoverflow.com/users/696632/michael-o), we got disconnected on the other thread; can you please help me understand why the KDC name mismatch occurs on Ubuntu and which library I am missing on the embedded client?
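An added check for the two failure modes in this question (example code, not from the question and not MIT krb5's own): the script below walks a certificate's DER with the standard library only, pulls out the Extended Key Usage and Subject Alternative Name extensions, and applies the tests kinit's pkinit module runs on the KDC certificate. With the default pkinit_eku_checking = kpKDC the KDC certificate must carry the id-pkinit-KPKdc EKU, and with kpServerAuth id-kp-serverAuth is accepted as well; independently of that, the SAN must contain krbtgt/REALM@REALM as a pkinit otherName, or a dNSName equal to pkinit_kdc_hostname when that option is set, and failing this second test is what surfaces as "KDC name mismatch". It also applies the KDC-side checks to a client certificate such as kclientcert2.pem (client-auth or smart-card-logon EKU, and the principal in a pkinit SAN or, where the KDC allows UPNs, a UPN otherName). The demo data is constructed with the builder at the end of the block; the realm EXAMPLE.COM, the host kdc.example.com and the principal names are assumptions.

```python
"""Added example (standard library only; not code from the question or from MIT krb5): walk a
certificate's DER, pull out EKU and SAN, and apply the PKINIT checks on KDC and client certs."""
import base64, re

OID_EKU, OID_SAN = "2.5.29.37", "2.5.29.17"
OID_KPKDC, OID_SERVERAUTH = "1.3.6.1.5.2.3.5", "1.3.6.1.5.5.7.3.1"       # KDC certificate EKUs
OID_KPCLIENT, OID_SCLOGON = "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2"  # client certificate EKUs
OID_PKINIT_SAN, OID_UPN = "1.3.6.1.5.2.2", "1.3.6.1.4.1.311.20.2.3"      # SAN otherName types

def pem_to_der(text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                     # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln]
        pos += ln

def der(tag, content):
    """Encode one DER TLV (short and long form); only used to build the constructed test input."""
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, n]) + content if n < 0x80 else bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a > 0x7F:                                   # base-128, high bit set on all but the last byte
            a >>= 7
            chunk = bytes([(a & 0x7F) | 0x80]) + chunk
        out += chunk
    return out

def find_extension(buf, oid):
    """Depth-first search for the Extension whose first child is `oid`; returns its extnValue bytes."""
    for tag, val in tlvs(buf):
        if tag & 0x20:                                    # constructed type: look inside
            kids = list(tlvs(val))
            if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == oid:
                return next(v for t, v in kids if t == 0x04)   # skips an optional critical BOOLEAN
            found = find_extension(val, oid)
            if found is not None:
                return found
    return None

def strings_in(buf, want):
    """All primitive strings with tag `want` anywhere below buf, in document order."""
    out = []
    for tag, val in tlvs(buf):
        if tag == want:
            out.append(val.decode())
        elif tag & 0x20:
            out.extend(strings_in(val, want))
    return out

def pkinit_names(cert_der):
    """Return (eku_oids, {'dns': [...], 'upn': [...], 'krb': [...]})."""
    ekus = [decode_oid(v) for _, seq in tlvs(find_extension(cert_der, OID_EKU) or b"")
            for t, v in tlvs(seq) if t == 0x06]
    san = {"dns": [], "upn": [], "krb": []}
    for _, seq in tlvs(find_extension(cert_der, OID_SAN) or b""):
        for tag, gn in tlvs(seq):
            if tag == 0x82:                               # dNSName [2] IA5String
                san["dns"].append(gn.decode())
            elif tag == 0xA0:                             # otherName [0]: type-id OID, [0] EXPLICIT value
                kind = decode_oid(next(v for t, v in tlvs(gn) if t == 0x06))
                if kind == OID_UPN:
                    san["upn"] += strings_in(gn, 0x0C)    # UTF8String
                elif kind == OID_PKINIT_SAN:              # KRB5PrincipalName: realm first, then name parts
                    parts = strings_in(gn, 0x1B)          # GeneralString
                    san["krb"].append("/".join(parts[1:]) + "@" + parts[0])
    return ekus, san

def check_kdc_cert(cert_der, realm, eku_checking="kpKDC", kdc_hostname=None):
    """What kinit checks: EKU per pkinit_eku_checking, and krbtgt/REALM@REALM in a pkinit SAN
    (or a dNSName equal to pkinit_kdc_hostname); failing the second is 'KDC name mismatch'."""
    ekus, san = pkinit_names(cert_der)
    eku_ok = eku_checking == "none" or OID_KPKDC in ekus or (eku_checking == "kpServerAuth" and OID_SERVERAUTH in ekus)
    name_ok = f"krbtgt/{realm}@{realm}" in san["krb"] or (kdc_hostname is not None and kdc_hostname in san["dns"])
    return {"eku_ok": eku_ok, "name_ok": name_ok, "ekus": ekus, "san": san}

def check_client_cert(cert_der, principal):
    """What the KDC checks by default: a client-auth or smart-card-logon EKU and the principal in the SAN."""
    ekus, san = pkinit_names(cert_der)
    return {"eku_ok": OID_KPCLIENT in ekus or OID_SCLOGON in ekus,
            "name_ok": principal in san["krb"] or principal in san["upn"], "ekus": ekus, "san": san}

def build_extensions(ekus, dns=(), krb_principal=None, upn=None):
    """Constructed test input: a certificate Extensions block, not a real certificate."""
    names = [der(0x82, d.encode()) for d in dns]
    if krb_principal:
        name, realm = krb_principal.split("@")
        comps = der(0x30, b"".join(der(0x1B, c.encode()) for c in name.split("/")))
        pname = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, comps))    # name-type 2 = NT-SRV-INST
        krb = der(0x30, der(0xA0, der(0x1B, realm.encode())) + der(0xA1, pname))
        names.append(der(0xA0, der(0x06, encode_oid(OID_PKINIT_SAN)) + der(0xA0, krb)))
    if upn:
        names.append(der(0xA0, der(0x06, encode_oid(OID_UPN)) + der(0xA0, der(0x0C, upn.encode()))))
    ext_eku = der(0x30, der(0x06, encode_oid(OID_EKU)) + der(0x04, der(0x30, b"".join(der(0x06, encode_oid(o)) for o in ekus))))
    ext_san = der(0x30, der(0x06, encode_oid(OID_SAN)) + der(0x04, der(0x30, b"".join(names))))
    return der(0xA3, der(0x30, ext_eku + ext_san))
```

Against a real certificate, call it from a Python shell as check_kdc_cert(pem_to_der(open("kdc.pem").read()), "MYREALM", "kpServerAuth") with the KDC certificate exported from the KDC, or check_client_cert(pem_to_der(open("/root/kclientcert2.pem").read()), "user@MYREALM"). If the KDC certificate carries only a dNSName, the choices are to reissue it with the pkinit SAN or to set pkinit_kdc_hostname in the realm block to that name. For the embedded client, KRB5_TRACE=/dev/stderr kinit user@MYREALM shows whether the pkinit module was loaded at all; libkrb5 looks for dynamic modules under its compiled-in plugin directory (plugin_base_dir in [libdefaults]), not in /usr/lib, and a module can also be named explicitly with a [plugins] clpreauth = { module = pkinit:/path/to/pkinit.so } stanza.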

Related

Why is the certificate rejected despite being installed?

When accessing a URL in my LAN using the web browser, I get a certificate error message:
In Firefox:
Warning: Potential Security Risk Ahead
In Internet Explorer:
This site is not secure
I download the certificate and import it using Windows PowerShell as admin:
> certutil -addstore -enterprise -f "Root" .\certificate.pem
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Certificate" added to store.
CertUtil: -addstore command completed successfully.
The issue isn't solved.
If I ping the IP address, I get a response. However, if I telnet to the IP:port using PuTTY, I get a pop-up window with the following error message:
Remote side unexpectedly closed network connection
How can I get my computer to accept the certificate?

Red Hat Enterprise Linux 7 Kerberos client is returning localhost in the Kerberos trace when it should be the fully qualified domain name

We have a RHEL7 Mongo server configured for Kerberos authentication for Mongo connections. The Mongo instance starts successfully, which tells us the server principal keytab is defined correctly in AD and the KRB5_KTNAME value is correct. A kinit is successful for the ID that we want to authenticate with, telling us the user keytab is valid. However, when attempting to authenticate, "Kerberos server not found" is returned. Looking at the Kerberos trace, it's reporting "localhost" instead of the FQDN.
Mongo Support reviewed the DNS definitions and they are correct, so they referred us to Red Hat support. The relevant message in the trace is:
Getting credentials userid@DOMAIN -> mongodb/localhost@ using ccache FILE: filename (values changed to protect me)
Does anyone have an idea why localhost is in this message instead of the FQDN as it should be? Again, the DNS entries look to be correct. The "server not found" message is issued because localhost isn't defined in AD, of course.
Help is appreciated.
Problem solved. When executing the shell on the same host as the Mongo server, you must include the --hostname parameter and not let it default. Kerberos uses the hostname value when sending requests to the KDC.

WebSphere (wsadmin) Connect to remote Deployment Manager Profile password-less

I'm able to connect to a remote WAS 8.5.5 deployment manager profile after supplying the user/pass from my local WAS 8.5 install. Given below is a typical wsadmin command...
./wsadmin.sh \
-lang jython \
-conntype SOAP -host myRemoteWASHost -port 12345 \
-user wasAdminUser -password wasPassword
How can I connect to the remote host without a password, using the UserId and (xor) Password already populated in the remote WAS profile's soap.client.props file?
Put that user ID and password into soap.client.props in the profile from which you start the wsadmin tool. You may need to create a new dummy local profile so as not to clash with your local profile, if the profile from which you run wsadmin has a different username/password.
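As an added illustration of what the answer above puts into soap.client.props (example code, not IBM's): the password property is stored {xor}-obfuscated, which is base64 over the password bytes XORed with 0x5F, and the helper below writes the three properties the SOAP connector reads so wsadmin -conntype SOAP does not prompt. The property names com.ibm.SOAP.securityEnabled, com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword are taken from the SOAP connector; the user and password values are the placeholders from the question.

```python
"""Added example (not IBM code): WebSphere's {xor} obfuscation for passwords in soap.client.props,
and the properties wsadmin -conntype SOAP reads so that it does not prompt."""
import base64

XOR_KEY = 0x5F      # every byte is XORed with '_' and base64-encoded: obfuscation, not encryption

def xor_encode(password: str) -> str:
    obfuscated = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(obfuscated).decode("ascii")

def xor_decode(value: str) -> str:
    """The inverse; anyone able to read the file can do this, so file permissions are the real control."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")

def soap_client_props(user: str, password: str) -> str:
    """The three lines to set in <profile>/properties/soap.client.props (property names assumed
    from the SOAP connector; the password value matches what PropFilePasswordEncoder writes)."""
    return "\n".join([
        "com.ibm.SOAP.securityEnabled=true",
        f"com.ibm.SOAP.loginUserid={user}",
        f"com.ibm.SOAP.loginPassword={xor_encode(password)}",
        "",
    ])

if __name__ == "__main__":
    print(soap_client_props("wasAdminUser", "wasPassword"))   # placeholders from the question
```

Because {xor} is reversible by anyone who can read the file, the props file needs filesystem permissions limited to the account that runs wsadmin; it is a convenience against prompting, not a secret store.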

Why does the password become incorrect after generating a keytab in Kerberos?

In my Kerberos system:
Run kinit test and enter the password: succeeds.
Generate a keytab with kadmin.local -q "xst -k test.keytab test".
Run kinit test and enter the password: fails with
kinit: Password incorrect while getting initial credentials
Run kinit -k -t test.keytab test: succeeds.
Is this normal? If not, what are the possible reasons?
Thanks.
I found that the attribute krbLastPwdChange (a timestamp value) in Kerberos's database changed after I ran:
kadmin.local -q "xst -k test.keytab test"
whereas adding the option -norandkey just creates the keytab without changing the password:
kadmin.local -q "xst -norandkey -k test.keytab test"
I cannot find detailed documentation about kadmin xst.
This is by design. You cannot have both a password and a keytab in Kerberos. The reason is that if both were enabled and someone was able to pull a keytab on your behalf or was in possession of a copy of your keytab, they could masquerade as you and you would never know it. They would be able to generate a TGT via kinit.
By pulling a keytab, the password is invalidated, so if you then tried to log in with a password, you would get an error. And even if you didn't know exactly what was going on, if you reset your password, it would invalidate the keytab.
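An added way to see the rotation the answer describes (example code, not from the answer and not MIT krb5's own): parse the keytab kadmin writes and list the key version number per entry, which is what klist -kte prints. Each xst without -norandkey gives the principal a new random key, so the kvno in a freshly extracted keytab is one higher than in the previous one, and the KDC's current kvno (kadmin getprinc test) has to match an entry in the keytab for kinit -k to keep working. The keytab bytes in the demo are constructed with the builder in the block; the principal names, keys and timestamps are assumptions.

```python
"""Added example (not from the answer or from MIT krb5; standard library only): read a
keytab in MIT format 0x0502, the format kadmin xst writes, and list kvno per entry."""
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data: bytes):
    """Return one {principal, kvno, enctype, timestamp} dict per entry, like `klist -kte`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                                   # negative size: deleted entry, skip the hole
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2])
        p += 2
        strings = []
        for _ in range(ncomp + 1):                     # realm first, then the name components
            (ln,) = struct.unpack(">H", entry[p:p + 2])
            strings.append(entry[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        _name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4 + klen                                  # the key bytes themselves are not needed here
        kvno = vno8
        if p + 4 <= size:                              # optional 32-bit kvno, used when present and non-zero
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "timestamp": timestamp})
        pos += size
    return entries

def kvno_of(data: bytes, principal: str):
    """Highest kvno the keytab holds for a principal; compare with `kadmin getprinc` on the KDC."""
    return max((e["kvno"] for e in parse_keytab(data) if e["principal"] == principal), default=None)

def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, when: int) -> bytes:
    """Constructed entry for the demo, laid out the way parse_keytab reads it."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, when, kvno & 0xFF)  # name-type 1 = NT-PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(entries)

if __name__ == "__main__":
    # Constructed data: two extractions of test@EXAMPLE.COM, the second after xst rotated the key.
    demo = build_keytab([keytab_entry("test@EXAMPLE.COM", 2, 18, b"\x11" * 32, 1700000000),
                         keytab_entry("test@EXAMPLE.COM", 3, 18, b"\x22" * 32, 1700000100)])
    for e in parse_keytab(demo):
        print(e)
```

Run as python3 keytab_kvno.py on the constructed data, or call parse_keytab(open("test.keytab", "rb").read()) on a real file; a keytab whose highest kvno is below the one getprinc reports is the "Password incorrect"/stale-key situation from the other side, and -norandkey is only offered by kadmin.local, not by the networked kadmin.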
For one simple reason:
kinit tells you that the client has not been found in the database, right? By default, when kinit is invoked with a keytab it uses the default server principal to obtain a TGT. In your case that is host/<hostname>@REALM, but your keytab contains a key for the principal test@REALM.
I had this issue too until I asked the MIT Kerberos mailing list.

CentOS 6.4 / Samba4 standalone server using OpenLDAP backend

I have an OpenLDAP server (v2.4) running on CentOS 6.4. It works great! I'm using this OpenLDAP server as the authentication backend for several services like GitLab, Redmine, etc.
Now I want to set up another Samba standalone server and use the OpenLDAP server as the auth backend for the existing users in OpenLDAP. I tried with Samba v3.6.9, but after configuring the auth backend as ldapsam in smb.conf I can't log in using an LDAP account.
When I run
smbclient -L localhost -U%
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]
Sharename Type Comment
--------- ---- -------
allusers Disk All Users
IPC$ IPC IPC Service (Samba Server Version 3.6.9-151.el6_4.1)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]
Server Comment
--------- -------
VAGRANT-CENTOS64 Samba Server Version 3.6.9-151.el6_4.1
Workgroup Master
--------- -------
WORKGROUP MY_MACHINE
But when I log in with my test account:
smbclient -L localhost -U test
Enter test's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Here is my /etc/samba/smb.conf (printed out from testparm):
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
passdb backend = ldapsam:ldap://192.168.1.201/
log file = /var/log/samba/log.%m
max log size = 50
ldap admin dn = cn=Manager,dc=mycompany,dc=com
ldap passwd sync = yes
ldap suffix = dc=mycompany,dc=com
ldap ssl = no
ldap debug level = 1
idmap config * : backend = tdb
cups options = raw
On the Samba server, I use sssd to authenticate against OpenLDAP. From this Samba machine I can query users with the ldapsearch command. I can get user info with id LDAP_USER and ssh to this machine as any LDAP_USER with their password. Here is my /etc/sssd/sssd.conf:
[domain/mycompany.com]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.1.201:636
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = never
[sssd]
services = nss, pam
config_file_version = 2
domains = mycompany.com
On the OpenLDAP server, I use LDAP Account Manager to manage users/groups. I imported the Samba schema and checked that everything is OK in LAM. I also enabled the samba3 extension for some users in LDAP to test. I also opened ports 137, 138, 139 and 445 (TCP) on the Samba server.
So what should I do next?
I just want to reuse the users from the OpenLDAP server. I don't want to create any users from Samba. Please give me suggestions about this case.
Thank you!
You need to make sure Samba knows the password of the admin DN to bind to the LDAP server. This is done with
smbpasswd -w <secret>
before starting Samba.
Now, if that is done, do you have NTLM passwords created for your users? Samba checks the sambaNTPassword and sambaLMPassword attributes when performing authentication for the user. To change these attributes when a user changes their own password through LDAP, you need to use the smbk5pwd OpenLDAP overlay and set ldap passwd sync = only in smb.conf instead of ldap passwd sync = yes as you did.
I don't know if you solved the problem. In any case, if you install a Samba 4 standalone server using a remote LDAP server, you have to set the same SID as the domain server (it's not necessary to join it to the domain). Obviously, the command net setlocalsid <sid domain> won't work on a local machine. You have to modify the value in the LDAP tree, searching for the name of the NetBIOS machine... I recommend you use an LDAP browser for this purpose...
Good Luck