I have installed a Kerberos server.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
SNSPRJ.COM = {
kdc = kerberos.snsprj.com
admin_server = kerberos.snsprj.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.snsprj.com = SNSPRJ.COM
snsprj.com = SNSPRJ.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SNSPRJ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
On the Kerberos client, I use kinit xiaoxiao/admin@SNSPRJ.COM and it seems OK:
[root@bogon ~]# kinit xiaoxiao/admin@SNSPRJ.COM
Password for xiaoxiao/admin@SNSPRJ.COM:
[root@bogon ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: xiaoxiao/admin@SNSPRJ.COM
Valid starting       Expires              Service principal
08/24/2017 13:51:18  08/25/2017 13:51:17  krbtgt/SNSPRJ.COM@SNSPRJ.COM
[root@bogon ~]#
But when I use JAAS to authenticate against the Kerberos server, the following error occurs:
java.net.SocketTimeoutException: Receive timed out
I have tried telnet 192.168.1.196 88 and it's OK.
bogon:jaas0822 skh$ telnet 192.168.1.196 88
Trying 192.168.1.196...
Connected to bogon.
Escape character is '^]'.
JAAS Authentication: http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
My code:
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * This JaasAcn application attempts to authenticate a user
 * and reports whether or not the authentication was successful.
 *
 * Created by skh on 2017/8/22.
 */
public class JaasAcn {
    public static void main(String[] args) {
        String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
        System.setProperty("java.security.auth.login.config", path + "jaas.conf");
        // System.setProperty("java.security.krb5.conf", path + "krb5.conf");
        System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
        System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");
        System.setProperty("java.security.krb5.debug", "true");

        // Obtain a LoginContext, needed for authentication. Tell it
        // to use the LoginModule implementation specified by the
        // entry named "JaasSample" in the JAAS login configuration
        // file and to also use the specified CallbackHandler.
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
            // attempt authentication
            try {
                lc.login();
            } catch (LoginException le) {
                le.printStackTrace();
                System.err.println("Authentication failed:");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }
        } catch (LoginException le) {
            // a missing or unreadable jaas.conf entry ends up here; do not report success
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            System.exit(-1);
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
    }
}
Is something wrong? Can anyone help me? Thank you very much!
Solution: use TCP
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
# insert by xiaohb 20170824 start
udp_preference_limit = 1
# insert by xiaohb 20170824 end
Related
I have installed MIT KDC. I am enabling Kerberos using an existing MIT KDC from Ambari. While creating principals I am getting the error below.
Failed to create principal, trinitylocal-071819@HUB.LOCAL - Failed to create a service principal for trinitylocal-071819@HUB.LOCAL
STDOUT: Authenticating as principal admin/admin@HUB.LOCAL with existing credentials.
STDERR: WARNING: no policy specified for trinitylocal-071819@HUB.LOCAL; defaulting to no policy
add_principal: Insufficient access to lock the database while creating "trinitylocal-071819@HUB.LOCAL". Administration credentials NOT DESTROYED.
I am able to create principals using kadmin.local; the commands below also work. I am also able to log in with kinit admin/admin.
I have tried the klist command and I am able to log in.
Below are my krb5.conf and kdc.conf.
Below is my krb5.conf:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HUB.LOCAL
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HUB.LOCAL = {
admin_server = HOSTNAME
kdc = HOSTNAME
}
Below is my kdc.conf:
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Solved: it was an installation issue. I didn't give the proper REALM.
I am trying to use SASL between my Kafka broker and ZooKeeper. When I start the Kafka server with
KAFKA_OPTS="-Djava.security.auth.login.config=/home/kafka/kafka/config/kafka_server_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf" \
./kafka-server-start.sh ../config/server.properties
I get the following error:
INFO TGT refresh thread started. (org.apache.zookeeper.Login)
DEBUG Client principal is "kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM". (org.apache.zookeeper.Login)
DEBUG Server principal is "krbtgt/EIGENROUTE.COM@EIGENROUTE.COM". (org.apache.zookeeper.Login)
INFO TGT valid starting at: Sat Dec 16 00:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT expires: Sat Dec 16 10:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT refresh sleeping until: Sat Dec 16 08:55:41 EST 2017 (org.apache.zookeeper.Login)
INFO Opening socket connection to server devel-2.sjml.com/173.243.38.81:2181. Will attempt to SASL-authenticate using Login Context section 'Client' (org.apache.zookeeper.ClientCnxn)
DEBUG Closing ZkClient... (org.I0Itec.zkclient.ZkClient)
INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
DEBUG Closing ZooKeeper connected to zookeeper.eigenroute.com:2181 (org.I0Itec.zkclient.ZkConnection)
DEBUG Closing session: 0x0 (org.apache.zookeeper.ZooKeeper)
DEBUG Closing client for session: 0x0 (org.apache.zookeeper.ClientCnxn)
WARN Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG An exception was thrown while closing send thread for session 0x0 : Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG Ignoring exception during shutdown input (org.apache.zookeeper.ClientCnxnSocketNIO)
java.net.SocketException: Socket is not connected
My questions are: what is going on? And how do I fix this?
Below are my configuration files. The first is server.properties:
# server.properties
broker.id=0
delete.topic.enable=true
listeners=SASL_PLAINTEXT://kafka.eigenroute.com:9092
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafkabroker1
inter.broker.listener.name=SASL_PLAINTEXT
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafkabroker1
...
zookeeper.connect=zookeeper.eigenroute.com:2181
zookeeper.connection.timeout.ms=6000
Here is kafka_server_jaas.conf:
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
refreshKrb5Config=true
useKeyTab=true
storeKey=true
keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
principal="kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
refreshKrb5Config=true
useKeyTab=true
storeKey=true
keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
principal="kafkabroker1/kafka.eigenroute.com@EIGENROUTE.COM";
};
This is the zookeeper file in /etc/init.d:
#!/bin/bash
export ZOOCFGDIR="/etc/zookeeper/conf/"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf"
echo "$@"
/usr/share/java/zookeeper-3.4.10/bin/zkServer.sh "$@" /etc/zookeeper/conf/zoo.cfg
Here is my zookeeper configuration file zoo.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
I have enabled useTicketCache=true in the zookeeper.jaas file (does it belong there?):
Server {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
refreshKrb5Config=true
useKeyTab=true
keyTab="/home/kafka/keytabs/zookeeper.keytab"
storeKey=true
principal="zookeeper/zookeeper.eigenroute.com@EIGENROUTE.COM";
};
Finally, the keytab files are all readable:
$ ll /home/kafka/keytabs/
total 24
drwxr-xr-x 2 sjamal sjamal 4096 Dec 12 11:32 .
drwxr-xr-x 10 kafka kafka 4096 Dec 12 11:57 ..
-rw-r--r-- 1 root root 366 Dec 12 11:24 kafka_broker1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaconsumer1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaproducer1.keytab
-rw-r--r-- 1 root root 370 Dec 12 11:32 zookeeper.keytab
I have consulted the following resources:
apache-kafka-security-authorization-authentication-encryption.
Kafka SASL zookeeper authentication (this says to add the zookeeper.set.acl=true to server.properties, but this has no effect on the issue I am experiencing)
https://kafka.apache.org/documentation/#configuration (the official documentation, which could use improvement in some areas)
https://coheigea.blogspot.ca/2017/05/securing-apache-kafka-with-kerberos.html (a set of instructions that I initially started following)
Can someone suggest what the problem might be, and how to fix this? Thanks!
UPDATE: I ran netstat -tulnp | grep 2181 and ps aux | grep zookeeper; the output below shows that ZooKeeper is running and listening on port 2181:
root@devel-2:~# netstat -tulnp | grep 2181
tcp6 0 0 :::2181 :::* LISTEN 3366/java
root@devel-2:~# ps aux | grep zookeeper
root 3366 0.0 0.6 3474796 26000 ? Sl Dec16 1:43 java -Dzookeeper.log.dir=. -Dzookeeper.root.logger=INFO,CONSOLE -cp /usr/share/java/zookeeper-3.4.10/bin/../build/classes:/usr/share/java/zookeeper-3.4.10/bin/../build/lib/*.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-api-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/netty-3.10.5.Final.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/jline-0.9.94.jar:/usr/share/java/zookeeper-3.4.10/bin/../zookeeper-3.4.10.jar:/usr/share/java/zookeeper-3.4.10/bin/../src/java/lib/*.jar:/etc/zookeeper/conf/: -Dsun.security.krb5.debug=true -Dlog4j.configuration=file:/etc/zookeeper/conf/log4j.properties -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.local.only=false org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zookeeper/conf/zoo.cfg
UPDATE: The software versions are:
Kerberos 5 version 1.12.1
Zookeeper 3.4.10
Kafka 0.11.0.0
UPDATE: Below is the content of my /etc/krb5.conf file:
[libdefaults]
default_realm = EIGENROUTE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
EIGENROUTE.COM = {
kdc = krb.eigenroute.com
admin_server = krb.eigenroute.com
default_domain = eigenroute.com
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.eigenroute.com = EIGENROUTE.COM
eigenroute.com = EIGENROUTE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
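The directory listing in the question shows every keytab as mode -rw-r--r-- and owned by root, so any local account on that host can read the broker's and ZooKeeper's long-term keys. The following Python is an added example, not code from the question or from Kafka or ZooKeeper, that audits keytab ownership and mode; the listing it parses is constructed to mirror the one above, and the expected owner kafka is an assumption.

```python
"""Flag keytabs that are readable by anyone but the service that owns them. Added example,
not from the thread; the listing is constructed after the 'll' output in the question
(anyone who can read a keytab holds that service's long-term key)."""
import os
import re
import stat

_LS_LINE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")


def mode_from_string(perm):
    """'-rw-r--r--' -> 0o644 ('s'/'t' imply the x bit; 'S'/'T' do not)."""
    bits = 0
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def check(name, mode, owner, expected_owner):
    """Findings for one keytab: anything looser than 0600 owned by the service user."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"{name}: group can read/write it (mode {mode:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{name}: world-readable/writable (mode {mode:04o})")
    if owner != expected_owner:
        findings.append(f"{name}: owned by {owner}, expected {expected_owner}")
    return findings


def audit_listing(listing, expected_owner):
    """Run the checks over 'ls -l' output (what usually gets pasted into a ticket)."""
    findings = []
    for line in listing.splitlines():
        m = _LS_LINE.match(line.strip())
        if m and m.group(4).endswith(".keytab"):
            perm, owner, _group, name = m.groups()
            findings.extend(check(name, mode_from_string(perm), owner, expected_owner))
    return findings


def audit_directory(path, expected_owner):
    """Same checks against a live directory (Unix only: owner names come from pwd)."""
    import pwd
    findings = []
    for name in sorted(os.listdir(path)):
        if name.endswith(".keytab"):
            st = os.stat(os.path.join(path, name))
            owner = pwd.getpwuid(st.st_uid).pw_name
            findings.extend(check(name, stat.S_IMODE(st.st_mode), owner, expected_owner))
    return findings


# Constructed listing: two keytabs as in the question, one already locked down.
LISTING = """\
total 24
drwxr-xr-x  2 sjamal sjamal 4096 Dec 12 11:32 .
drwxr-xr-x 10 kafka  kafka  4096 Dec 12 11:57 ..
-rw-r--r--  1 root   root    366 Dec 12 11:24 kafka_broker1.keytab
-rw-r--r--  1 root   root    370 Dec 12 11:32 zookeeper.keytab
-rw-------  1 kafka  kafka   426 Dec 12 11:31 testkafkaconsumer1.keytab
"""

if __name__ == "__main__":
    print("\n".join(audit_listing(LISTING, "kafka")) or "all keytabs locked down")
```

Run audit_directory("/home/kafka/keytabs", "kafka") on the broker itself; a clean result is an empty list. The same 0600-and-owned-by-the-service rule applies to the ZooKeeper keytab, which the zookeeper process should own rather than kafka.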
Hello community, and first things first:
dovecot --version
2.2.9
dovecot -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-042stab125.5 x86_64 Ubuntu 14.04.5 LTS
auth_mechanisms = plain login
dict {
sqlquota = mysql:/etc/dovecot/dovecot-dict-sql.conf
}
listen = *,[::]
log_timestamp = "%Y-%m-%d %H:%M:%S "
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k
mail_fsync = always
mail_home = /var/vmail/%d/%n
mail_location = maildir:~/
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = quota acl
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
mmap_disable = yes
namespace {
list = yes
location = maildir:%%h/:INDEXPVT=~/Shared/%%u
prefix = Shared/%%u/
separator = /
subscriptions = yes
type = shared
}
namespace inbox {
inbox = yes
location =
mailbox Archiv {
special_use = \Archive
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Archives {
special_use = \Archive
}
mailbox "Deleted Messages" {
special_use = \Trash
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Entwürfe {
special_use = \Drafts
}
mailbox "Gelöschte Objekte" {
special_use = \Trash
}
mailbox Gesendet {
special_use = \Sent
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Papierkorb {
special_use = \Trash
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
plugin {
acl = vfile
acl_anyone = allow
acl_shared_dict = file:/var/vmail/shared-mailboxes.db
quota = dict:User quota::proxy::sqlquota
quota_rule2 = Trash:storage=+100%%
sieve = /var/vmail/sieve/%u.sieve
sieve_after = /var/vmail/sieve/global.sieve
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 0
}
protocols = imap sieve lmtp pop3
service auth {
unix_listener /var/spool/postfix/private/auth_dovecot {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
mode = 0600
user = vmail
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = root
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
process_min_avail = 2
service_count = 1
vsz_limit = 128 M
}
service managesieve {
process_limit = 256
}
ssl_cert = </etc/ssl/mail/mail.crt
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/mail/mail.key
ssl_protocols = !SSLv3 !SSLv2
userdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
protocol imap {
mail_plugins = quota imap_quota imap_acl acl
}
protocol lmtp {
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = quota sieve acl
postmaster_address = postmaster@domain1.com
}
protocol sieve {
managesieve_logout_format = bytes=%i/%o
}
remote 127.0.0.1 {
disable_plaintext_auth = no
}
Mail.err
Nov 13 23:59:06 webdev dovecot: auth: Error: PLAIN(account@domain2.com, XXX.XXX.XXX.XXX,<y869CoDETEST4dHk>): Request 29154.1 timed out after 150 secs, state=1
Mail.log
Nov 13 23:27:54 webdev dovecot: auth: Error: LOGIN(account@domain1.com,IP.IP.IP.IP,<oN4ly+TestDZ6dHk>): Request 28118.1 timed out after 150 secs, state=1
Nov 13 23:27:57 webdev dovecot: auth: Error: PLAIN( account@domain2.com,XXX.XXX.XXX.XXX,<FAxKe+JaatES7tHk>): Request 28120.1 timed out after 150 secs, state=1
Nov 13 23:28:24 webdev dovecot: imap-login: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=LOGIN, rip=ClientIP, lip=ServerIP, TLS: Disconnected, TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[...]
Nov 13 23:47:15 webdev dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=84.119.151.17, lip=62.75.185.32
I did not change anything in my client or server-side setup, and I suddenly could not reach the mail server anymore. Obviously I can reach the server using SSH or HTTP.
I hope I have provided all the info you need to help me in this situation. I am grateful for every hint to solve this, as I don't even have a clue what to look for.
The error messages are talking about a timeout on the authentication, and the config shows that the authentication is using a MySQL database. For this reason I would check if the MySQL process is still up, or restart the service (if it's running as a service, which is probably the case).
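As an added detection example, not part of the question or the answer above, the following Python parses the auth timeout lines from mail.log into structured events and reports when a burst of identical timeouts across different users and mechanisms points at the passdb backend (here the SQL lookup) hanging, rather than at individual clients. The log sample is constructed from the lines quoted in the question; the year 2017 and the three-events-per-hour threshold are assumptions.

```python
"""Turn dovecot 'auth: Error: ... timed out' lines into events and decide whether they
point at a stalled auth backend. Added detection example, not from the thread; the log
sample is constructed after the lines quoted in the question (year is assumed)."""
import re
from collections import Counter
from datetime import datetime

_TIMEOUT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: auth: Error: "
    r"(?P<mech>\w+)\(\s*(?P<user>[^,]*),\s*(?P<rip>[^,]*),<[^>]*>\): "
    r"Request (?P<req>\S+) timed out after (?P<secs>\d+) secs, state=(?P<state>\d+)")


def parse_auth_timeouts(lines, year):
    """One dict per auth timeout line; imap-login and other lines are ignored."""
    events = []
    for line in lines:
        m = _TIMEOUT.match(line)
        if m:
            events.append({
                "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "mech": m["mech"], "user": m["user"].strip(), "rip": m["rip"],
                "request": m["req"], "secs": int(m["secs"])})
    return events


def diagnose(events, min_events=3, window_secs=3600):
    """A burst of identical auth timeouts across different users and mechanisms means the
    passdb lookup itself is hanging (here: the SQL server), not a single client."""
    events = sorted(events, key=lambda e: e["time"])
    for i in range(len(events) - min_events + 1):
        burst = events[i:i + min_events]
        if (burst[-1]["time"] - burst[0]["time"]).total_seconds() <= window_secs:
            return {"first": burst[0]["time"], "count": len(events),
                    "distinct_users": len({e["user"] for e in events}),
                    "mechanisms": dict(Counter(e["mech"] for e in events)),
                    "timeout_secs": sorted({e["secs"] for e in events})}
    return None


# Constructed sample modelled on the mail.log excerpt in the question.
SAMPLE_LOG = """\
Nov 13 23:27:54 webdev dovecot: auth: Error: LOGIN(account@domain1.com,IP.IP.IP.IP,<oN4ly+TestDZ6dHk>): Request 28118.1 timed out after 150 secs, state=1
Nov 13 23:27:57 webdev dovecot: auth: Error: PLAIN( account@domain2.com,XXX.XXX.XXX.XXX,<FAxKe+JaatES7tHk>): Request 28120.1 timed out after 150 secs, state=1
Nov 13 23:28:24 webdev dovecot: imap-login: Disconnected: Inactivity during authentication (disconnected while authenticating, waited 180 secs): user=<>, method=LOGIN, rip=ClientIP, lip=ServerIP
Nov 13 23:47:15 webdev dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=ClientIP, lip=ServerIP
Nov 13 23:59:06 webdev dovecot: auth: Error: PLAIN(account@domain2.com, XXX.XXX.XXX.XXX,<y869CoDETEST4dHk>): Request 29154.1 timed out after 150 secs, state=1
""".splitlines()


def demo():
    """Events and verdict for the constructed sample (year assumed to be 2017)."""
    events = parse_auth_timeouts(SAMPLE_LOG, year=2017)
    return events, diagnose(events)


if __name__ == "__main__":
    print(demo()[1])
```

The tell-tale is the identical 150-second figure on every request: that is the auth process giving up on its passdb, which is why checking the database server, as the answer suggests, comes before looking at clients.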
I'm having some trouble getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems it is using the kadm5.acl file, but isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
kadmin can connect to the KDC server correctly, and DNS lookup and reverse DNS are working as well.
My krb5.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and $ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as adding a principal or getting the list of principals, I get:
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where the problem is in my configuration.
I even tried to get a ticket before using the kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@HADOOP.COM
Valid starting     Expires            Service principal
05/21/14 10:13:34  05/21/14 13:13:34  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/22/14 10:13:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thanks a lot for your help on that :)
Try editing /var/kerberos/krb5kdc/kadm5.acl with
*/admin@HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart
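To show what that ACL line grants, and why listprincs needs the separate list privilege that the getprivs output above does not report, here is an added Python model of kadm5.acl evaluation; it is not MIT's code and not from this thread. It matches principal patterns component by component, expands * and x to every privilege except key extraction, treats an uppercase letter as a denial, and lets the first matching entry decide. The ACL text is constructed, and the audit/admin and helpdesk entries are hypothetical. As the answer notes, kadmind reads the file when it starts, so a check like this reflects the file, not necessarily the running daemon.

```python
"""Model of kadm5.acl evaluation: which privilege letters a principal ends up with.
Added example with simplified MIT semantics (per-component wildcards, first matching
entry decides); the ACL text below is constructed."""
import fnmatch

# kadm5.acl permission letters; an uppercase letter removes the same operation.
PRIV_NAMES = {"a": "add", "c": "changepw", "d": "delete", "e": "extract", "i": "inquire",
              "l": "list", "m": "modify", "p": "propagate", "s": "setkey"}
ALL_BUT_EXTRACT = "acdilmps"  # what 'x' and '*' expand to


def split_principal(name):
    """'kadmin/admin@HADOOP.COM' -> (['kadmin', 'admin'], 'HADOOP.COM')."""
    if "@" not in name:
        raise ValueError(f"principal {name!r} has no realm")
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def principal_matches(pattern, principal):
    """'*' and '?' match within one component only, so */admin@R needs exactly two
    components and never matches a plain user@R."""
    pat_parts, pat_realm = split_principal(pattern)
    parts, realm = split_principal(principal)
    if len(pat_parts) != len(parts):
        return False
    return all(fnmatch.fnmatchcase(p, q)
               for p, q in zip(parts + [realm], pat_parts + [pat_realm]))


def parse_acl(text):
    """[(pattern, allowed, denied, extra_fields)] for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {line!r}")
        allowed, denied = set(), set()
        for ch in fields[1]:
            if ch in "x*":
                allowed.update(ALL_BUT_EXTRACT)
            elif ch.lower() in PRIV_NAMES:
                (denied if ch.isupper() else allowed).add(ch.lower())
            else:
                raise ValueError(f"unknown permission {ch!r} in {line!r}")
        # target principal and restriction fields are kept but not evaluated here
        entries.append((fields[0], allowed, denied, fields[2:]))
    return entries


def privileges(acl_text, principal):
    """Effective privilege letters; an empty set means every operation is refused."""
    for pattern, allowed, denied, _extra in parse_acl(acl_text):
        if principal_matches(pattern, principal):
            return allowed - denied
    return set()


def can(acl_text, principal, op):
    return op in privileges(acl_text, principal)


# Constructed ACL: the thread's wildcard admin entry plus two least-privilege entries
# (hypothetical principals). The explicit deny must precede the wildcard it overrides.
ACL = """\
audit/admin@HADOOP.COM  xL
*/admin@HADOOP.COM      *
helpdesk@HADOOP.COM     ci
"""

if __name__ == "__main__":
    for who in ("kadmin/admin@HADOOP.COM", "audit/admin@HADOOP.COM", "helpdesk@HADOOP.COM"):
        print(who, sorted(PRIV_NAMES[p] for p in privileges(ACL, who)))
```

With this file, kadmin/admin@HADOOP.COM gets list and can run listprincs, while helpdesk@HADOOP.COM can change passwords and inquire but not list, add or delete; that is the shape to aim for once the * entry has served its purpose during setup.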
I'm trying to get the krb5 file to run so that I can set up AD login for my box. When I run a kinit command I get an error stating that
"Improper format of Kerberos configuration file while initializing Kerberos 5 library"
I'm relatively new to setting up AD on a Linux box, so I'm unsure about the proper syntax for this configuration file.
Anything with a * is the local domain, which I've just commented out, so it's BOXNAME.SOMETHING.LOCAL.
BOXNAME is just the name of the box in the configuration file.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_relam = BOXNAME.*****
[realms]
nwcvco01.***** {
kdc = [IPADDRESS]
default_domain = BOXNAME.*****
}
[domain_realm]
.***** = BOXNAME.*****
***** = BOXNAME.*****
default_realm is spelled incorrectly as default_relam.
Kerberos is not very tolerant of errors in krb5.conf.
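Three of the threads above come down to what is in krb5.conf or kdc.conf: the JAAS timeout fixed by udp_preference_limit = 1, the Ambari failure where kdc.conf defined EXAMPLE.COM while krb5.conf used HUB.LOCAL, and this last one with default_relam and a realm block missing its '='. The following Python is an added example, not from any of the threads and not MIT code: a small parser for the krb5.conf syntax and a linter that reports those three problems plus weak enctypes such as the DES and arcfour entries in the kdc.conf files above. The sample configs are constructed; the list of known libdefaults keys is a subset chosen here and the weak-enctype markers are likewise a selection.

```python
"""Parse MIT krb5.conf / kdc.conf and lint for the failure modes seen in these threads
(added example, not from the threads; the sample configs at the bottom are constructed)."""
import difflib
import re

_SECTION = re.compile(r"^\[(\w+)\]$")
_ASSIGN = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")
_BAD_BLOCK = re.compile(r"^([^\s=]+)\s*\{$")  # 'REALM {' without the '=' krb5 requires
# Subset of the [libdefaults] keys MIT accepts, used for the "did you mean" check.
KNOWN_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc", "ticket_lifetime",
                     "renew_lifetime", "forwardable", "proxiable", "rdns", "default_ccache_name",
                     "udp_preference_limit", "default_tgs_enctypes", "default_tkt_enctypes",
                     "permitted_enctypes", "allow_weak_crypto"}
# Single DES is gone from current MIT releases; RC4 and 3DES are deprecated.
WEAK_MARKERS = ("des-cbc", "des-hmac", "des:", "des3", "arcfour", "rc4")
ENCTYPE_KEYS = {"supported_enctypes", "default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "master_key_type"}


def parse_krb5(text):
    """Return (config, errors); '{ }' blocks nest as dicts, repeated keys become lists."""
    config, errors, stack = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue  # comments and include directives are not validated here
        if m := _SECTION.match(line):
            stack = [config.setdefault(m.group(1), {})]
        elif not stack:
            errors.append(f"line {lineno}: '{line}' before any [section]")
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
            else:
                errors.append(f"line {lineno}: unmatched '}}'")
        elif m := _ASSIGN.match(line):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            elif key in stack[-1]:
                prev = stack[-1][key]
                stack[-1][key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                stack[-1][key] = value
        elif m := _BAD_BLOCK.match(line):
            errors.append(f"line {lineno}: '{line}' opens a block without '=' "
                          f"(expected '{m.group(1)} = {{')")
            stack.append({})  # keep nesting balanced so the closing '}' still pops
        else:
            errors.append(f"line {lineno}: cannot parse '{line}'")
    if len(stack) > 1:
        errors.append("unterminated '{' block at end of file")
    return config, errors


def lint(krb5, kdc=None):
    """Findings: misspelled keys, UDP-first KDC traffic, weak enctypes, realm mismatch."""
    findings, lib = [], krb5.get("libdefaults", {})
    for key in lib:
        guess = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1, cutoff=0.8)
        if key not in KNOWN_LIBDEFAULTS and guess:
            findings.append(f"libdefaults: unknown key '{key}', did you mean '{guess[0]}'?")
    realm = lib.get("default_realm")
    if realm is None:
        findings.append("libdefaults: default_realm is not set")
    if int(lib.get("udp_preference_limit", 1465)) > 1:  # 1465 is MIT's default
        findings.append("libdefaults: KDC requests try UDP first; "
                        "set udp_preference_limit = 1 to use TCP only")
    kdc_realms = (kdc or {}).get("realms", {})
    blocks = [("libdefaults", lib)] + [(f"realms/{r}", b) for r, b in kdc_realms.items()
                                       if isinstance(b, dict)]
    for where, block in blocks:
        for key in sorted(ENCTYPE_KEYS & set(block)):
            bad = [e for e in str(block[key]).split() if any(w in e for w in WEAK_MARKERS)]
            if bad:
                findings.append(f"{where}/{key} allows weak enctypes: {' '.join(bad)}")
    if kdc is not None and realm is not None and realm not in kdc_realms:
        findings.append(f"kdc.conf: [realms] defines {sorted(kdc_realms)} "
                        f"but default_realm is {realm}")
    return findings


# Constructed samples: the last question's krb5.conf with its two defects, and a pair
# modelled on the first and Ambari threads (UDP first, weak enctypes, realm mismatch).
SAMPLE_TYPO = """[libdefaults]
 dns_lookup_realm = false
 default_relam = BOXNAME.SOMETHING.LOCAL
[realms]
 nwcvco01.SOMETHING.LOCAL {
  kdc = [IPADDRESS]
 }"""
SAMPLE_KRB5 = "[libdefaults]\n default_realm = SNSPRJ.COM\n rdns = false\n"
SAMPLE_KDC = ("[realms]\n EXAMPLE.COM = {\n"
              "  supported_enctypes = aes256-cts:normal arcfour-hmac:normal des-cbc-md5:normal\n }\n")


def demo():
    typo_cfg, typo_errors = parse_krb5(SAMPLE_TYPO)
    krb5, _ = parse_krb5(SAMPLE_KRB5)
    kdc, _ = parse_krb5(SAMPLE_KDC)
    return typo_errors, lint(typo_cfg), lint(krb5, kdc)
```

Point lint at parse_krb5(open("/etc/krb5.conf").read())[0] and the kdc.conf of the same realm; a clean pair returns no findings. Because MIT's own parser rejects the whole file on a syntax slip, the parse errors are the ones to clear first.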