August 18, 2010 at 2:22 am #42594
I’m trying to configure my Ubuntu servers to use zeroshell for authenticating usernames and passwords when someone tries to log in. I think I’ve installed and configured all the necessary packages on my first server to get this to work. If you want details of my process, I followed the Ubuntu instructions here for client installation (sections 5-5.1.3, though after it didn’t work I went back to the default pam configuration). The only change (besides example.com) was that I ran “sudo passwd” and logged in as root to do all the work.
When I run the commands, “getent passwd” and “getent group”, they return users and groups from my zeroshell, but I cannot log on with anything other than my root account. I cannot even log in with the local account that Ubuntu had me set up when installing everything (tried ssh and console login). Using “su -” works for any account, but only when I am root. When I try the command kinit (as suggested for failed setups by the instructions) I get the response “kinit: Cannot contact any KDC for realm ‘MYFREENAME.DYNDNS.ORG’ while getting initial credentials”.
I ran a port scan on zeroshell, and it found open ports 21, 22, 53, 80, 110, 389, 443, 636, 749, and 1194. The list includes kerberos-adm, but not kerberos. I suspect the problem is somehow related, but I don’t really know what I’m doing here. Does zeroshell even support authenticating my Ubuntu logins? Is there anything special in zeroshell’s kerberos configuration to enable this?
Here is an excerpt from auth.log for a failed login:
Aug 17 19:30:49 file-server sshd: pam_krb5(sshd:auth): authentication failure; logname=jbo5112 uid=0 euid=0 tty=ssh ruser= rhost=localhost
Aug 17 19:30:49 file-server sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=jbo5112
Aug 17 19:30:49 file-server sshd: pam_winbind(sshd:auth): getting password (0x00000388)
Aug 17 19:30:49 file-server sshd: pam_winbind(sshd:auth): pam_get_item returned a password
Aug 17 19:30:49 file-server sshd: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Aug 17 19:30:49 file-server sshd: pam_ldap: error trying to bind as user "uid=jbo5112,ou=People,dc=myfreename,dc=dyndns,dc=org" (Invalid credentials)
I’ll post relevant configuration files if anyone requests them, but I don’t want to post a bunch of useless data.
August 27, 2010 at 5:07 pm #50941
Ubuntu has several kerberos zones preconfigured for MIT and Stanford. I commented them out, even though no instructions ever mention this.
Ubuntu Server 10.04 wasn’t running software to synchronize the time, which had drifted nearly 58 seconds, so I set that up. I hadn’t gotten an error related to this, which I’ve seen other posts mention, but it would eventually be a problem.
I neglected to configure reverse DNS in zeroshell, so I set that up for no real reason other than professionalism. Now it works. I’m guessing it was the DNS, but after all the fruitless labor, I don’t really care.
February 2, 2011 at 3:38 am #50942
It appears the kerberos server has stability problems. I ran into this again and restarting the service fixed the issue.
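Pulling the first two posts together, the things that actually decide whether kinit can reach a KDC are: the realm layout in /etc/krb5.conf (the stock Ubuntu file ships stanzas for ATHENA.MIT.EDU and others alongside your own), whether anything answers on port 88 (kerberos-adm on 749 is kadmind and is never used by kinit), and clock skew against the KDC (MIT krb5 rejects requests beyond a 300 s default). The script below is an added example for running those checks offline against captured inputs; it is not code from the thread or from Zeroshell. The krb5.conf text and the scan results are constructed to mirror the posts, and the KDC hostname zeroshell.myfreename.dyndns.org is an assumption. One caveat the thread does not state: MIT kinit tries 88/udp before 88/tcp, so a TCP-only scan that lists 749 but not 88 is not proof that the KDC is down, and the port check says so rather than guessing.

```python
"""Offline sanity checks for a client that fails with
"kinit: Cannot contact any KDC for realm ...".
Added example, not from the thread or from Zeroshell; inputs are constructed."""
import re

KRB5_KDC_PORT = 88        # KDC listens on 88/udp and 88/tcp
KRB5_KADMIN_PORT = 749    # kadmind only: proves nothing about the KDC
DEFAULT_CLOCKSKEW = 300   # MIT krb5 'clockskew' default, seconds

# Constructed krb5.conf: the realm from the thread plus one stock Ubuntu stanza.
# The kdc hostname is an assumption.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYFREENAME.DYNDNS.ORG
    dns_lookup_kdc = false

[realms]
    MYFREENAME.DYNDNS.ORG = {
        kdc = zeroshell.myfreename.dyndns.org
        admin_server = zeroshell.myfreename.dyndns.org
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        admin_server = kerberos.mit.edu
    }
"""
# TCP ports the first post saw open on the Zeroshell box (no UDP scan was done).
SCANNED_TCP_PORTS = [21, 22, 53, 80, 110, 389, 443, 636, 749, 1194]


def parse_krb5_conf(text):
    """Return (default_realm, {REALM: [kdc entries]}) from krb5.conf text.
    Only [libdefaults] and [realms] are read; '#' comments are stripped."""
    default_realm, realms, section, current = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section, current = m.group(1), None
            continue
        key, _, value = line.partition('=')
        if section == 'libdefaults' and key.strip() == 'default_realm':
            default_realm = value.strip()
        elif section == 'realms':
            if line.endswith('{'):            # "REALM = {" opens a stanza
                current = key.strip()
                realms[current] = []
            elif line == '}':
                current = None
            elif current is not None and key.strip() == 'kdc':
                realms[current].append(value.strip())
    return default_realm, realms


def check_realm(default_realm, realms):
    """Return (fatal problems, stanzas for realms other than the default).
    Extra stanzas do not stop kinit; a missing or empty default realm does."""
    problems = []
    if default_realm is None:
        problems.append('no default_realm in [libdefaults]')
    elif default_realm not in realms:
        problems.append(f'{default_realm} has no [realms] stanza; only dns_lookup_kdc could find it')
    elif not realms[default_realm]:
        problems.append(f'{default_realm} stanza lists no kdc')
    if default_realm and default_realm != default_realm.upper():
        problems.append('realm names are case-sensitive and conventionally upper-case')
    stale = sorted(r for r in realms if r != default_realm)
    return problems, stale


def check_kdc_ports(open_tcp, open_udp=None):
    """Interpret a port scan of the KDC host. open_udp=None means UDP was not scanned."""
    if KRB5_KDC_PORT in open_tcp or (open_udp and KRB5_KDC_PORT in open_udp):
        return 'kdc reachable'
    if open_udp is None:
        return 'kdc not seen on tcp; scan udp/88 before concluding it is down'
    if KRB5_KADMIN_PORT in open_tcp:
        return 'kadmind up (749) but nothing on 88: start or repair the KDC'
    return 'no kerberos service found'


def clock_skew_ok(client_epoch, kdc_epoch, max_skew=DEFAULT_CLOCKSKEW):
    """True when |client - kdc| is within the KDC's tolerance (epoch seconds)."""
    return abs(client_epoch - kdc_epoch) <= max_skew


def diagnose(conf_text, open_tcp, open_udp, client_epoch, kdc_epoch):
    """Run every check and return the findings as a list of strings."""
    default_realm, realms = parse_krb5_conf(conf_text)
    problems, stale = check_realm(default_realm, realms)
    findings = list(problems)
    if stale:
        findings.append('unused realm stanzas (harmless, but noise): ' + ', '.join(stale))
    findings.append(check_kdc_ports(open_tcp, open_udp))
    if not clock_skew_ok(client_epoch, kdc_epoch):
        findings.append(f'clock skew exceeds {DEFAULT_CLOCKSKEW} s: the KDC will reject requests')
    return findings


if __name__ == '__main__':
    now = 1282073449                      # constructed client time (epoch seconds)
    for line in diagnose(SAMPLE_KRB5_CONF, SCANNED_TCP_PORTS, None, now, now + 58):
        print('-', line)
```

The 58 s drift from the second post passes the skew check, which is why no skew error showed up, but it is a fifth of the budget on a box with no time sync; the realm and port findings are the ones that explain the kinit error. Feed it a real /etc/krb5.conf and the output of a scan that includes UDP to get an answer instead of "inconclusive".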