Re: kadmin problem

To: <misc@...>
Date: Monday, February 26, 2007 - 6:19 pm

RJ45 wrote:

a bit more info could help here! it looks as if you're unable to contact
the kdc probably because of either a missing krb5.conf or some
DNS-related issues.

- what are you actually trying to do?
    login to remote-host using ssh-gssapi authentication?
    setting up krb for some other app e.g. openafs?
- what is your setup?
    krb5.conf
    do you have a keytab already set up?
    are you in the same NW - i.e. no NAT hiding in the way?
- can you do a kinit successfully?
- what is in your credentials cache afterwards?
    klist -v

e.g. in my heimdal config, i would launch kadmin as follows, assuming a
compatible krb5.conf:

kadmin -p admin/krb -r MUSE.NET.NZ
i could add -a if my krb5.conf or DNS doesn't allow kadmin
to identify it indirectly

if you just want to krb-ssh to a remote host, then you don't need to set
up a keytab on the client side - just a krb5.conf should be enough.

but if you need to add a new host (i.e. one supporting a krb-dependent
service such as ktelnet or whatever) then you need:

## use same /etc/kerberosV/krb5.conf
sudo kadmin -p admin/krb@MUSE.NET.NZ
add --random-key host/newhost.muse.net.nz
ext --keytab=/etc/kerberosV/krb5.keytab host/newhost.muse.net.nz
exit
chmod 0400 /etc/kerberosV/krb5.keytab

& that works just fine.

kerberised ssh is possible if you enable it in the ssh_config (client
side) and sshd_config (server side). the options you need to change
(from memory!) are on sshd_config:

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

& for ssh_config:

# GSSAPIAuthentication no
GSSAPIAuthentication yes
# GSSAPIDelegateCredentials no
GSSAPIDelegateCredentials yes

a+
scorch
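
Added example, not part of the message above: a small sh script that reports which value sshd would use for the Kerberos/GSSAPI keywords discussed (sshd keeps the first value it obtains for each keyword) and checks that a keytab has no group or other permission bits. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): effective sshd_config values
# for yes/no keywords, plus a keytab permission check.

# sshd uses the first uncommented value it reads for a keyword; keywords are
# case-insensitive. Only the global section (before any Match) is examined.
effective_opt() {   # effective_opt FILE KEYWORD -> prints the value, if any
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

check_opt() {       # check_opt FILE KEYWORD -> 0 only if the value is "yes"
    val=$(effective_opt "$1" "$2")
    case "$val" in
        yes) echo "$2: yes"; return 0 ;;
        no)  echo "$2: no"; return 1 ;;
        "")  echo "$2: not set, built-in default applies"; return 1 ;;
        *)   echo "$2: unexpected value '$val'"; return 2 ;;
    esac
}

# The keytab holds the host's long-term key, hence the chmod 0400 above.
keytab_mode_ok() {  # keytab_mode_ok FILE -> 0 if no group/other bits are set
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: a mistyped value, and a "yes" shadowed by an earlier "no".
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#KerberosAuthentication no
KerberosAuthentication yse
GSSAPIAuthentication no
GSSAPIAuthentication yes
EOF
for k in KerberosAuthentication GSSAPIAuthentication GSSAPICleanupCredentials; do
    check_opt "$sample" "$k" || :
done
```

On a real host, point check_opt at the sshd_config in use and keytab_mode_ok at /etc/kerberosV/krb5.keytab.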


Messages in current thread:
kadmin problem, RJ45, (Mon Feb 26, 4:52 pm)
Re: kadmin problem, , (Mon Feb 26, 6:19 pm)
Re: kadmin problem, RJ45, (Tue Feb 27, 5:37 am)
Re: kadmin problem, Bob Beck, (Tue Feb 27, 11:42 am)
Re: kadmin problem, Darren Spruell, (Tue Feb 27, 11:05 am)
Re: kadmin problem, Jacob Yocom-Piatt, (Mon Feb 26, 5:18 pm)