AIX 5.3 and GSSAPI

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I've spent the last few days playing with GSSAPI auth on an AIX 5.3
server (4.1P1) with no success, I've already got this running perfectly
using on a linux testbed system using our AD as KDC using Windows 2000
with Putty (0.56b2 GSSAPI) as a client terminal. The AIX system is
correctly allowing users to authorise against KRB5A but the GSSAPI
single sign on from a client never seems to work.

The debug log from SSHD fails during gssapi-with-mic as follows:

debug1: userauth-request for user ianclark service ssh-connection method
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method gssapi-with-mic
debug3: mm_request_send entering: type 37
debug3: mm_request_receive_expect entering: type 38
debug3: monitor_read: checking request 37
debug3: mm_request_receive entering
debug1: Miscellaneous failure
No principal in keytab matches desired name

debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering

We have created a host principle and installed it in the krb5 keytab as
per normal, SSHD doesn't need a service principle ?, but what principle
is SSHD looking for and what name ? Gssapi-with-mic is clearly being
attempted, with this error, putty returns an unable to initialise gssapi
context, yet connects to the Linux system immediately.

I'm a little confused, because our linux test worked within minutes of
configuration, any ideas ?

Re: AIX 5.3 and GSSAPI

Quoted text here. Click to load it

The word is "principal."

Quoted text here. Click to load it

Yes, it does, as does any kerberized service.  In this case, the service
principal *is* the host principal (as opposed to one referring
specifically to a protocol, e.g. imap/<fqdn>@REALM).

Quoted text here. Click to load it


Possible problems:

- The host may not have the right fqdn.  Check the result of

- Properties of the key may be incorrect with respect to the copy in the
  kdb.  Most common are the key version number (kvno) and key type.  This
  is very easy to get wrong when using a Windows KDC directly, since the
  tool ktpass.exe is misleading and buggy.

  Richard Silverman

Site Timeline