
I would like to get some help to clear up my thoughts on Kerberos authentication. I am confused by the Kerberos authentication flow.

I have three nodes in my system.

  1. (PS) Physical server (neither krb5-workstation nor krb5-lib are installed)
  2. (KC) KDC client (configured with this)
  3. (KS) KDC server (configured with this)

On KC, I have GSSAPIAuthentication enabled for sshd.

    # GSSAPI options
    GSSAPIAuthentication yes

However, I was expecting to log in from PS to KC via ssh without any password prompt, but instead I get the error below on PS.

    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available (default cache: KEYRING:persistent:1000)

My question is:

Am I missing a configuration, or is Kerberos authentication not available for a non-KDC client (PS)?

Yu Watanabe

1 Answer

The client ssh user must have a valid credential cache in order to use GSSAPIAuthentication. This is either done as part of the login process, pam_krb5 / pam_sss (auth_provider = krb5), or by kinit (part of krb5-workstation).

Some minimal configuration is usually necessary, if only to tell a kerberos client to use DNS to locate KDCs and domain_realm mappings.

84104
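
A preflight check for the client-side requirements named in the answer above, as an added example that is not part of the original post: it reports whether the Kerberos client tools are present, whether the credential cache holds a valid ticket (`klist -s`), and whether the ssh client would offer GSSAPI to the target host (`ssh -G`). The function name, the `KLIST`/`SSH` override variables and the result strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: run on the host you ssh FROM (PS in the question).
# KLIST and SSH default to the real tools; they are overridable only so the
# check can be exercised without a live KDC (assumption of this example).
: "${KLIST:=klist}" "${SSH:=ssh}"

# Prints one of: no-krb5-tools | no-ticket | client-gssapi-off | ready
gssapi_preflight() {
    host=$1

    # 1. kinit/klist come from the Kerberos client package (krb5-workstation).
    if ! command -v "$KLIST" >/dev/null 2>&1; then
        echo "hint: install the Kerberos client tools (krb5-workstation)" >&2
        echo "no-krb5-tools"; return 1
    fi

    # 2. 'klist -s' is silent and exits non-zero when the default credential
    #    cache is missing or holds only expired tickets.
    if ! "$KLIST" -s >/dev/null 2>&1; then
        echo "hint: run kinit, or log in through pam_krb5 / pam_sss" >&2
        echo "no-ticket"; return 2
    fi

    # 3. 'ssh -G' prints the effective client configuration for the host,
    #    one lower-case "option value" pair per line.
    setting=$("$SSH" -G "$host" 2>/dev/null |
              awk '$1 == "gssapiauthentication" { print $2 }')
    if [ "$setting" != "yes" ]; then
        echo "hint: set GSSAPIAuthentication yes in ssh_config," \
             "or pass -o GSSAPIAuthentication=yes" >&2
        echo "client-gssapi-off"; return 3
    fi

    echo "ready"
}

# Stand-alone use: sh preflight.sh <target-host>
if [ "$#" -gt 0 ]; then
    gssapi_preflight "$1"
fi
```

A `ready` result only covers the client side; the server (KC) still needs `GSSAPIAuthentication yes` in sshd and a host keytab.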