Univention Bugzilla – Bug 30314
ssh kerberos authentication fails if ucc client was joined without a pre-existing udm object
Last modified: 2023-06-28 10:33:27 CEST
UCS Master with ucc-integration and one ucc client (thinclient image). The client was joined without a pre-existing udm computer object. Ssh kerberos login to this client is not possible. (If I join a client with an existing udm computer object the ssh kerberos login works fine.)

kdc.log on the ucs master:

2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [canonicalize, proxiable, forwardable]
2013-02-06T16:17:28 Searching referral for myucc
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: No such entry in the database
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123
2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [proxiable, forwardable]
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: no such entry found in hdb
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123
2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [canonicalize, proxiable, forwardable]
2013-02-06T16:17:28 Searching referral for myucc
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: No such entry in the database
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123
2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [proxiable, forwardable]
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: no such entry found in hdb
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123
2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [canonicalize, proxiable, forwardable]
2013-02-06T16:17:28 Searching referral for myucc
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: No such entry in the database
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123
2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [proxiable, forwardable]
2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: no such entry found in hdb
2013-02-06T16:17:28 Failed building TGS-REP to IPv4:10.200.7.123
2013-02-06T16:17:28 sending 107 bytes to IPv4:10.200.7.123

kadmin on the master:

kadmin -l dump| grep myucc
host/myucc.ago.rum@AGO.RUM 1::18:9B5684204EA9361870AC83BDB15916CA77903EC9750DD01C2CC030E1F28014F6:3/"AGO.RUMhostmyucc.ago.rum"::17:8EEC122AB997F31916A0CCAD93077F58:3/"AGO.RUMhostmyucc.ago.rum"::16:5EA2FB46F43B8C809D612575D023A2613B02673EDF617CDA:3/"AGO.RUMhostmyucc.ago.rum"::23:91ADB990EBAFB48144A04EC7C2742F48:3/"AGO.RUMhostmyucc.ago.rum"::3:011A5D32B0B6D51A:3/"AGO.RUMhostmyucc.ago.rum"::2:011A5D32B0B6D51A:3/"AGO.RUMhostmyucc.ago.rum"::1:011A5D32B0B6D51A:3/"AGO.RUMhostmyucc.ago.rum" 20130206150312:UNKNOWN - - - - 86400 604800 126 - -

computer object of the client:

dn: cn=myucc,cn=computers,dc=ago,dc=rum
macAddress: 52:54:00:64:42:e2
cn: myucc
krb5PrincipalName: host/myucc.ago.rum@AGO.RUM
objectClass: top
objectClass: person
objectClass: univentionHost
objectClass: univentionCorporateClient
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: univentionObject
uidNumber: 2017
sambaAcctFlags: [W ]
krb5MaxLife: 86400
uid: myucc$
userPassword:: e2NyeXB0fSQ2JHJQVkVXUGJFM0NIWVduaEEkRXQwMEIvSzZPMHE3WWZKazFPNkJ
 xNG5VMmNiY2E0ampyWjA5L1F0QWJWWm8xUlR3aEFGOTkyYk1oRnNvY3RteEJhQ2dOU1lEVFNYMUkx
 Wk95L3pUNzA=
krb5Key:: MFKhKzApoAMCARKhIgQgm1aEIE6pNhhwrIO9sVkWyneQPsl1DdAcLMAw4fKAFPaiIzAh
 oAMCAQOhGgQYQUdPLlJVTWhvc3RteXVjYy5hZ28ucnVt
krb5Key:: MEKhGzAZoAMCARGhEgQQjuwSKrmX8xkWoMytkwd/WKIjMCGgAwIBA6EaBBhBR08uUlVN
 aG9zdG15dWNjLmFnby5ydW0=
krb5Key:: MEqhIzAhoAMCARChGgQYXqL7RvQ7jICdYSV10COiYTsCZz7fYXzaoiMwIaADAgEDoRoE
 GEFHTy5SVU1ob3N0bXl1Y2MuYWdvLnJ1bQ==
krb5Key:: MEKhGzAZoAMCARehEgQQka25kOuvtIFEoE7HwnQvSKIjMCGgAwIBA6EaBBhBR08uUlVN
 aG9zdG15dWNjLmFnby5ydW0=
krb5Key:: MDqhEzARoAMCAQOhCgQIARpdMrC21RqiIzAhoAMCAQOhGgQYQUdPLlJVTWhvc3RteXVj
 Yy5hZ28ucnVt
krb5Key:: MDqhEzARoAMCAQKhCgQIARpdMrC21RqiIzAhoAMCAQOhGgQYQUdPLlJVTWhvc3RteXVj
 Yy5hZ28ucnVt
krb5Key:: MDqhEzARoAMCAQGhCgQIARpdMrC21RqiIzAhoAMCAQOhGgQYQUdPLlJVTWhvc3RteXVj
 Yy5hZ28ucnVt
krb5MaxRenew: 604800
aRecord: 10.200.7.200
loginShell: /bin/sh
univentionObjectType: computers/ucc
krb5KDCFlags: 126
sambaNTPassword: 91ADB990EBAFB48144A04EC7C2742F48
univentionCorporateClientBootRepartitioning: FALSE
displayName: myucc
associatedDomain: ago.rum
sambaSID: S-1-5-21-1328397876-1071492324-1018362091-5034
krb5KeyVersionNumber: 1
sn: myucc
homeDirectory: /dev/null
gidNumber: 5007
sambaPrimaryGroupSID: S-1-5-21-1328397876-1071492324-1018362091-11015
univentionCorporateClientBootVariant: none

keytab on the client:

-> ktutil --keytab=/etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                   Aliases
  1  arcfour-hmac-md5         host/myucc.ago.rum@AGO.RUM
  1  aes128-cts-hmac-sha1-96  host/myucc.ago.rum@AGO.RUM
  1  aes256-cts-hmac-sha1-96  host/myucc.ago.rum@AGO.RUM
UCC is EoL
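
The kdc.log in the report asks for host/myucc@AGO.RUM, while the kadmin dump and the keytab list host/myucc.ago.rum@AGO.RUM. The Python below is an added example, not part of the bug report or of Univention's code: it extracts the not-found service principals from such a log and lists existing principals that differ only by carrying the FQDN. The function names and the second sample principal are constructed for illustration.

```python
import re

# Heimdal kdc.log "not found" line of the kind quoted in the report.
NOT_FOUND = re.compile(
    r"^(?P<ts>\S+) Server not found in database: "
    r"(?P<svc>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>[^:\s]+):"
)

def missing_service_principals(log_lines):
    """Return the distinct service principals the KDC could not find, in order."""
    seen = []
    for line in log_lines:
        m = NOT_FOUND.match(line.strip())
        if m:
            spn = (m["svc"], m["host"], m["realm"])
            if spn not in seen:
                seen.append(spn)
    return seen

def fqdn_candidates(spn, known_principals):
    """Known principals with same service/realm whose first host label is the requested name."""
    svc, host, realm = spn
    out = []
    for p in known_principals:
        name, _, p_realm = p.partition("@")
        p_svc, _, p_host = name.partition("/")
        if (p_svc, p_realm) == (svc, realm) and p_host != host \
                and p_host.split(".")[0].lower() == host.lower():
            out.append(p)
    return out

def triage(log_lines, known_principals):
    """Map each not-found principal to the FQDN principals that do exist."""
    return {
        "%s/%s@%s" % spn: fqdn_candidates(spn, known_principals)
        for spn in missing_service_principals(log_lines)
    }

# Log lines and first principal copied from the report; the second principal is constructed.
SAMPLE_LOG = [
    "2013-02-06T16:17:28 TGS-REQ test1@AGO.RUM from IPv4:10.200.7.123 for host/myucc@AGO.RUM [canonicalize, proxiable, forwardable]",
    "2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: No such entry in the database",
    "2013-02-06T16:17:28 Server not found in database: host/myucc@AGO.RUM: no such entry found in hdb",
]
SAMPLE_PRINCIPALS = ["host/myucc.ago.rum@AGO.RUM", "host/other.ago.rum@AGO.RUM"]

if __name__ == "__main__":
    for missing, found in triage(SAMPLE_LOG, SAMPLE_PRINCIPALS).items():
        print(missing, "->", found or "no FQDN principal")
```

An empty candidate list means no principal exists for that host under either name; a non-empty list means the client and the KDC database disagree on short name versus FQDN.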