Untitled
a guest
Feb 2nd, 2018
$ sudo apt-get install krb5-{admin-server,kdc} -y

/etc/hosts (on the KDC server):
127.0.0.1 localhost
192.168.1.2 client.domain.tld client
192.168.1.3 kdc.domain.tld kdc

/etc/resolv.conf (on the KDC server):
domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

/etc/krb5.conf:
[libdefaults]
default_realm = DOMAIN.TLD
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
DOMAIN.TLD = {
kdc = kdc.domain.tld
admin_server = kdc.domain.tld
default_domain = domain.tld
}
[domain_realm]
.domain.tld = DOMAIN.TLD
domain.tld = DOMAIN.TLD
[logging]
default = FILE:/var/log/kerberos/krb5-libs.log
kdc = FILE:/var/log/kerberos/krb5-kdc.log
admin_server = FILE:/var/log/kerberos/krb5-admin.log

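The krb5.conf above is the part of the setup that the client and the KDC must agree on: the realm name is case-sensitive, the `[realms]` entry names the KDC host, and `[domain_realm]` maps host names onto the realm. As an added example (not code from the paste), the Python script below parses that file format, including the brace sub-blocks used in `[realms]`, parses the `/etc/hosts` from the paste, and reports where the two disagree. It also flags `forwardable = true` and `proxiable = true`, which this config sets: a forwardable TGT is exactly what a client hands over when it delegates credentials, so a compromised service that receives one can act as the user. The parser, the check names and the finding messages are my own.

```python
"""Parse /etc/krb5.conf and /etc/hosts and cross-check the realm definition.

Added example, not code from the original paste. The two sample files below
are copied from the paste; the parser and the check names are my own.
"""
import re

KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.TLD
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
DOMAIN.TLD = {
kdc = kdc.domain.tld
admin_server = kdc.domain.tld
default_domain = domain.tld
}
[domain_realm]
.domain.tld = DOMAIN.TLD
domain.tld = DOMAIN.TLD
[logging]
default = FILE:/var/log/kerberos/krb5-libs.log
kdc = FILE:/var/log/kerberos/krb5-kdc.log
admin_server = FILE:/var/log/kerberos/krb5-admin.log
"""

HOSTS = """\
127.0.0.1 localhost
192.168.1.2 client.domain.tld client
192.168.1.3 kdc.domain.tld kdc
"""

KEY_VALUE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}. A 'NAME = { ... }' sub-block becomes a
    nested dict (one level, as [realms] uses); a repeated key becomes a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = KEY_VALUE.match(line)
        if section is None or not m:
            raise ValueError("unparseable krb5.conf line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        target = conf[section] if block is None else block
        if key in target:
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return conf


def parse_hosts(text):
    """Map every name and alias in an /etc/hosts file to its address."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, fields[0])
    return names


def check_config(conf, hosts):
    """Return (severity, message) findings for the default realm."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if realm is None:
        return [("error", "no default_realm in [libdefaults]")]
    if realm != realm.upper():  # realm names are case-sensitive
        findings.append(("error", "realm %r is not upper-case" % realm))
    if realm not in conf.get("realms", {}):
        findings.append(("error", "default_realm %s has no [realms] entry" % realm))
    else:
        kdcs = conf["realms"][realm].get("kdc", [])
        for kdc in kdcs if isinstance(kdcs, list) else [kdcs]:
            host = kdc.split(":")[0]  # strip an optional :port
            if host not in hosts:
                findings.append(("warn", "kdc %s not in /etc/hosts; depends on DNS" % host))
    for key in (realm.lower(), "." + realm.lower()):
        if conf.get("domain_realm", {}).get(key) != realm:
            findings.append(("warn", "[domain_realm] does not map %s to %s" % (key, realm)))
    for flag in ("forwardable", "proxiable"):
        if libdefaults.get(flag, "false").lower() == "true":
            findings.append(("info", "%s = true: every TGT is issued %s, so a service "
                             "that receives a delegated TGT can act as the user" % (flag, flag)))
    return findings


if __name__ == "__main__":
    for severity, message in check_config(parse_krb5_conf(KRB5_CONF), parse_hosts(HOSTS)):
        print(severity, message)
```

Run against the paste's own files it reports no errors and no warnings, only the two `info` findings about forwardable and proxiable tickets; lower-casing `default_realm` is enough to make it report errors, which is the kind of slip that produces a principal the KDC has never heard of.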
Principals in the KDC database:
K/M@DOMAIN.TLD
userid/admin@DOMAIN.TLD
userid@DOMAIN.TLD
host/kdc.domain.tld@DOMAIN.TLD
kadmin/admin@DOMAIN.TLD
kadmin/changepw@DOMAIN.TLD
kadmin/kdc.domain.tld@DOMAIN.TLD
kiprop/kdc.domain.tld@DOMAIN.TLD
krbtgt/DOMAIN.TLD@DOMAIN.TLD

$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output

$ netstat -antup | grep krb (output on the KDC server):
tcp   0 0 0.0.0.0:88  0.0.0.0:* LISTEN 528/krb5kdc
tcp6  0 0 :::88       :::*      LISTEN 528/krb5kdc
udp   0 0 0.0.0.0:750 0.0.0.0:*        528/krb5kdc
udp   0 0 0.0.0.0:88  0.0.0.0:*        528/krb5kdc
udp6  0 0 :::750      :::*             528/krb5kdc
udp6  0 0 :::88       :::*             528/krb5kdc

$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: userid@DOMAIN.TLD
Getting initial credentials for userid@DOMAIN.TLD
Sending request (181 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Received answer (274 bytes) from dgram 192.168.1.3:88
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Processing preauth types: 136, 19, 2, 133
Selected etype info: etype aes256-cts, salt "DOMAIN.TLDuserid", params ""
Received cookie: MIT
Password for userid@DOMAIN.TLD:
AS key obtained for encrypted timestamp: aes256-cts/000C
...etc

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: userid@DOMAIN.TLD

Valid starting       Expires              Service principal
mm/dd/yyyy hh:mm:ss  mm/dd/yyyy hh:mm:ss  krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until mm/dd/yyyy hh:mm:ss, Flags: FPRIA

/etc/hosts (on the client):
127.0.0.1 localhost
192.168.1.2 client.domain.tld client
192.168.1.3 kdc.domain.tld kdc

/etc/resolv.conf (on the client):
domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

$ ping -c1 kdc.domain.tld (from the client Linux system):
PING kdc.domain.tld (192.168.1.3) 56(84) bytes of data.
64 bytes from kdc.domain.tld (192.168.1.3): icmp_seq=1 ttl=64 time=0.231 ms

--- kdc.domain.tld ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms

$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output

$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: userid@DOMAIN.TLD
Getting initial credentials for userid@DOMAIN.TLD
Sending request (175 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:750
Initiating TCP connection to stream 192.168.1.3:88
Terminating TCP connection to stream 192.168.1.3:88
kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials

$ nmap -v -A --version-all -p88 kdc.domain.tld
...
Nmap scan report for kdc.domain.tld (192.168.1.3)
Host is up (0.00043s latency).
PORT   STATE  SERVICE      VERSION
88/tcp closed kerberos-sec
...
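The two KRB5_TRACE runs above tell different stories. On the KDC, the UDP request to 192.168.1.3:88 is answered and the KDC returns error -1765328359, which is KRB5KDC_ERR_PREAUTH_REQUIRED: that is a healthy reply, it means the KDC is up and has an entry for userid@DOMAIN.TLD. From the client, UDP 88, UDP 750 and TCP 88 all go unanswered, and nmap reports 88/tcp as closed rather than filtered, meaning something at 192.168.1.3 answered the SYN with a TCP RST, while netstat on the KDC shows krb5kdc listening on 0.0.0.0:88 and `iptables -S` shows an empty filter table with ACCEPT policies. As an added example (not code from the paste), the Python script below parses both traces into per-endpoint results and cross-checks the netstat line against the nmap line; the function names, the verdict strings and the KDC address argument are my own. The cross-check does not prove a root cause, it only narrows what to look at next: `ip addr` on the KDC (is 192.168.1.3 really its address?), `ip neigh` on the client (which MAC answers for that IP?), and rules outside the filter table (`iptables -t nat -S`, `iptables -t raw -S`, `nft list ruleset`).

```python
"""Classify KRB5_TRACE output from kinit and cross-check it against the KDC.

Added example, not code from the original paste. The two traces, the netstat
line and the nmap line below are copied from the paste; the function names,
the verdict strings and the kdc_ip argument are my own.
"""
import re

TRACE_ON_KDC = """\
Sending request (181 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Received answer (274 bytes) from dgram 192.168.1.3:88
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
"""

TRACE_ON_CLIENT = """\
Sending request (175 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:750
Initiating TCP connection to stream 192.168.1.3:88
Terminating TCP connection to stream 192.168.1.3:88
kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials
"""

NETSTAT_ON_KDC = "tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 528/krb5kdc"
NMAP_FROM_CLIENT = "88/tcp closed kerberos-sec"

# KRB5KDC_ERR_PREAUTH_REQUIRED: the KDC replied and knows the principal.
PREAUTH_REQUIRED = -1765328359

UDP_SEND = re.compile(r"Sending initial UDP request to dgram (\S+):(\d+)")
TCP_OPEN = re.compile(r"Initiating TCP connection to stream (\S+):(\d+)")
ANSWER = re.compile(r"Received answer \(\d+ bytes\) from (dgram|stream) (\S+):(\d+)")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")


def analyse_trace(text):
    """Return {'attempts': {(proto, ip, port): 'answered'|'no-reply'},
    'kdc_error': (code, text) or None, 'verdict': str}."""
    attempts, kdc_error, gave_up = {}, None, False
    for line in text.splitlines():
        m = UDP_SEND.search(line) or TCP_OPEN.search(line)
        if m:  # an endpoint was tried; stays 'no-reply' until an answer arrives
            proto = "udp" if "UDP" in line else "tcp"
            attempts.setdefault((proto, m.group(1), int(m.group(2))), "no-reply")
            continue
        m = ANSWER.search(line)
        if m:
            proto = "udp" if m.group(1) == "dgram" else "tcp"
            attempts[(proto, m.group(2), int(m.group(3)))] = "answered"
            continue
        m = KDC_ERR.search(line)
        if m:
            kdc_error = (int(m.group(1)), m.group(2).strip())
            continue
        if "Cannot contact any KDC" in line:
            gave_up = True
    if gave_up:
        verdict = "kdc-unreachable"
    elif "answered" in attempts.values():
        verdict = "kdc-reachable"  # even a KDC error is proof of reachability
    else:
        verdict = "other"
    return {"attempts": attempts, "kdc_error": kdc_error, "verdict": verdict}


def cross_check(kdc_ip, netstat_line, nmap_line):
    """Compare the socket krb5kdc binds on the KDC with what a client observes.

    nmap 'closed' means the target sent a TCP RST; 'filtered' means nothing
    came back. A RST for a port that krb5kdc has LISTENing on 0.0.0.0 cannot
    come from krb5kdc's own host unless traffic is rewritten or rejected
    before it reaches the socket."""
    ns = re.match(r"(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s", netstat_line)
    nm = re.match(r"(\d+)/(tcp|udp)\s+(\S+)", nmap_line)
    if not ns or not nm:
        raise ValueError("unrecognised netstat or nmap line")
    bind_addr, bind_port = ns.group(2), int(ns.group(3))
    seen_port, state = int(nm.group(1)), nm.group(3)
    if seen_port != bind_port:
        return "different-ports"
    if state == "open":
        return "consistent"
    if bind_addr not in ("0.0.0.0", "::", kdc_ip):
        return "kdc-bound-to-other-address:%s" % bind_addr
    if state == "closed":
        return "rst-from-%s-but-krb5kdc-listens: suspect another host or NAT at that IP" % kdc_ip
    return "filtered: suspect a firewall or non-filter-table rule between client and KDC"


if __name__ == "__main__":
    for where, trace in (("on the KDC", TRACE_ON_KDC), ("from the client", TRACE_ON_CLIENT)):
        r = analyse_trace(trace)
        print(where, r["verdict"], r["attempts"], r["kdc_error"])
    print(cross_check("192.168.1.3", NETSTAT_ON_KDC, NMAP_FROM_CLIENT))
```

The point of treating a pre-authentication error as "reachable" is that it is the first thing a working KDC says to a client that has not yet proved knowledge of the password; only the "Cannot contact any KDC" line is a transport failure. Running the script on the paste's data gives `kdc-reachable` for the trace taken on the KDC, `kdc-unreachable` with three unanswered endpoints for the client, and a verdict that a RST is coming back from an address on which krb5kdc claims to be listening.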