mit kerberosv5 1.2.7 - kadmin wont connect - please help
Christian
cgregoir99 at yahoo.com
Tue Apr 1 02:54:06 EST 2003
""Yan"" <ymercier at mxtest.homedns.org> wrote in message
news:009401c2f7b1$ed0adf60$cb003c0a at Domain3.McAfeeb2b.com...
> Here are the messages I exchanged with Srini
> from the newsgroup; the problem remains unsolved.
> Looking forward to more help.
>
> Yan
>
>
> Hi group,
> I compiled it from source on Solaris 8.
> I followed the installation guide, created an admin
> principal, an ACL, filled krb5.conf and kdc.conf.
> The installation has /opt/k5 for --prefix so I created
> /opt/k5/etc and /opt/k5/var manually to put my config
> files.
>
> When starting krb5kdc this port appears :
> -begin-------------------------------------------------------
> UDP: IPv4
> 192.168.0.8.88 Idle
> -end-------------------------------------------------------
>
> and the ports for kadmind :
> -begin-------------------------------------------------------
> UDP: IPv4
> *.464 Idle
> TCP: IPv4
> *.749 *.* 0 0 24576 0 LISTEN
> -end-------------------------------------------------------
>
> So I assume my servers are up and running, the procs
> are in ps -ef output as well.
>
> kadmin.local works here is the getprincs output:
> -begin-------------------------------------------------------
> kadmin.local: getprincs
> K/M at NEOTOKYO.COM
> kadmin/admin at NEOTOKYO.COM
> kadmin/changepw at NEOTOKYO.COM
> kadmin/history at NEOTOKYO.COM
> krbtgt/NEOTOKYO.COM at NEOTOKYO.COM
> yan/admin at NEOTOKYO.COM
> -end-------------------------------------------------------
>
> I found while googling that someone had this problem
> before, and he was told to make sure that his hosts file was
> configured to have the FQDN of the machine appearing first
> in the hosts file for that IP. It didn't solve my problem.
>
> Here's the problem :
> -begin-------------------------------------------------------
> sun2# kadmin -p yan/admin at NEOTOKYO.COM
> Authenticating as principal yan/admin at NEOTOKYO.COM with password.
> kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
> -end-------------------------------------------------------
>
> Here is my krb5.conf file :
> -begin-------------------------------------------------------
> [libdefaults]
> ticket_lifetime = 600
> default_realm = NEOTOKYO.COM
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> [realms]
> NEOTOKYO.COM = {
> kdc = SUN2.NEOTOKYO.COM
> admin_server = SUN2.NEOTOKYO.COM
> default_domain = NEOTOKYO.COM
> }
>
> [domain_realm]
> .neotokyo.com = NEOTOKYO.COM
> neotokyo.com = NEOTOKYO.COM
>
> [logging]
> kdc = FILE:/opt/k5/var/krb5kdc/kdc.log
> admin_server = FILE:/opt/k5/var/krb5kdc/kadmin.log
> -end-------------------------------------------------------
>
> Neither kdc.log nor kadmind.log are showing anything
> special, not even the connection requests.
>
> You can reach me at ymercier at mxtest.homedns.org if you wish
> to help
>
> Yannick
>
>
> ________________________________________________
>
> ----------------------
> Hi,
> Try to get the TGT first by giving the command "kinit <principal name>".
>
> Did you update the /etc/services file with the following services:
> kerberos 88/udp kdc # Kerberos authentication (udp)
> kerberos 88/tcp kdc # Kerberos authentication (tcp)
> krb5_prop 754/tcp # Kerberos slave propagation
> kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
> kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
> eklogin 2105/tcp # Kerberos encrypted rlogin
>
> Also what does your kdc.conf look like and where(path) is it exactly.
>
> Good Luck,
> Srini
>
> -------------------
> Hi,
> my /etc/services wasn't updated so I added the entries you specified
> below, thank you.
>
> The problem is still here though :
> -begin-------------------------------
> sun2# kinit -V yan/admin at NEOTOKYO.COM
> kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
> -end-------------------------------
>
> Here is my kdc.conf :
> -begin-------------------------------
> sun2# pwd
> /opt/k5/var/krb5kdc
> sun2# cat kdc.conf
> [kdcdefaults]
> kdc_ports = 88
>
> [realms]
> NEOTOKYO.COM = {
> database_name = /opt/k5/var/krb5kdc/principal
> key_stash_file = /opt/k5/var/krb5kdc/.k5.NEOTOKYO.COM
> kadmind_port = 749
> admin_keytab = /opt/k5/var/krb5kdc/kadm5.keytab
> acl_file = /opt/k5/var/krb5kdc/kadm5.acl
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> }
>
> sun2#
> -end----------------------------------------------
>
> ---------------------
>
> Hi Yan,
> I think it is unable to locate the kdc. Where is your krb5.conf?
> - it is currently in /opt/k5/etc - I think it is used by kadmin when
> connecting - because I tested it changing the hostname of the kdc in
> there and sniffing the network, I see kadmin trying to connect to the
> other machine. The thing I found strange is that it is trying to connect
> to a udp port which is not listening on the server. I have not specified
> any port in the config files, I assumed the client and server would use
> the default ports.
>
> Copy the krb5.conf to /etc and check. Then please try to kill the krb5kdc
> and start it again.
> - I'll try that this evening when back at home.
>
> Are you able to ping SUN2.NEOTOKYO.COM?
> - Yep, that's the same machine
> Are the KDC and the client on the same m/c?
> - Yep
>
> Cheers,
> Srini
>
Can you run 'telnet SUN2.NEOTOKYO.COM 749' ?
Christian.
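An added diagnostic in Python (my own example, not code from the thread, from Christian, or from MIT Kerberos) for the checks the thread walks through: it parses the [realms] section of the quoted krb5.conf, resolves each kdc and admin_server name, compares the result with the address the KDC was seen bound to in the netstat output, and performs the same TCP connect as the telnet test suggested above. The realm, host name and the 192.168.0.8 address come from the thread; parse_realms, tcp_open and diagnose are names of my own, and bound_addrs is an assumption filled in by hand from netstat.

```python
import socket
SAMPLE_KRB5_CONF = """\
[realms]
NEOTOKYO.COM = {
kdc = SUN2.NEOTOKYO.COM
admin_server = SUN2.NEOTOKYO.COM
}
"""  # sample input: the [realms] section of the krb5.conf quoted in the thread

def parse_realms(text):
    """Collect the kdc and admin_server entries of each realm in a krb5.conf [realms] section."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_realms = line.lower() == "[realms]"  # [logging] also has a 'kdc =' key
        elif in_realms and line.endswith("{"):
            current = line.split("=", 1)[0].strip()
            realms[current] = {"kdc": [], "admin_server": []}
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key in realms[current]:
                realms[current][key].append(val)
    return realms

def tcp_open(host, port, timeout=3.0):
    """The same check as 'telnet host 749': can a TCP connection be opened?"""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def diagnose(realm_cfg, bound_addrs, resolve=socket.gethostbyname, probe=tcp_open):
    """List reasons a client would report 'Cannot contact any KDC for requested realm'. Ports are the MIT defaults (88 KDC, 749 kadmind) since the thread's krb5.conf names none."""
    findings = []
    for key, port in (("kdc", 88), ("admin_server", 749)):
        for host in realm_cfg[key]:
            try:
                ip = resolve(host)
            except OSError:
                findings.append(f"{key}: {host} does not resolve")
                continue
            if bound_addrs and ip not in bound_addrs:  # e.g. KDC bound only to 192.168.0.8
                findings.append(f"{key}: {host} -> {ip}, but the KDC listens on {bound_addrs}")
            if key == "admin_server" and not probe(ip, port):  # port 88 is UDP; probe TCP 749 only
                findings.append(f"{key}: no TCP listener at {ip}:{port}")
    return findings
```

An empty result from diagnose means the names resolve to the address the KDC is bound to and kadmind's TCP port answers; each finding names the entry that failed.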