mit kerberosv5 1.2.7 - kadmin won't connect - please help
Yan
ymercier at mxtest.homedns.org
Wed Apr 2 22:09:39 EST 2003
Now it works.
For your information, the problem was that the KDC
was listening only on port 88 and not 750, so kinit and
kadmind were unable to communicate with it.
Apache authentication with mod_auth_kerb works fine.
I tried to authenticate my Solaris 8 box with the bundled
PAM_Kerb5 module, and it doesn't work because
the Sun SEAM KDC is working with a SecureRPC method
different from the one MIT Kerberos uses.
Is there a way to authenticate my Solaris clients
with the MIT Kerberos KDC?
Thank you,
Yan
--------------
> > Here's the messages I exchanged with Srini
> > from the newsgroup; the problem remains unsolved,
> > looking forward to more help
> >
> > Yan
> >
> >
> > Hi group,
> > I compiled it from source on Solaris 8.
> > I followed the installation guide, created an admin
> > principal, an ACL, filled krb5.conf and kdc.conf.
> > The installation uses /opt/k5 as --prefix, so I created
> > /opt/k5/etc and /opt/k5/var manually to put my config
> > files in.
> >
> > When starting krb5kdc this port appears:
> > -begin-------------------------------------------------------
> > UDP: IPv4
> > 192.168.0.8.88 Idle
> > -end-------------------------------------------------------
> >
> > and the ports for kadmind:
> > -begin-------------------------------------------------------
> > UDP: IPv4
> > *.464 Idle
> > TCP: IPv4
> > *.749 *.* 0 0 24576 0 LISTEN
> > -end-------------------------------------------------------
> >
> > So I assume my servers are up and running; the procs
> > are in the ps -ef output as well.
> >
> > kadmin.local works; here is the getprincs output:
> > -begin-------------------------------------------------------
> > kadmin.local: getprincs
> > K/M at NEOTOKYO.COM
> > kadmin/admin at NEOTOKYO.COM
> > kadmin/changepw at NEOTOKYO.COM
> > kadmin/history at NEOTOKYO.COM
> > krbtgt/NEOTOKYO.COM at NEOTOKYO.COM
> > yan/admin at NEOTOKYO.COM
> > -end-------------------------------------------------------
> >
> > I found while googling that someone had had this problem
> > before, and he was told to make sure that his hosts file was
> > configured to have the FQDN of the machine appearing first
> > in the hosts file for that IP. It didn't solve my problem.
> >
> > Here's the problem:
> > -begin-------------------------------------------------------
> > sun2# kadmin -p yan/admin at NEOTOKYO.COM
> > Authenticating as principal yan/admin at NEOTOKYO.COM with password.
> > kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
> > -end-------------------------------------------------------
> >
> > Here is my krb5.conf file:
> > -begin-------------------------------------------------------
> > [libdefaults]
> > ticket_lifetime = 600
> > default_realm = NEOTOKYO.COM
> > default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> > default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> >
> > [realms]
> > NEOTOKYO.COM = {
> > kdc = SUN2.NEOTOKYO.COM
> > admin_server = SUN2.NEOTOKYO.COM
> > default_domain = NEOTOKYO.COM
> > }
> >
> > [domain_realm]
> > .neotokyo.com = NEOTOKYO.COM
> > neotokyo.com = NEOTOKYO.COM
> >
> > [logging]
> > kdc = FILE:/opt/k5/var/krb5kdc/kdc.log
> > admin_server = FILE:/opt/k5/var/krb5kdc/kadmin.log
> > -end-------------------------------------------------------
> >
> > Neither kdc.log nor kadmind.log shows anything
> > special, not even the connection requests.
> >
> > You can reach me at ymercier at mxtest.homedns.org if you wish
> > to help
> >
> > Yannick
> >
> >
> > ________________________________________________
> >
> > ----------------------
> > Hi,
> > Try to get the TGT first by giving the command "kinit <principal name>".
> >
> > Did you update the /etc/services file with the following services:
> > kerberos 88/udp kdc # Kerberos authentication (udp)
> > kerberos 88/tcp kdc # Kerberos authentication (tcp)
> > krb5_prop 754/tcp # Kerberos slave propagation
> > kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
> > kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
> > eklogin 2105/tcp # Kerberos encrypted rlogin
> >
> > Also what does your kdc.conf look like and where(path) is it exactly.
> >
> > Good Luck,
> > Srini
> >
> > -------------------
> > Hi,
> > my /etc/services wasn't updated, so I added the entries you specified
> > below, thank you.
> >
> > The problem is still here though:
> > -begin-------------------------------
> > sun2# kinit -V yan/admin at NEOTOKYO.COM
> > kinit(v5): Cannot contact any KDC for requested realm while
> > getting initial credentials
> > -end-------------------------------
> >
> > Here is my kdc.conf:
> > -begin-------------------------------
> > sun2# pwd
> > /opt/k5/var/krb5kdc
> > sun2# cat kdc.conf
> > [kdcdefaults]
> > kdc_ports = 88
> >
> > [realms]
> > NEOTOKYO.COM = {
> > database_name = /opt/k5/var/krb5kdc/principal
> > key_stash_file = /opt/k5/var/krb5kdc/.k5.NEOTOKYO.COM
> > kadmind_port = 749
> > admin_keytab = /opt/k5/var/krb5kdc/kadm5.keytab
> > acl_file = /opt/k5/var/krb5kdc/kadm5.acl
> > max_life = 10h 0m 0s
> > max_renewable_life = 7d 0h 0m 0s
> > master_key_type = des3-hmac-sha1
> > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> > kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> > }
> >
> > sun2#
> > -end----------------------------------------------
> >
> > ---------------------
> >
> > Hi Yan,
> > I think it is unable to locate the kdc. Where is your krb5.conf?
> > - It is currently in /opt/k5/etc. I think it is used by kadmin when
> > connecting, because I tested it by changing the hostname of the kdc in
> > there and sniffing the network, and I see kadmin trying to connect to
> > the other machine. The thing I found strange is that it is trying to
> > connect to a udp port which is not listening on the server. I have not
> > specified any port in the config files; I assumed the client and server
> > would use the default ports.
> >
> > Copy the krb5.conf to /etc and check. Then please try to kill the
> > krb5kdc and start it again.
> > - I'll try that this evening when back at home.
> >
> > Are you able to ping SUN2.NEOTOKYO.COM?
> > - Yep, that's the same machine.
> > Are the KDC and the client on the same m/c?
> > - Yep.
> >
> > Cheers,
> > Srini
> >
>
> Can you run 'telnet SUN2.NEOTOKYO.COM 749' ?
>
> Christian.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
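The root cause Yan reports above is a port mismatch: the server's kdc.conf restricted the KDC to port 88 while the client also expected 750, and nothing in either log showed it. The script below is an added example (not code from the thread, MIT Kerberos, or the mailman archive) that parses the krb5.conf/kdc.conf profile format and reports client-expected ports that no server component is configured to bind. The two embedded config texts are constructed copies modelled on the files quoted in the thread; the client-side default port sets (88 and 750 for the KDC, 749 for kadmin) are assumptions taken from the thread's own findings, not read from any library.

```python
"""Diagnose KDC/kadmind port mismatches between a client's krb5.conf and
the server's kdc.conf, the failure mode described in the thread (KDC bound
only to 88 while the client also expected 750)."""

import re

# Constructed sample configs, modelled on the files quoted in the thread.
KRB5_CONF = """\
[libdefaults]
    default_realm = NEOTOKYO.COM

[realms]
    NEOTOKYO.COM = {
        kdc = SUN2.NEOTOKYO.COM
        admin_server = SUN2.NEOTOKYO.COM
    }
"""

KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    NEOTOKYO.COM = {
        kadmind_port = 749
    }
"""

# Assumed client-side defaults (from the thread's findings, not a library):
# the client tried both 88 and 750 for the KDC, and 749 for admin traffic.
DEFAULT_KDC_PORTS = (88, 750)
DEFAULT_KADMIN_PORT = 749


def parse_krb5_style(text):
    """Parse the krb5.conf/kdc.conf profile format into nested dicts.

    Sections are [name]; a 'key = {' line opens a nested block closed by
    '}'. Repeated keys (e.g. several 'kdc =' lines) accumulate into a list.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            stack = [root, root.setdefault(section.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def split_host_port(spec, default_ports):
    """'host' -> (host, default_ports); 'host:port' -> (host, (port,))."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, (int(port),)
    return spec, tuple(default_ports)


def expected_client_ports(krb5_conf_text, realm):
    """Ports the client will try, from the realm stanza of krb5.conf."""
    stanza = parse_krb5_style(krb5_conf_text).get("realms", {}).get(realm, {})
    kdc_ports, admin_ports = set(), set()
    for spec in stanza.get("kdc", []):
        kdc_ports.update(split_host_port(spec, DEFAULT_KDC_PORTS)[1])
    for spec in stanza.get("admin_server", []):
        admin_ports.update(split_host_port(spec, (DEFAULT_KADMIN_PORT,))[1])
    return kdc_ports, admin_ports


def served_ports(kdc_conf_text, realm):
    """Ports krb5kdc and kadmind are configured to bind, from kdc.conf."""
    conf = parse_krb5_style(kdc_conf_text)
    defaults = conf.get("kdcdefaults", {})
    stanza = conf.get("realms", {}).get(realm, {})
    # Realm-level kdc_ports overrides [kdcdefaults]; last occurrence wins.
    ports_spec = (stanza.get("kdc_ports") or defaults.get("kdc_ports")
                  or [",".join(map(str, DEFAULT_KDC_PORTS))])[-1]
    kdc_ports = {int(p) for p in re.split(r"[,\s]+", ports_spec) if p}
    admin_spec = (stanza.get("kadmind_port") or [str(DEFAULT_KADMIN_PORT)])[-1]
    return kdc_ports, {int(admin_spec)}


def diagnose(krb5_conf_text, kdc_conf_text, realm):
    """Return, per service, the client-expected ports nothing is bound to."""
    want_kdc, want_admin = expected_client_ports(krb5_conf_text, realm)
    have_kdc, have_admin = served_ports(kdc_conf_text, realm)
    return {"kdc": sorted(want_kdc - have_kdc),
            "kadmin": sorted(want_admin - have_admin)}


if __name__ == "__main__":
    print(diagnose(KRB5_CONF, KDC_CONF, "NEOTOKYO.COM"))
    # -> {'kdc': [750], 'kadmin': []}
```

Run against the sample pair, the report names port 750 for the KDC and nothing for kadmin, which matches the thread's resolution; widening `kdc_ports` to `88,750` in the kdc.conf text clears the report. Because the check reads only the two configuration files, it can be run on the server before restarting krb5kdc, which is more reliable than waiting for kdc.log, which as the thread shows records nothing when the request never reaches a bound port.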