mit kerberosv5 1.2.7 - kadmin wont connect - please help

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Apr 3 10:46:41 EST 2003


Yan wrote:
> Now it works
> For your information, the problem was that the KDC
> was listening only on port 88 and not 750, so kinit and
> kadmind was unable to communicate with it.
> 
> Apache authentication with mod_auth_kerb works fine.
> 
> I tried to authenticate my solaris8 box with the bundled
> PAM_Kerb5 module, and it doesn't work because
> Sun SEAM KDC is working with a SecureRPC method
> different than the one MIT Kerberos uses.


SEAM clients work just fine for standard Kerberos exchanges.
The secure RPC differences only affect the use of administrative
tools like kadmin.  Clients like 'kinit', and using pam_krb5
for authentication, work just fine talking to SEAM or MIT
KDCs.

There are several SEAM patches for pam that you should try
to download.  Also, verify that you have installed the
encryption pack for Solaris 8 SEAM (free unbundled download).

---
Patch 112390 delivers patches for the "domestic" krb5 library
  (/usr/lib/gss/do/mech_krb5.so.1)

Patch 112237 delivers the same patches for the "global" krb5 library
  (/usr/lib/gss/gl/mech_krb5.so.1)

The "domestic" library is the one with full encryption support (for
Solaris 8).

For Solaris 9, there is no difference in the do and gl mechs, both
deliver encryption.

Thus, if you are patching a Solaris 8 system with crypto support,
use 112390.
---

Note, SEAM does not support Kerberos V4 in any way, so if you are
trying to use KrbV4 with SEAM, then you should expect it to fail.


> Is there a way to authenticate my solaris clients
> with the MIT kerberos KDC ?

Use 'kinit' just like you always do.

-Wyllys



> 
> Thank you,
> Yan
> --------------
> 
> 
>>>Here are the messages I exchanged with Srini
>>>from the newsgroup; the problem remains unsolved,
>>>looking forward to more help
>>>
>>>Yan
>>>
>>>
>>> Hi group,
>>>     I compiled it from source on Solaris8.
>>> I followed the installation guide, created an admin
>>> principal, an ACL, filled krb5.conf and kdc.conf.
>>> The installation has /opt/k5 for --prefix, so I created
>>> /opt/k5/etc and /opt/k5/var manually to put my config
>>> files.
>>>
>>> When starting krb5kdc this port appears :
>>> -begin-------------------------------------------------------
>>> UDP: IPv4
>>> 192.168.0.8.88                              Idle
>>> -end-------------------------------------------------------
>>>
>>> and the ports for kadmind :
>>> -begin-------------------------------------------------------
>>> UDP: IPv4
>>>       *.464                                 Idle
>>> TCP: IPv4
>>>       *.749                *.*                0      0 24576      0 LISTEN
>>> -end-------------------------------------------------------
>>>
>>> So I assume my servers are up and running, the procs
>>> are in ps -ef output as well.
>>>
>>> kadmin.local works here is the getprincs output:
>>> -begin-------------------------------------------------------
>>> kadmin.local:  getprincs
>>> K/M at NEOTOKYO.COM
>>> kadmin/admin at NEOTOKYO.COM
>>> kadmin/changepw at NEOTOKYO.COM
>>> kadmin/history at NEOTOKYO.COM
>>> krbtgt/NEOTOKYO.COM at NEOTOKYO.COM
>>> yan/admin at NEOTOKYO.COM
>>> -end-------------------------------------------------------
>>>
>>> I found while googling that someone has had this problem
>>> before, and he was told to make sure that his hosts file was
>>> configured to have the FQDN of the machine appearing first
>>> in the hosts file for that IP. It didn't solve my problem.
>>>
>>> Here's the problem:
>>> -begin-------------------------------------------------------
>>> sun2# kadmin -p yan/admin at NEOTOKYO.COM
>>> Authenticating as principal yan/admin at NEOTOKYO.COM with password.
>>> kadmin: Cannot contact any KDC for requested realm while initializing
>>> kadmin
>>> interface
>>> -end-------------------------------------------------------
>>>
>>> Here is my krb5.conf file :
>>> -begin-------------------------------------------------------
>>> [libdefaults]
>>> ticket_lifetime = 600
>>> default_realm = NEOTOKYO.COM
>>> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
>>> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>>>
>>> [realms]
>>> NEOTOKYO.COM = {
>>>     kdc = SUN2.NEOTOKYO.COM
>>>     admin_server = SUN2.NEOTOKYO.COM
>>>     default_domain = NEOTOKYO.COM
>>> }
>>>
>>> [domain_realm]
>>> .neotokyo.com = NEOTOKYO.COM
>>> neotokyo.com = NEOTOKYO.COM
>>>
>>> [logging]
>>> kdc = FILE:/opt/k5/var/krb5kdc/kdc.log
>>> admin_server = FILE:/opt/k5/var/krb5kdc/kadmin.log
>>> -end-------------------------------------------------------
>>>
>>> Neither kdc.log nor kadmind.log is showing anything
>>> special, not even the connection requests.
>>>
>>> You can reach me at ymercier at mxtest.homedns.org if you wish
>>> to help
>>>
>>> Yannick
>>>
>>>
>>> ________________________________________________
>>>
>>>----------------------
>>> Hi,
>>> Try to get the TGT first by giving the command "kinit <principal name>".
> 
>>> Did you update the /etc/services file with the following services:
>>> kerberos        88/udp      kdc       # Kerberos authentication (udp)
>>> kerberos        88/tcp      kdc       # Kerberos authentication (tcp)
>>> krb5_prop       754/tcp               # Kerberos slave propagation
>>> kerberos-adm    749/tcp               # Kerberos 5 admin/changepw (tcp)
>>> kerberos-adm    749/udp               # Kerberos 5 admin/changepw (udp)
>>> eklogin         2105/tcp              # Kerberos encrypted rlogin
>>>
>>> Also what does your kdc.conf look like and where(path) is it exactly.
>>>
>>> Good Luck,
>>> Srini
>>>
>>>-------------------
>>> Hi,
>>> my /etc/services wasn't updated, so I added the entries you specified
>>> below, thank you
>>>
>>> The problem is still here though :
>>> -begin-------------------------------
>>> sun2# kinit -V yan/admin at NEOTOKYO.COM
>>> kinit(v5): Cannot contact any KDC for requested realm while
>>> getting initial credentials
>>> -end-------------------------------
>>>
>>> Here is my kdc.conf :
>>> -begin-------------------------------
>>> sun2# pwd
>>> /opt/k5/var/krb5kdc
>>> sun2# cat kdc.conf
>>> [kdcdefaults]
>>>     kdc_ports = 88
>>>
>>> [realms]
>>>     NEOTOKYO.COM = {
>>>         database_name = /opt/k5/var/krb5kdc/principal
>>>         key_stash_file = /opt/k5/var/krb5kdc/.k5.NEOTOKYO.COM
>>>         kadmind_port = 749
>>>         admin_keytab = /opt/k5/var/krb5kdc/kadm5.keytab
>>>         acl_file = /opt/k5/var/krb5kdc/kadm5.acl
>>>         max_life = 10h 0m 0s
>>>         max_renewable_life = 7d 0h 0m 0s
>>>         master_key_type = des3-hmac-sha1
>>>         supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
>>>         kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
>>>     }
>>>
>>> sun2#
>>>-end----------------------------------------------
>>>
>>>---------------------
>>>
>>>Hi Yan,
>>>I think it is unable to locate the kdc. Where is your krb5.conf?
>>> - it is currently in /opt/k5/etc - I think it is used by kadmin when
>>>connecting
>>> - because I tested it changing the hostname of the kdc in there and
>>>sniffing the
>>> - network, I see kadmin trying to connect to the other machine. The thing I
>>> - found strange is that it is trying to connect to a UDP port which is not
>>> - listening on the server. I have not specified any port in the config files, I
>>> - assumed the client and server would use the default ports..
>>>
>>>Copy the krb5.conf to /etc and check. Then please try to kill the krb5kdc
>>>and start it again.
>>> - I'll try that this evening when back at home.
>>>
>>>Are you able to ping SUN2.NEOTOKYO.COM?
>>> - Yep, that's the same machine
>>>Are the KDC and the client on the same m/c?
>>> - Yep
>>>
>>>Cheers,
>>>Srini
>>>
>>
>>Can you run 'telnet SUN2.NEOTOKYO.COM 749' ?
>>
>>Christian.
>>
>>
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
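Added here as an illustration, not code from the thread, from MIT Kerberos or from Sun: a small offline Python checker for the mismatch Yan eventually found (a KDC serving port 88 only while the client tried 750). It parses the posted kdc.conf and krb5.conf text and an /etc/services fragment, and reports which ports the client will try that the KDC is not configured to serve. The rule it applies for the client's port choice (an explicit ':port' on the kdc line, otherwise the 'kerberos' udp entry in /etc/services, otherwise 88) and the default of 88 and 750 when kdc_ports is unset are assumptions about the MIT 1.2-era client, not facts stated in the thread; the config samples are constructed from the values posted above, and the services file mapping 'kerberos' to 750 is constructed to reproduce the failure.

```python
"""Check that a KDC serves the ports its clients will try (added example).

Assumptions (not from the thread): client port = explicit ':port' on the
'kdc =' line, else the 'kerberos' udp entry of /etc/services, else 88;
a kdc.conf with no kdc_ports serves 88 and 750.
"""
import re

# Yan's kdc.conf, trimmed to the keys this check reads.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    NEOTOKYO.COM = {
        database_name = /opt/k5/var/krb5kdc/principal
        kadmind_port = 749
        acl_file = /opt/k5/var/krb5kdc/kadm5.acl
    }
"""

# Yan's krb5.conf realm section: no port given on the kdc line.
KRB5_CONF = """\
[libdefaults]
default_realm = NEOTOKYO.COM

[realms]
NEOTOKYO.COM = {
    kdc = SUN2.NEOTOKYO.COM
    admin_server = SUN2.NEOTOKYO.COM
}

[domain_realm]
.neotokyo.com = NEOTOKYO.COM
"""

# The /etc/services entry Srini recommended (Kerberos 5 on 88).
SERVICES_V5 = "kerberos        88/udp      kdc       # Kerberos authentication (udp)\n"

# Constructed: a services file that still maps 'kerberos' to the V4 port 750.
SERVICES_V4 = "kerberos        750/udp     kdc       # constructed V4-era entry\n"

DEFAULT_KDC_PORTS = {88, 750}  # assumed default when kdc_ports is absent


def _section(text, name):
    """Return the body of [name] up to the next section header."""
    pat = r'^\s*\[%s\]\s*$(.*?)(?=^\s*\[[^\]]+\]\s*$|\Z)' % re.escape(name)
    m = re.search(pat, text, re.M | re.S)
    return m.group(1) if m else ''


def _realm_block(section_body, realm):
    """Return the text inside 'REALM = { ... }' within a [realms] body."""
    pat = r'^\s*%s\s*=\s*\{(.*?)^\s*\}' % re.escape(realm)
    m = re.search(pat, section_body, re.M | re.S)
    return m.group(1) if m else ''


def _value(body, key):
    """First 'key = value' in body, or None."""
    m = re.search(r'^\s*%s\s*=\s*(.+?)\s*$' % re.escape(key), body, re.M)
    return m.group(1) if m else None


def services_port(services_text, name, proto='udp'):
    """Port for name/proto from /etc/services-style text, or None."""
    for line in services_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and fields[0] == name:
            port, _, p = fields[1].partition('/')
            if p == proto:
                return int(port)
    return None


def served_kdc_ports(kdc_conf, realm):
    """Ports the KDC listens on: per-realm kdc_ports, else [kdcdefaults], else default."""
    value = (_value(_realm_block(_section(kdc_conf, 'realms'), realm), 'kdc_ports')
             or _value(_section(kdc_conf, 'kdcdefaults'), 'kdc_ports'))
    if value is None:
        return set(DEFAULT_KDC_PORTS)
    return {int(p) for p in re.split(r'[,\s]+', value) if p}


def client_kdc_ports(krb5_conf, services_text, realm):
    """Ports a client would send its AS-REQ to for the realm's kdc entries."""
    block = _realm_block(_section(krb5_conf, 'realms'), realm)
    ports = set()
    for m in re.finditer(r'^\s*kdc\s*=\s*(\S+)', block, re.M):
        _host, _, port = m.group(1).partition(':')
        if port:
            ports.add(int(port))
        else:
            svc = services_port(services_text, 'kerberos')
            ports.add(svc if svc is not None else 88)
    return ports


def check_kdc_ports(kdc_conf, krb5_conf, services_text, realm):
    """Report the ports the client will try that the KDC is not serving."""
    served = served_kdc_ports(kdc_conf, realm)
    tried = client_kdc_ports(krb5_conf, services_text, realm)
    return {'served': served, 'tried': tried, 'unreachable': tried - served}


if __name__ == '__main__':
    for label, services in (('V4 services entry', SERVICES_V4),
                            ('V5 services entry', SERVICES_V5)):
        print(label, check_kdc_ports(KDC_CONF, KRB5_CONF, services, 'NEOTOKYO.COM'))
```

With the V4-style services entry the report shows the client trying 750 while the KDC serves only 88, which matches the silent failure above (no packets reach the KDC, so kdc.log stays empty); with Srini's 88/udp entry, or with an explicit "kdc = SUN2.NEOTOKYO.COM:88", the unreachable set is empty.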