Kerberos basic questions

Craig joeblow750 at hotmail.com
Sun Feb 9 06:02:26 EST 2003


Hi,

I'm new to Kerberos and have found the existing documentation to be rather
incomplete. I'm running Heimdal Kerberos on Debian and have successfully got
a KDC and client working with a PAM module for initial login.

However I'm having problems with several other things.
1. User 'tester' has a ~/.k5login which contains 'userA'
   When 'userA' types 'kinit' to get credentials, then types 'ksu tester',
   they are prompted for tester's password (I thought this would not be needed).

   When providing tester's password, Kerberos gives the following error:
   ksu: krb5_verify_user: No such entry in the database

2. On the client machine I want to do some basic administration. The kadmind
   service is running in /etc/inetd.conf and TCP wrappers allows incoming
   requests. Simply typing kadmin, I then type list * for a list of accounts
   and get the following error message:
   kadmin> list *
   kadmin: get *: Operation requires `get' privilege

   On the server my /var/lib/heimdal-kdc/kdc.conf has the acl file called
   kadmind.acl . This file did not exist so I created it then added the
   following entry:
   */admin@MY.REALM     *

3. Lastly, I'm not entirely sure about /etc/krb5.keytab and /etc/srvtab.

   From my understanding /etc/srvtab is used only for Kerberos IV.
   Is /etc/krb5.keytab only supposed to contain principal entries, not normal
   accounts?
   For example, to create a user account I do
           kadmin> add userA
   And to add a principal account I do
           kadmin> add -r host/hostname
           kadmin> ext_keytab

   When trying to do some remote administration on another machine, it
   complained about a non-existing /etc/krb5.keytab . This file only exists on
   my KDC. Should it exist on all machines where remote administration is
   required as well?

Looking forward to some answers.
Regards,

Craig
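The two authorization checks behind questions 1 and 2 above (a target account's ~/.k5login and the KDC's kadmind.acl) are easy to reason about once the matching rules are written down. The following is an added illustration, not Craig's code and not Heimdal's own implementation. It assumes the Heimdal kadmind.acl format as documented (one entry per line: a principal pattern, a comma-separated privilege list drawn from add, change-password/cpw, delete, get, list, modify, all, and an optional target pattern), matches principal components with shell-style globs, and treats .k5login entries as full principal names compared exactly. The sample ACL and principals are constructed for the example.

```python
"""Illustrative re-implementation of two Kerberos authorization checks:
Heimdal's kadmind.acl (what kadmin may do) and ~/.k5login (who ksu lets in).
Not Heimdal's code; format and matching rules are assumed from its docs."""
import fnmatch
from dataclasses import dataclass

# Privilege names accepted on a kadmind.acl line ("all" expands to every one).
PRIVILEGES = {"add", "change-password", "cpw", "delete", "get", "list", "modify"}


@dataclass
class AclEntry:
    principal: str   # glob pattern such as "*/admin@MY.REALM"
    privs: set       # privileges granted to matching principals
    target: str      # glob pattern for principals the entry may act on


def parse_privs(text):
    """Turn 'get,list' into a set; anything outside PRIVILEGES is rejected,
    so a line like '*/admin@MY.REALM *' is a parse error, not 'all'."""
    privs = set()
    for item in text.split(","):
        item = item.strip()
        if item == "all":
            privs |= PRIVILEGES
        elif item in PRIVILEGES:
            privs.add(item)
        else:
            raise ValueError(f"unknown privilege {item!r}")
    if "cpw" in privs:          # cpw is an alias for change-password
        privs.add("change-password")
    return privs


def parse_acl(text):
    """Parse kadmind.acl text; '#' starts a comment, blank lines are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        target = fields[2] if len(fields) == 3 else "*"
        entries.append(AclEntry(fields[0], parse_privs(fields[1]), target))
    return entries


def principal_matches(pattern, name):
    """Component-wise glob match: 'userA/admin@MY.REALM' matches
    '*/admin@MY.REALM' but 'userA@MY.REALM' does not (no /admin instance)."""
    if pattern == "*":
        return True
    pat_comps, _, pat_realm = pattern.partition("@")
    name_comps, _, name_realm = name.partition("@")
    pat_comps, name_comps = pat_comps.split("/"), name_comps.split("/")
    if len(pat_comps) != len(name_comps):
        return False
    return fnmatch.fnmatchcase(name_realm, pat_realm) and all(
        fnmatch.fnmatchcase(n, p) for n, p in zip(name_comps, pat_comps))


def acl_allows(entries, principal, priv, target="*"):
    """True if some entry matches the caller, grants priv and covers target."""
    return any(principal_matches(e.principal, principal)
               and priv in e.privs
               and principal_matches(e.target, target)
               for e in entries)


def k5login_allows(k5login_text, client_principal):
    """~/.k5login grants password-less access only to principals listed
    exactly, one per line."""
    return any(line.strip() == client_principal
               for line in k5login_text.splitlines()
               if line.strip() and not line.startswith("#"))


if __name__ == "__main__":
    # Constructed sample files for a local demonstration.
    acl = parse_acl("*/admin@MY.REALM  all\nhelpdesk@MY.REALM  get,list\n")
    for who in ("userA/admin@MY.REALM", "userA@MY.REALM", "helpdesk@MY.REALM"):
        print(who, "get:", acl_allows(acl, who, "get"),
              "delete:", acl_allows(acl, who, "delete"))
    print("ksu tester from userA@MY.REALM:",
          k5login_allows("userA@MY.REALM\n", "userA@MY.REALM"))
```

The interesting cases are the ones that produce the errors quoted in the post: a caller whose principal has no /admin instance matches nothing in the ACL and so lacks the `get' privilege, and a privilege field that is not one of the documented names is rejected outright by the parser rather than silently granting everything.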

