Kerberos basic questions

Craig joeblow750 at hotmail.com
Tue Mar 18 20:19:13 EST 2003


Hi, I'm new to Kerberos and have some issues.







I'm running Heimdal Kerberos on Debian and have successfully got







a KDC and client working with a PAM module for initial login. However
I'm having problems with several other things.















1. User 'tester' has a ~/.k5login which contains 'userA'







   When 'userA' types 'kinit' to get credentials, then types 'ksu
tester'







   it is prompted with tester's password (thought it would not have
needed this)    When providing tester's password, Kerberos gives the
following error:







   ksu: krb5_verify_user: No such entry in the database 















2. On the client machine I want to do some basic administration. The
kadmind







   service is running in /etc/inetd.conf and TCP wrappers allows
incoming







   requests. Simply typing kadmin, I then type list * for a list of
accounts.







   and get the following error message:







   kadmin> list *







   kadmin: get *: Operation requires `get' privilege    On the server
my /var/lib/heimdal-kdc/kdc.conf has the acl file called







   kadmind.acl . This file did not exist so I created it then added
the







   following entry:







   */admin at MY.REALM     * 















3. Lastly, I'm not entirely sure about /etc/krb5.keytab and
/etc/srvtab.    From my understanding /etc/srvtab is used only for
Kerberos IV.







   Is /etc/krb5.keytab only supposed to contain principle entries, not
normal







   accounts?







   For example, to create a user account I do







           kadmin> add userA







   And to add a principle account I do







           kadmin> add -r host/hostname







           kadmin> ext_keytab    When trying to do some remote
administration on another machine, it







   complained about a non-existing /etc/krb5.keytab . This file only
exists on







   my KDC. Should it exist on all machiens where remote administration
is







   required as well? Looking forward to some answers.















Regards, Craig


More information about the Kerberos mailing list