Kerberos basic questions
Craig
joeblow750 at hotmail.com
Tue Mar 18 20:19:13 EST 2003
Hi, I'm new to Kerberos and have some issues.
I'm running Heimdal Kerberos on Debian and have successfully got
a KDC and client working with a PAM module for initial login. However
I'm having problems with several other things.
1. User 'tester' has a ~/.k5login which contains 'userA'
When 'userA' types 'kinit' to get credentials, then types 'ksu
tester'
it is prompted with tester's password (thought it would not have
needed this) When providing tester's password, Kerberos gives the
following error:
ksu: krb5_verify_user: No such entry in the database
2. On the client machine I want to do some basic administration. The
kadmind
service is running in /etc/inetd.conf and TCP wrappers allows
incoming
requests. Simply typing kadmin, I then type list * for a list of
accounts.
and get the following error message:
kadmin> list *
kadmin: get *: Operation requires `get' privilege On the server
my /var/lib/heimdal-kdc/kdc.conf has the acl file called
kadmind.acl . This file did not exist so I created it then added
the
following entry:
*/admin at MY.REALM *
3. Lastly, I'm not entirely sure about /etc/krb5.keytab and
/etc/srvtab. From my understanding /etc/srvtab is used only for
Kerberos IV.
Is /etc/krb5.keytab only supposed to contain principle entries, not
normal
accounts?
For example, to create a user account I do
kadmin> add userA
And to add a principle account I do
kadmin> add -r host/hostname
kadmin> ext_keytab When trying to do some remote
administration on another machine, it
complained about a non-existing /etc/krb5.keytab . This file only
exists on
my KDC. Should it exist on all machiens where remote administration
is
required as well? Looking forward to some answers.
Regards, Craig
More information about the Kerberos
mailing list