Kerberos basic questions

Tue Mar 18 20:19:13 EST 2003

Hi, I'm new to Kerberos and have some issues.

I'm running Heimdal Kerberos on Debian and have successfully got

a KDC and client working with a PAM module for initial login. However
I'm having problems with several other things.

1. User 'tester' has a ~/.k5login which contains 'userA'

   When 'userA' types 'kinit' to get credentials, then types 'ksu
tester'

   it is prompted with tester's password (thought it would not have
needed this)    When providing tester's password, Kerberos gives the
following error:

   ksu: krb5_verify_user: No such entry in the database 

2. On the client machine I want to do some basic administration. The
kadmind

   service is running in /etc/inetd.conf and TCP wrappers allows
incoming

   requests. Simply typing kadmin, I then type list * for a list of
accounts.

   and get the following error message:

   kadmin> list *

   kadmin: get *: Operation requires `get' privilege    On the server
my /var/lib/heimdal-kdc/kdc.conf has the acl file called

   kadmind.acl . This file did not exist so I created it then added
the

   following entry:

   */admin at MY.REALM     * 

3. Lastly, I'm not entirely sure about /etc/krb5.keytab and
/etc/srvtab.    From my understanding /etc/srvtab is used only for
Kerberos IV.

   Is /etc/krb5.keytab only supposed to contain principle entries, not
normal

   accounts?

   For example, to create a user account I do

           kadmin> add userA

   And to add a principle account I do

           kadmin> add -r host/hostname

           kadmin> ext_keytab    When trying to do some remote
administration on another machine, it

   complained about a non-existing /etc/krb5.keytab . This file only
exists on

   my KDC. Should it exist on all machiens where remote administration
is

   required as well? Looking forward to some answers.

Regards, Craig