perl kadmin interface another one

Johannes russek johannes.russek at io-consulting.net
Tue Aug 31 09:14:37 EDT 2004


(i wrote this mail to the author of Authen::Krb5::Admin, but i didn't get
any answer yet, so i hope you guys can help me)
hello there,
i'm trying to use Authen::Krb5::Admin in my kerberos/ldap admin suite, but
while the script is written, the kadmin part is not working at all.
so i've written a small test script which looks like this:

#!/usr/bin/perl -w
use strict;

use Authen::Krb5;
use Authen::Krb5::Admin;
use Term::ReadKey;

Authen::Krb5::init_context() || die "could not initialize Kerberos context!";
Authen::Krb5::init_ets() || die "could not initialize Kerberos error table!";

# read the password with terminal echo switched off
ReadMode 2;
print "Passwort: ";
my $pass = ReadLine 0;   # plain line read; the value is used as typed, no chomp
ReadMode 0;
print "\n";

# log in to kadmind as <user>/admin with that password
my $kadmin = Authen::Krb5::Admin->init_with_password($ENV{USER}."/admin",$pass) || die "not working, dude: ",Authen::Krb5::Admin::error;

foreach ($kadmin->get_principals()) {
        print $_, "\n";
}

while i'm able to log in to kadmind with kadmin and my username/admin, and am
able to do any operations on the kadmin server, the same login
performed with perl ends up with:
duckel@serv01:~$ ./kadmintest.pl
Passwort:
not working, dude: Preauthentication failed at ./kadmintest.pl line 28, <STDIN> line 1.
while the kdc shows up with:

Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 3 1}) 80.237.203.27(88): NEEDED_PREAUTH: username/admin@IO-CONSULTING.NET for kadmin/admin@IO-CONSULTING.NET, Additional pre-authentication required
Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): preauth (timestamp) verify failure: No matching key in entry
Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 3 1}) 80.237.203.27(88): PREAUTH_FAILED: username/admin@IO-CONSULTING.NET for kadmin/admin@IO-CONSULTING.NET, Preauthentication failed

still, with kadmin tool it looks like:

Aug 25 19:44:47 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 1 3}) 80.237.203.27(88): NEEDED_PREAUTH: username/admin@IO-CONSULTING.NET for krbtgt/IO-CONSULTING.NET@IO-CONSULTING.NET, Additional pre-authentication required
Aug 25 19:44:49 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 1 3}) 80.237.203.27(88): ISSUE: authtime 1093455889, etypes {rep=16 tkt=16 ses=16}, username/admin@IO-CONSULTING.NET for krbtgt/IO-CONSULTING.NET@IO-CONSULTING.NET

so, it seems there is a difference in the etypes field, because the perl
module uses (16 3 1) while kadmin does (16 1 3).
what did i do wrong?

best regards, johannes russek
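
The two KDC log excerpts in the message above can be compared field by field. The following Python sketch is an added example, not part of the original message and not code from MIT Kerberos or Authen::Krb5::Admin; the function names and regular expressions are assumptions that cover only the AS_REQ line layout shown in this post.

```python
import re

# KDC lines copied from the message above (wrapped lines re-joined, "@" restored).
PERL_ATTEMPT = [
    "Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 3 1}) 80.237.203.27(88): NEEDED_PREAUTH: username/admin@IO-CONSULTING.NET for kadmin/admin@IO-CONSULTING.NET, Additional pre-authentication required",
    "Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): preauth (timestamp) verify failure: No matching key in entry",
    "Aug 25 19:48:39 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 3 1}) 80.237.203.27(88): PREAUTH_FAILED: username/admin@IO-CONSULTING.NET for kadmin/admin@IO-CONSULTING.NET, Preauthentication failed",
]
KADMIN_ATTEMPT = [
    "Aug 25 19:44:47 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 1 3}) 80.237.203.27(88): NEEDED_PREAUTH: username/admin@IO-CONSULTING.NET for krbtgt/IO-CONSULTING.NET@IO-CONSULTING.NET, Additional pre-authentication required",
    "Aug 25 19:44:49 serv01.io-consulting.net krb5kdc[28386](info): AS_REQ (3 etypes {16 1 3}) 80.237.203.27(88): ISSUE: authtime 1093455889, etypes {rep=16 tkt=16 ses=16}, username/admin@IO-CONSULTING.NET for krbtgt/IO-CONSULTING.NET@IO-CONSULTING.NET",
]

# Kerberos encryption type numbers as assigned in RFC 3961.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd"}

HEAD = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) \S+: ([A-Z_]+): ")
PRINCS = re.compile(r"(\S+@\S+) for (\S+@[^\s,]+)")

def parse_as_req(line):
    """Return etypes, status, client and service of one AS_REQ line, else None."""
    head = HEAD.search(line)
    princs = PRINCS.search(line, head.end()) if head else None
    if not princs:
        return None  # e.g. the "preauth (timestamp) verify failure" line
    return {"etypes": [int(n) for n in head.group(1).split()],
            "status": head.group(2),
            "client": princs.group(1), "service": princs.group(2)}

def summarize(lines):
    """Reduce one login attempt to its last AS_REQ: outcome, service, etype order."""
    reqs = [r for r in map(parse_as_req, lines) if r]
    if not reqs:
        raise ValueError("no AS_REQ line found")
    last = reqs[-1]
    return {"final_status": last["status"], "service": last["service"],
            "etypes": [ETYPE_NAMES.get(n, str(n)) for n in last["etypes"]]}

def diff_attempts(a, b):
    """Fields that differ between two attempts, and whether the etype sets are equal."""
    sa, sb = summarize(a), summarize(b)
    changed = {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}
    return changed, set(sa["etypes"]) == set(sb["etypes"])

if __name__ == "__main__":
    changed, same_set = diff_attempts(PERL_ATTEMPT, KADMIN_ATTEMPT)
    for field, (script, tool) in changed.items():
        print(f"{field}: script={script} | kadmin={tool}")
    print("same enctypes offered, only the order differs:", same_set)
```

On these lines it reports that both clients offer the same three enctypes in a different order, and that the service principal also differs: the script's request names kadmin/admin, while the logged kadmin request names krbtgt.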


