Problems with Multiple Realms on One KDC
Matt Clausen
mclausen at csit.fsu.edu
Tue Jun 8 11:22:06 EDT 2004
I'm having a bit of a mental block trying to establish multiple
realms on a single KDC. I have everything set up in my kdc.conf and
krb5.conf files, but it's as if kdb5_util isn't reading the kdc.conf file.
Here's an excerpt from my kdc.conf file:
-------------------------- /etc/krb5/kdc.conf --------------------------
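# /etc/krb5/kdc.conf -- read by krb5kdc, kadmind and kdb5_util (MIT profile
# format: full-line comments start with # or ;). One stanza per realm.
[kdcdefaults]
# Port(s) krb5kdc listens on; applies to every realm this KDC serves
kdc_ports = 88

[realms]
<realm1> = {
# NOTE(review): "profile" is not a documented kdc.conf [realms] relation
# (it is the [kdc] relation of krb5.conf); presumably ignored here.
profile = /etc/krb5/krb5.conf
# Realm 1 keeps its database files directly in /var/krb5kdc
database_name = /var/krb5kdc/principal
admin_database_name = /var/krb5kdc/principal.kadm5
admin_database_lockfile = /var/krb5kdc/principal.kadm5.lock
admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
acl_file = /var/krb5kdc/kadm5.acl
# Password-quality dictionary; the same file is shared with realm 2 below
dict_file = /var/krb5kdc/kadm5.dict
# Stash of the master key K/M. Must match the -sf path given to kdb5_util
# and be readable only by the account krb5kdc/kadmind run as.
key_stash_file = /var/krb5kdc/.k5.<realm1>
# Port kadmind listens on for this realm. The relation is kadmind_port;
# the original "kadmin_port" is not a recognised relation, so kadmind would
# ignore it and use the documented default (749) for both realms. Must
# agree with admin_server for this realm in krb5.conf (748).
kadmind_port = 748
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
# des-cbc-crc is single DES and weak; keep it only for legacy clients
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
}

<realm2> = {
# NOTE(review): see the note on "profile" in the realm 1 stanza
profile = /etc/krb5/krb5.conf
# Realm 2 keeps its database files in a per-realm subdirectory
database_name = /var/krb5kdc/<realm2>/principal
admin_database_name = /var/krb5kdc/<realm2>/principal.kadm5
admin_database_lockfile = /var/krb5kdc/<realm2>/principal.kadm5.lock
admin_keytab = FILE:/var/krb5kdc/<realm2>/kadm5.keytab
acl_file = /var/krb5kdc/<realm2>/kadm5.acl
dict_file = /var/krb5kdc/kadm5.dict
# Must match the -sf path used when kdb5_util created this realm
key_stash_file = /var/krb5kdc/<realm2>/.k5.<realm2>
# Must agree with admin_server for this realm in krb5.conf (749)
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# NOTE(review): no master_key_type / supported_enctypes here, so realm 2
# falls back to the KDC's built-in defaults rather than realm 1's des3
# settings; confirm the stash kdb5_util wrote matches what krb5kdc expects.
}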
-------------------------- /etc/krb5/kdc.conf --------------------------
Here's an excerpt from my krb5.conf file:
------------------------- /etc/krb5/krb5.conf -------------------------
# /etc/krb5/krb5.conf -- client library, KDC and PAM settings (MIT profile
# format: full-line comments start with # or ;)
[libdefaults]
# NOTE(review): bare value, no unit suffix -- confirm how this parser
# interprets it before relying on it
ticket_lifetime = 600
default_realm = <realm1>
# des-cbc-crc and des-cbc-md5 are single DES and weak; keep them only
# while legacy clients still need them
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
# Both realms are served by the same two KDCs; only the kadmin port
# differs, and it must match the per-realm port configured in kdc.conf
<realm1> = {
kdc = <kdc1>:88
kdc = <kdc2>:88
admin_server = <kdc1>:748
default_domain = csit.fsu.edu
}
<realm2> = {
kdc = <kdc1>:88
kdc = <kdc2>:88
admin_server = <kdc1>:749
default_domain = csit.fsu.edu
}

[domain_realm]
# Hosts under csit.fsu.edu are mapped to realm 1 only; realm 2 shares the
# same default_domain above but has no mapping here
.csit.fsu.edu = <realm1>
csit.fsu.edu = <realm1>

[kdc]
# Where krb5kdc, kadmind and kdb5_util look for the KDC configuration
profile = /etc/krb5/kdc.conf

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

[login]
krb4_convert = false
krb4_get_tickets = false

[appdefaults]
# NOTE(review): the pam = { block below is never closed in this excerpt
# (only the nested kinit = { block has its }); verify the real file has
# the matching } or the profile parser will see an unterminated section
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
kinit = {
forwardable = true
renewable = true
}
------------------------- /etc/krb5/krb5.conf -------------------------
I've created the database with `kdb5_util -r <realm2> -d /var/krb5kdc/<realm2>/principal -sf /var/krb5kdc/<realm2>/.k5.<realm2> create -s`.
Yet when I try to launch krb5kdc -r <realm1> -r <realm2> I get this:
krb5kdc: Cannot find/read stored master key - while fetching master key
K/M for realm <realm2>
Realm #1 works fine by itself, but when I try to bring the second one
in, that's when all the problems occur.