Missing parms in kdc.conf

bob kaladen at cox.net
Fri Nov 26 06:17:49 EST 2004


Mark Sellers wrote:
> Yes, "kadmiin" was a typo.
> 
> So I executed kdb5_util destroy, and then executed the create.  Here
> are the results (basically the same):
> 
> # kdb5_util create -s -r FOO
> Loading random data
> Initializing database '/var/lib/krb5kdc/principal' for realm 'FOO',
> master key name 'K/M at FOO'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_util: Required parameters in kdc.conf missing while initializing
> the Kerberos admin interface
> 
> # kadmin.local
> Authenticating as principal root/admin at FOO with password.
> kadmin.local: Required parameters in kdc.conf missing while
> initializing kadmin.local interface

Okay, try another kdb5_util database dump to see which principals have 
been created.

> 
> As far as config files are concerned, all look normal (at least for
> Debian) ... it seems to be finding everything in its proper location.
> I can add erroneous junk to the krb5.conf and kdc.conf files, and
> kadmin will complain (thus, I know it's finding the files).
> 
> Obviously, there's no data in the keytab file yet ... can't get that
> far.
> 
> /var/lib/krb5kdc
> -rw-------  1 root root 8.0K Nov 25 10:45 principal
> -rw-------  1 root root 8.0K Nov 25 10:45 principal.kadm5
> -rw-------  1 root root    0 Nov 25 10:45 principal.kadm5.lock
> -rw-------  1 root root    0 Nov 25 10:45 principal.ok
> 
> /etc/krb5kdc
> -rw-------  1 root root   0 Nov 22 21:26 dict
> -rw-------  1 root root  18 Nov 21 17:43 kadm5.acl
> -rw-------  1 root root 785 Nov 25 10:42 kdc.conf
> -rw-------  1 root root  30 Nov 25 10:45 stash
> 
> /etc
> -rw-r--r--  1 root root 1.3K Nov 25 10:44 krb5.conf
> -rw-------  1 root root    0 Nov 23 00:44 krb5.keytab

Everything appears okay.  kadmin.local ignores the acl file, but make 
sure the file reads:
root/admin at FOO		*

> 
> For reference, here are the config file contents (again):
> 
> --------------------------------------------------------------------
> krb5.conf
> --------------------------------------------------------------------
> 
> [libdefaults]
> default_realm = FOO
> dns_lookup_realm = false
> dns_lookup_kdc = false
> kdc_timesync = 1
> ccache_type = 4
> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
> des3-cbc-sha1 des-hmac-sha1 des-cbc-md5
> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
> des3-cbc-sha1 des-hmac-sha1 des-cbc-md5
> permitted_enctypes   = aes256-cts arcfour-hmac-md5 des3-hmac-sha1
> des3-cbc-sha1 des-hmac-sha1 des-cbc-md5
> 
> [realms]
> FOO = {
>    kdc = kerberos.FOO
>    admin_server = kerberos.FOO
>    default_domain = FOO
> }
> 
> [domain_realm]
> .FOO = FOO
> 
> [logging]
> kdc = SYSLOG:INFO:AUTH
> admin_server = SYSLOG:ERR:DAEMON
> default = SYSLOG:ERR:DAEMON

Everything appears okay here also, but let's simplify the file.  Under 
[libdefaults] get rid of everything except the default_realm.  Add foo = 
FOO and change .FOO = FOO to .foo = FOO under [domain_realm] (case is 
important).
> 
> --------------------------------------------------------------------
> kdc.conf
> --------------------------------------------------------------------
> 
> [kdcdefaults]
> 
> [realms]
> FOO = {
>    database_name = /var/lib/krb5kdc/principal
>    admin_keytab = /etc/krb5kdc/kadm5.keytab
>    acl_file = /etc/krb5kdc/kadm5.acl
>    key_stash_file = /etc/krb5kdc/stash
>    dict_file = /etc/krb5kdc/dict
>    max_life = 10h 0m 0s
>    max_renewable_life = 7d 0h 0m 0s
>    master_key_type = des3-hmac-sha1
>    supported_enctypes = des3:normal des-hmac-sha1:normal des-hmac-sha1:v4 des-cbc-md5:normal des-cbc-md5:v4 arcfour:normal arcfour:v4
>    default_principal_flags = +preauth
> }
> 
> 

Let's simplify here too.  Change supported_enctypes to 
des3-hmac-sha1:normal des-cbc-crc:normal.  Delete the 
default_principal_flags.

If the database dump does not show the additional kadmin principals I 
mentioned before, or kadmin.local still complains about kdc.conf, 
then you might want to compile Kerberos from source instead of using the 
Debian package.  Also double-check that krb5kdc and kadmind are not 
running; they are the Kerberos daemons.
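The simplification steps above, gathered into one script as an added example (not code from either poster): it writes the trimmed krb5.conf and kdc.conf the reply asks for into a scratch directory, and before anyone runs kdb5_util create it checks the one thing that is easy to get wrong by hand, that default_realm in krb5.conf and the [realms] stanza names in both files agree exactly, case included. The realm name FOO, the hostname kerberos.FOO and the /etc/krb5kdc and /var/lib/krb5kdc paths are taken from the thread; the list of keys the checker insists on in the kdc.conf stanza (database_name, admin_keytab, acl_file, key_stash_file) is an assumption of this example, chosen because those are the file parameters the posted kdc.conf sets, not a statement of what kadmin itself requires.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posters.
# Uses POSIX sh plus awk/grep/sed only, so it runs without krb5 installed.

# Write the simplified krb5.conf and kdc.conf suggested in the reply:
# [libdefaults] keeps only default_realm, [domain_realm] gains foo = FOO and
# .foo = FOO, supported_enctypes is shortened, default_principal_flags is gone.
write_simplified_configs() {    # $1 = directory to write into
    dir=$1
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = FOO

[realms]
    FOO = {
        kdc = kerberos.FOO
        admin_server = kerberos.FOO
        default_domain = FOO
    }

[domain_realm]
    foo = FOO
    .foo = FOO

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:ERR:DAEMON
    default = SYSLOG:ERR:DAEMON
EOF
    cat > "$dir/kdc.conf" <<'EOF'
[kdcdefaults]

[realms]
    FOO = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        dict_file = /etc/krb5kdc/dict
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
EOF
}

# Print the value of default_realm from the [libdefaults] section of $1.
default_realm() {
    awk '/^[ \t]*\[/ { sect = $0; sub(/^[ \t]+/, "", sect); next }
         sect == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Print the stanza names under [realms] in $1 exactly as written (case kept).
realm_stanzas() {
    awk '/^[ \t]*\[/ { sect = $0; sub(/^[ \t]+/, "", sect); next }
         sect == "[realms]" && /=[ \t]*[{][ \t]*$/ {
             name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name)
             print name }' "$1"
}

# Print the "key = value" lines inside the [realms] stanza named $2 in file $1.
realm_stanza_body() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]+/, "", sect); inside = 0; next }
        sect == "[realms]" && /=[ \t]*[{][ \t]*$/ {
            name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name)
            inside = (name == realm); next }
        inside && /^[ \t]*[}]/ { inside = 0; next }
        inside { sub(/^[ \t]+/, ""); print }' "$1"
}

# Return 0 when krb5.conf ($1) and kdc.conf ($2) agree on the realm name,
# byte for byte, and the kdc.conf stanza carries the assumed must-have keys.
check_realm_consistency() {
    krb5=$1
    kdc=$2
    realm=$(default_realm "$krb5")
    if [ -z "$realm" ]; then
        echo "no default_realm under [libdefaults] in $krb5"
        return 1
    fi
    rc=0
    realm_stanzas "$krb5" | grep -Fqx "$realm" ||
        { echo "$krb5: no [realms] stanza named $realm"; rc=1; }
    realm_stanzas "$kdc" | grep -Fqx "$realm" ||
        { echo "$kdc: no [realms] stanza named $realm (case must match)"; rc=1; }
    # Assumed key list for this example; kadmin's own requirements are not
    # claimed here.
    for key in database_name admin_keytab acl_file key_stash_file; do
        realm_stanza_body "$kdc" "$realm" | grep -Eq "^$key[[:space:]]*=" ||
            { echo "$kdc: stanza $realm lacks $key"; rc=1; }
    done
    return $rc
}
```

Source the script, call write_simplified_configs on a scratch directory, then check_realm_consistency on the two files it produced (or on the live /etc/krb5.conf and /etc/krb5kdc/kdc.conf); a non-zero exit with a message naming the stanza is the case-mismatch or missing-key the reply warns about, and it is cheaper to catch here than after kdb5_util has already written a database.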

