Solaris 10
Douglas E. Engert
deengert at anl.gov
Mon Jan 9 10:23:34 EST 2006
Rodrick Brown wrote:
> I'm trying to set up Kerberos with the default KRB5 that comes stock
> with Solaris 10. I'm running into the same problem over and over, no
> matter what system I use or how many times I start from scratch. I'm
> unable to get kadmind to start.
>
> Jan 08 14:02:41 icarus krb5kdc[18679](info): AS_REQ 10.0.0.13(0):
> CLIENT_NOT_FOUND: kadmin/icarus at PHUSNIKN.NET for krbtgt/PHUSNIKN.NET at PHUSNIKN.NET,
> Client not found in Kerberos database
> Jan 08 14:02:41 icarus krb5kdc[18679](info): DISPATCH: repeated
> (retransmitted?) request from 10.0.0.13 port
> 0, resending previous response
>
The kadmin/icarus at PHUSNIKN.NET should be kadmin/icarus.phusnikn.net at PHUSNIKN.NET
i.e. host names in Kerberos are always FQDN.
Check the hostname, and /etc/hosts to make sure the FQDN is used.
>
> Running: kinit -kt /etc/krb5/kadm5.keytab -c /tmp/krb-diag-cache.18720
> kadmin/changepw
> kinit(v5): Key table entry not found while getting initial credentials
What are you trying to do here? For the admin functions, you would normally
have a user/admin at realm principal for each administrator, and use these
for administration commands.
To get started you can use kadmin.local on the master kdc machine to administer
the database. (You have the kadmind running as a daemon?) Then you can use the kadmin
program from other machines, if you have the user/admin principals correct in
the database.
>
> Warning: kadmind not fully configured (can not get kadmin/changepw
> service principal ticket from /etc/krb5/kadm5.keytab).
>
> Use the kadmin ktadd command to add this principal to the
> /etc/krb5/kadm5.keytab keytab:
>
> ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
> Ignore this warning if this system is not a master KDC.
> -------------------------------------------------------
>
> Warning: kadmind not fully configured (can not get kadmin/icarus.phusnikn.net
> service principal ticket from /etc/krb5/kadm5.keytab).
> Ignore this warning if this system is not a master KDC.
>
>
> --- krb5.conf ---
>
> [libdefaults]
> default_realm = PHUSNIKN.NET
>
> [realms]
> PHUSNIKN.NET = {
> kdc = icarus.phusnikn.net
> admin_server = icarus.phusnikn.net
> }
>
> [domain_realm]
> .phusnikn.net = PHUSNIKN.NET
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable= true
> }
> gkadmin = {
> help_url =
> http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
> }
>
> --- kdc.conf ---
> [kdcdefaults]
> kdc_ports = 88,750
>
> [realms]
> PHUSNIKN.NET = {
> profile = /etc/krb5/krb5.conf
> database_name = /var/krb5/principal
> admin_keytab = /etc/krb5/kadm5.keytab
> acl_file = /etc/krb5/kadm5.acl
> kadmind_port = 749
> max_life = 8h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> default_principal_flags = +preauth
> sunw_dbprop_enable = true
> sunw_dbprop_master_ulogsize = 1000
> }
>
> Should I just junk SUN's implementation and use MIT's?
>
> Has anyone here successfully set up Kerberos on Solaris 10?
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
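
The FQDN check suggested in the reply above, as an added example that is not part of the original message: it reads a hosts-format file, finds the canonical (first-listed) name for a host, and prints the kadmin principal that name implies, failing when the short name is listed first. The function names and the two sample hosts files are assumptions made for this example, principals are written with `@` where the archive shows " at ", and it assumes host names are resolved from a hosts-format file.

```shell
#!/bin/sh
# Added example. Assumes host names resolve from a hosts(4)-format file, where
# the first name after the address is the canonical one. Needs a POSIX awk
# (on Solaris 10: nawk or /usr/xpg4/bin/awk).

# canonical_name HOSTS_FILE NAME -> first name on the line that lists NAME
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # skip blank or short lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $2; exit } }
    ' "$1"
}

# is_fqdn NAME -> success if NAME contains a dot and has no empty labels
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# expected_kadmin_principal HOSTS_FILE NAME REALM
# Prints kadmin/<fqdn>@REALM; returns 1 if the canonical name is a short
# name, 2 if NAME is not listed in HOSTS_FILE.
expected_kadmin_principal() {
    canon=$(canonical_name "$1" "$2")
    [ -n "$canon" ] || { echo "$2 not found in $1" >&2; return 2; }
    is_fqdn "$canon" || {
        echo "canonical name '$canon' is not an FQDN; list the FQDN first" >&2
        return 1
    }
    printf 'kadmin/%s@%s\n' "$(printf '%s' "$canon" | tr 'A-Z' 'a-z')" "$3"
}

# Constructed sample files: host and realm names come from the thread,
# the two hosts-file layouts are made up for this example.
demo_dir=$(mktemp -d)
printf '10.0.0.13 icarus icarus.phusnikn.net loghost\n' > "$demo_dir/hosts.short_first"
printf '10.0.0.13 icarus.phusnikn.net icarus loghost\n' > "$demo_dir/hosts.fqdn_first"
for f in "$demo_dir"/hosts.*; do
    printf '%s: ' "${f##*/}"
    expected_kadmin_principal "$f" icarus PHUSNIKN.NET || true
done
rm -rf "$demo_dir"
```

Point the first argument at the real /etc/hosts on the KDC to compare the result with the principal name that appears in the KDC log.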