Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC
Jeff Blaine
jblaine at kickflop.net
Wed May 17 16:42:28 EDT 2006
> Silly question time: exactly where do you think your kdc.conf
> is? I found a bunch of times that people would mistakenly
> place it in /etc, ... You could use a system call tracer to
> make sure it's reading the right file.
bash-2.05# truss -o /tmp/out kadmin.local -q "getprinc cvs/noodle.host.com"
bash-2.05# grep kdc.conf /tmp/out
stat("/export/home/krb5/var/krb5kdc/kdc.conf", 0xFFBFF250) Err#2 ENOENT
bash-2.05#
bash-2.05# truss -o /tmp/out -f /export/home/krb5/sbin/krb5kdc -n
^C
bash-2.05# grep kdc.conf /tmp/out
553: stat("/export/home/krb5/var/krb5kdc/kdc.conf", 0xFFBFF4A8) Err#2 ENOENT
553: stat("/export/home/krb5/var/krb5kdc/kdc.conf", 0xFFBFF370) Err#2 ENOENT
bash-2.05#
> and the KDC would happily start up without reading it.
And this is... okay with everyone? *scratches head*
> You forgot to append the salt here (the ":normal" part).
Yes.
> Perhaps that should be a default ... but it did tell you
> that the error was in parsing the keysalt (I dunno why
> it picks the first few letters of the enctype
> in that error message, but that's what it's doing).
The bug I was reporting was the truncated enctype error.
Well, at least my kdc.conf mystery is solved. Thanks, Ken.
*still worriedly scratching head*
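
Added example, not part of the original message or of MIT Kerberos: a shell filter that turns the manual truss/grep check above into a pass/fail test, listing each path for a given config file name that was looked up and never found. The names missing_config and sample_trace and the /etc/krb5.conf sample line are assumptions; the sample trace is constructed in the format shown in the message.

```shell
#!/bin/sh
# missing_config NAME  (reads truss output on stdin)
#   Prints each distinct path ending in NAME for which a traced call failed
#   with ENOENT and never succeeded. Returns 1 if any such path was seen,
#   0 otherwise, so it can gate a start-up or monitoring script.
missing_config() {
    awk -v name="$1" '
        # The path is the first double-quoted argument of the system call.
        match($0, /\("[^"]*"/) {
            path = substr($0, RSTART + 2, RLENGTH - 3)
            if (substr(path, length(path) - length(name) + 1) != name) next
            if ($0 ~ /Err#2 ENOENT/) {
                if (!(path in ok)) missing[path] = 1
            } else if ($0 ~ /\) *= *[0-9]/) {
                # A later successful call means the file does exist.
                ok[path] = 1
                delete missing[path]
            }
        }
        END {
            for (p in missing) { print p; found = 1 }
            exit (found ? 1 : 0)
        }
    '
}

# Constructed sample in the "truss -f" format shown in the message above.
sample_trace() {
    cat <<'EOF'
553: stat("/export/home/krb5/var/krb5kdc/kdc.conf", 0xFFBFF4A8) Err#2 ENOENT
553: open("/etc/krb5.conf", O_RDONLY) = 3
553: stat("/export/home/krb5/var/krb5kdc/kdc.conf", 0xFFBFF370) Err#2 ENOENT
EOF
}

# Demo: the daemon looked for kdc.conf only at a path where it does not exist,
# which means it is running on compiled-in defaults.
sample_trace | missing_config kdc.conf ||
    echo "kdc.conf was not found at the path(s) listed above"
```

On a live system the input would be the file written by truss -o, for example: missing_config kdc.conf < /tmp/out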