Migrating a Kerberos Realm

Edward Murrell edward at dlconsulting.com
Tue Nov 21 21:04:34 EST 2006


Hmm, yes, diagnostics would be helpful wouldn't they.  :P
OK, so things have progressed slightly.
First mistake was finding EXAMPLE.COM in one of my addprincs, and
following your advice, and someone else noting that quite possibly two
different encryption types were in use here, I've deleted the two
principals on each realm and run the following on each;

kadmin.local:  addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/OFFICE at DLCONSULTING.COM
kadmin.local:  addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/DLCONSULTING.COM at OFFICE

I also checked clock skew, just in case that was a problem, but openntpd
is doing its job very well (< 3 seconds difference).

Now I get a string of errors like this;
Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/atlas at OFFICE, Key table entry not found
Nov 22 14:57:56 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/atlas at OFFICE, Key table entry not found

(atlas being the host I am trying to log in to - Yes, I know that atlas
as the host name is very silly, but it does work for the moment due to
careful DNS wizardry, and an external properly defined host shows
exactly the same errors. I will start using proper fqdns as part of this
process)

As an added wrinkle, trying to log in to the kdc via kadmin gives me the
following errors and kdc log entries;

edward at black ~ $ kadmin -s becks -p edward/admin at DLCONSULTING.COM
Authenticating as principal edward/admin at DLCONSULTING.COM with password.
Password for edward/admin at DLCONSULTING.COM:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: edward/admin at DLCONSULTING.COM for kadmin/atlas.office at DLCONSULTING.COM, Server not found in Kerberos database
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: edward/admin at DLCONSULTING.COM for kadmin/admin at DLCONSULTING.COM, Additional pre-authentication required
Nov 22 15:02:51 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, edward/admin at DLCONSULTING.COM for kadmin/admin at DLCONSULTING.COM

I can actually kinit with both my edward at DLCONSULTING.COM and
edward/admin at DLCONSULTING.COM principals though - so now I'm just plain
confused.

Can anyone help?

Cheers
Edward

Ken Hornstein wrote:
>> addprinc -requires_preauth krbtgt/OFFICE at COMPANY.COM
>> addprinc -requires_preauth krbtgt/COMPANY.COM at OFFICE
>>
>>
>> And er... it doesn't work. Did I miss something?
>>     
>
> Well, there are a few things you are missing.  Like, for one ... you
> say it doesn't work.  Well, what happens?  Do you have an error message?
> Any diagnostics at all?
>
> First off ... are you really sure about the -requires_preauth flag?  I
> am 95% sure you don't want it.  (I know that documentation you list shows
> that; I am frankly rather surprised that it does, as I can think of only
> a few reasons why you would want that, and a whole bunch why you wouldn't).
> I doubt that's the real problem, though.
>
> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>   
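To triage KDC output like the entries quoted in this thread, here is an added Python example (not from the original post, and not part of MIT Kerberos): it parses krb5kdc AS_REQ/TGS_REQ lines into fields, names the enctype the KDC actually issued the ticket with, and groups failures by service principal so cross-realm requests stand out. The sample lines are constructed from the post with the archive's " at " written as "@", and the KDC's own realm is assumed to be DLCONSULTING.COM.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the krb5kdc entries in the post; the list
# archive prints "@" as " at ", here written with a real "@" (assumption).
SAMPLE_LOG = """\
Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/atlas@OFFICE, Key table entry not found
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: edward/admin@DLCONSULTING.COM for kadmin/atlas.office@DLCONSULTING.COM, Server not found in Kerberos database
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM, Additional pre-authentication required
Nov 22 15:02:51 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM
"""

# Standard Kerberos encryption type numbers (RFC 3961/3962/4757) seen in the post's etype lists.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
REST_RE = re.compile(
    r"^(?:authtime \d+,\s*)?(?:etypes \{(?P<issued>[^}]*)\},\s*)?"
    r"(?P<client><unknown client>|\S+) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$")

def parse_kdc_line(line):
    """Return a dict for one krb5kdc AS_REQ/TGS_REQ line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    r = REST_RE.match(m.group("rest")) if m else None
    if not r:
        return None
    rec = {k: m.group(k) for k in ("ts", "kdc", "req", "ip", "status")}
    rec["client_etypes"] = [int(e) for e in m.group("etypes").split()]  # enctypes the client offered
    rec["client"], rec["server"], rec["msg"] = r.group("client"), r.group("server"), r.group("msg")
    rec["server_realm"] = rec["server"].rsplit("@", 1)[-1]
    # On ISSUE lines "tkt=16" is the enctype the KDC really used for the ticket, whatever was offered.
    issued = dict(kv.split("=") for kv in (r.group("issued") or "").split())
    rec["ticket_etype"] = ETYPE_NAMES.get(int(issued["tkt"])) if "tkt" in issued else None
    return rec

def summarize(log_text, kdc_realm="DLCONSULTING.COM"):
    """Count non-ISSUE outcomes by (status, server principal); list service principals in other realms."""
    failures, foreign = Counter(), []
    for rec in filter(None, map(parse_kdc_line, log_text.splitlines())):
        if rec["status"] != "ISSUE":
            failures[(rec["status"], rec["server"])] += 1
        if rec["server_realm"] != kdc_realm:  # a cross-realm service principal reached this KDC
            foreign.append(rec["server"])
    return failures, foreign
```

Run over the post's lines, the summary shows the TGS failure is the only request for a principal outside the KDC's realm, and that the kadmin ticket was issued with des3-cbc-sha1 although aes256 was offered first.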