kadmin problem

Jeremy Thomas Hunt jeremyh at optimation.com.au
Wed Feb 14 01:56:27 EST 2007


Scotty,

From your entry in the kdc.log it looks to me like you do have a valid 
admin principal and your password is correct, so I am guessing your 
permissions for that principal are wrong.

Look in your /krb5/var/krb5kdc/kadm5.acl file on the kerberos master, to 
see if the principal you are using has any admin privileges.

If you do not find this file there, see if its location is defined in 
your kdc.conf file, which can also be found in the /krb5/var/krb5kdc
directory.

If you do not have a kadm5.acl file, then create it - but first make 
sure it is not defined as being somewhere else in your kdc.conf. If it 
is defined as being somewhere else, then you will be wasting your time 
creating and editing a new one.

The next step is to check if your principal, or a class of principals 
which your principal belongs to is defined in this file. If you do find 
a match then you need to see if you have the correct permissions for an 
administrator.

Read the man page for kadm5.acl, but to get you started, if you do not 
find a match then you could try entering
scotty/admin@SCOTTY.COMPANY.COM *
which should give your principal all privileges for all domains 
controlled by that kerberos master. After you have understood the man 
page you may want to generalise this entry or prune its permissions.

Another gotcha to watch out for: I suspect you have to stop and start the 
kadmind process on the security server each time you change the 
kadm5.acl file.

By the way, you do have the kadmind process running on your security 
server, don't you?

I hope this all helps you in any case.

Cheers,

Jeremy

scotty adams wrote:
>
> Hi,
>
> Here is the log line found under kdc.log
>
> Feb 11 15:50:50 scotty krb5kdc[17623](info): AS_REQ 192.168.1.12(88): ISSUE: authtime 1171216250, scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.company.com@SCOTTIE.COMPANY.COM
>
> Times on both servers are identical
> Pls advise
>
> Thanks,
> scotty
>
> Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>> Then what is the problem???
>> How can it be solved? i am really stuck
>
> Sigh.  If nothing useful appears in kadmind or kdc logs ... well, the only
> way I know of to debug this problem is to run kadmin under the debugger
> and trace down the problem.  One thing comes to mind: it looks like you
> have NAT involved somewhere.  kadmin doesn't work from behind a NAT.
>
> --Ken
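The ACL check Jeremy describes (does an entry match your principal, and does it carry the right privileges), as an added Python example that is not from the thread or from MIT Kerberos: it parses a constructed kadm5.acl and reports what a given principal is granted. It assumes simplified semantics: the first matching entry wins, '*' matches one principal component or the realm, and an entry's target field is checked only when a target is supplied.

```python
"""Check what an MIT-style kadm5.acl grants to a principal (added example).
Assumed, simplified semantics: entries are tried in file order and the first
match wins; '*' matches one whole principal component (or the realm)."""
# Constructed sample ACL in the thread's realm, not a file from the list.
SAMPLE_ACL = """\
readonly@SCOTTY.COMPANY.COM       il
scotty/admin@SCOTTY.COMPANY.COM   adilc         host/*@SCOTTY.COMPANY.COM
*/admin@SCOTTY.COMPANY.COM        *
"""
ALL_PRIVS = frozenset("adilmcpse")  # letters from kadm5.acl(5); 'x' or '*' = all

def parse_acl(text):
    """Yield (principal_pattern, permissions, target_pattern_or_None) per entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl entry: {raw!r}")
        yield fields[0], fields[1], (fields[2] if len(fields) > 2 else None)

def principal_matches(pattern, principal):
    """Component-wise match of 'primary/instance@REALM'; '*' matches a component."""
    pat_name, _, pat_realm = pattern.partition("@")
    name, _, realm = principal.partition("@")
    if pat_realm not in ("*", realm):
        return False
    pat_parts, parts = pat_name.split("/"), name.split("/")
    if len(pat_parts) != len(parts):  # scotty@R does not match */admin@R
        return False
    return all(p in ("*", q) for p, q in zip(pat_parts, parts))

def expand_perms(perms):
    """Lowercase letters grant, uppercase letters deny, 'x' or '*' grants all."""
    granted = set(ALL_PRIVS) if ("*" in perms or "x" in perms) else set()
    granted |= {c for c in perms if c in ALL_PRIVS}
    granted -= {c.lower() for c in perms if c.isupper()}
    return frozenset(granted)

def privileges_for(acl_text, principal, target=None):
    """Privileges from the first matching entry (empty if none); target checked only if given."""
    for pat, perms, tgt in parse_acl(acl_text):
        if not principal_matches(pat, principal):
            continue
        if target and tgt and not principal_matches(tgt, target):
            continue
        return expand_perms(perms)
    return frozenset()
```

Entry order matters under first-match evaluation: a broad */admin line placed above a narrower one would silently shadow it, which is worth checking when pruning permissions as the message suggests.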