kadmin problem

scotty adams scotty.adams at yahoo.com
Tue Feb 20 07:40:03 EST 2007


Hi marcus,

My getprinc for  HTTP/scotty.SCOTTIE.COMPANY.COM at SCOTTIE.COMPANY.COM

kadmin.local:  getprinc  HTTP/scotty.SCOTTIE.COMPANY.COM at SCOTTY.COMPANY.COM
Principal: HTTP/scotty.SCOTTIE.COMPANY.COM at SCOTTIE.COMPANY.COM
Expiration date: [never]
Last password change: Sun Feb 18 10:00:03 GMT 2007
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Sun Feb 18 10:00:03 GMT 2007 (HTTP/admin at BEIRUT.NAVLINK.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 6, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

So can you please tell me where to find whether preauth has been turned off?

Thanks,
Scotty


Marcus Watts <mdw at umich.edu> wrote:
> Hi Marcus,
> 
> When I use
> 
> 
> 
> Then try to kinit 
> it prompts incorrect password
> then I should change the password so that it works, but I guess upon changing the password
> the princ is being modified again... thus I guess that the
> -requires_preauth isn't set anymore...
> Can you please advise me how to make this work since kdc.log is still showing Preauthentication failed
> 
> Thanks,
> Scotty

cpw should not change REQUIRES_PRE_AUTH .

When you do "getprinc", is that bit set?

If it is, you should figure out what's happening between modprinc and
the database.  modprinc should be able to turn that bit off.  If you
can't get modprinc to turn that bit off, then your copy of kadmin.local
is doing odd stuff.  It might be gdb time, if you have source to
whatever you're running.

If it's not set, and you still get "preauthentication failed" in the
log, then perhaps your kdc & your kadmin.local aren't seeing the same
database.  This would be hard to do, but not impossible; you can use
"lsof" on your running kdc & kadmin.local to see what they're each
looking at.  You might try restarting things if they're looking at
different stuff.  Another possibility is that your kinit binary is
trying to initiate preauth.  This can be best diagnosed by analyzing
the packet traffic; see previous mail for how to do that.  Otherwise
your kdc has very odd ideas about what to do with what's in the
database.  It might be gdb time, if you have source to whatever you're
running.  Knowing what's in the packet traffic will help focus your
gdb efforts; you'll want to pay particular attention to the padata
elements.

Two other things you could try:

Pick an unused principal name, do "ank -randkey " followed by "cpw ".
That should create a principal that does not
have REQUIRES_PRE_AUTH set, even if your kdc.conf requires that preauth
be turned on.

Edit ... kdc.conf and see if there are lines that read
"default_principal_flags = +preauth" or some such.  If you see these,
comment them out, stop & start all k5 services, & retry what you did.

    -Marcus Watts
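
An added example, not part of the original thread: the two checks discussed above (whether REQUIRES_PRE_AUTH appears on the "Attributes:" line of getprinc output, and whether kdc.conf sets default_principal_flags) done over pasted text. The function names and both sample inputs are constructed for illustration; an empty "Attributes:" line, as in the getprinc output quoted in the post, means no flags are set on the principal.

```python
import re

# Constructed samples in the getprinc layout shown in the post (not real principals).
GETPRINC_FLAG_SET = """\
Principal: HTTP/host.example.com@EXAMPLE.COM
Number of keys: 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""
GETPRINC_FLAG_UNSET = GETPRINC_FLAG_SET.replace(" REQUIRES_PRE_AUTH", "")

# Constructed kdc.conf fragment with one commented-out and one active setting.
KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        # default_principal_flags = -preauth
        default_principal_flags = +preauth, -postdateable
    }
"""

def principal_attributes(getprinc_text):
    """Return the set of flag names on the 'Attributes:' line (empty if none)."""
    for line in getprinc_text.splitlines():
        if line.startswith("Attributes:"):
            return set(line[len("Attributes:"):].split())
    raise ValueError("no 'Attributes:' line in getprinc output")

def requires_preauth(getprinc_text):
    """True when the principal itself carries REQUIRES_PRE_AUTH."""
    return "REQUIRES_PRE_AUTH" in principal_attributes(getprinc_text)

def default_flags(kdc_conf_text):
    """Map flag name -> enabled? from uncommented default_principal_flags lines."""
    flags = {}
    for raw in kdc_conf_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):      # whole-line comments are ignored
            continue
        m = re.match(r"default_principal_flags\s*=\s*(.*)", line)
        if not m:
            continue
        for tok in re.split(r"[,\s]+", m.group(1).strip()):
            if tok and tok[0] in "+-":       # '+' enables, '-' disables
                flags[tok[1:]] = (tok[0] == "+")
    return flags

if __name__ == "__main__":
    print("flag set on principal:", requires_preauth(GETPRINC_FLAG_SET))
    print("flag set on principal:", requires_preauth(GETPRINC_FLAG_UNSET))
    print("kdc.conf defaults:", default_flags(KDC_CONF))
```
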




 