Problems with kadmind, kpasswd and cross-realm authentication
Anthony Brock
brocka at sterlingcgi.com
Wed Sep 5 16:58:10 EDT 2007
> -----Original Message-----
> Anthony Brock <brocka at sterlingcgi.com> wrote:
> > No, the entire network is on a single, private IP address range. In
> > fact, I'm trying these particular commands on the same host that
> > kadmind is running on. However, the behavior is identical from a
> > remote host.
>
> Does kpasswd work on the KDC itself for each of the realms? If it
> doesn't work on the KDC, it's not likely to work anywhere else.
kpasswd doesn't work on the KDC. It only works for the initial realm even
when the kpasswd command is issued on the KDC. That's why I'm a little
baffled as to how to proceed. I've read the following in the kadmind man
page:
kdc.conf
    The KDC configuration file contains configuration information for
    the KDC and the KADM5 system. Kadmind understands a number of variable
    settings in this file, some of which are mandatory and some of which are
    optional. See the CONFIGURATION VALUES section below.

keytab
    Kadmind requires a keytab containing correct entries for
    the kadmin/admin and kadmin/changepw principals for every realm that
    kadmind will answer requests for. The keytab can be created with the
    kadmin(8) client. The location of the keytab is determined by the
    admin_keytab configuration variable (see CONFIGURATION VALUES).
An excerpt of these files is listed below, as well as the cross-realm krbtgt
principals I've created. I'm hoping that I have missed something obvious in
the configuration.
Tony
# klist -k FILE:/etc/krb5kdc/kadm5.keytab | egrep 'STERLINGCGI.COM|SCGROUP.ORG'
3 kadmin/admin at SCGROUP.ORG
3 kadmin/admin at SCGROUP.ORG
3 kadmin/changepw at SCGROUP.ORG
3 kadmin/changepw at SCGROUP.ORG
3 kadmin/admin at STERLINGCGI.COM
3 kadmin/admin at STERLINGCGI.COM
3 kadmin/changepw at STERLINGCGI.COM
3 kadmin/changepw at STERLINGCGI.COM
# kadmin -p brocka/admin
Authenticating as principal brocka/admin with password.
Password for brocka/admin at SCGROUP.ORG:
kadmin: listprincs */SCGROUP.ORG@*
krbtgt/SCGROUP.ORG at SCGROUP.ORG
krbtgt/SCGROUP.ORG at STERLINGCGI.COM
kadmin:
*** BEGIN /etc/krb5kdc/kdc.conf ***
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    SCGROUP.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

    STERLINGCGI.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
*** END /etc/krb5kdc/kdc.conf ***
*** BEGIN /etc/krb5.conf ***
[libdefaults]
    default_realm = SCGROUP.ORG
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    SCGROUP.ORG = {
        kdc = auth1.scgroup.org
        kdc = auth2.scgroup.org
        admin_server = auth1.scgroup.org
    }
    STERLINGCGI.COM = {
        kdc = auth1.scgroup.org
        kdc = auth2.scgroup.org
        admin_server = auth1.scgroup.org
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false
*** END /etc/krb5.conf ***
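The kadmind man page quoted in this message says the admin keytab must hold kadmin/admin and kadmin/changepw for every realm kadmind serves. The following is an added example, not code from this thread or from MIT Kerberos, that checks exactly that: it reads the realm names out of a kdc.conf [realms] section and compares them against `klist -k` output. Both inputs here are constructed samples shaped like the ones posted above (real klist prints `@`, which the list archive rewrites as ` at `; the parser accepts either), and the sample keytab is deliberately missing one changepw key.

```python
import re

# Constructed sample kdc.conf, same shape as the one posted above
# (only the keys the check needs are kept).
KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    SCGROUP.ORG = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    }
    STERLINGCGI.COM = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    }
"""

# Constructed sample `klist -k` output; kadmin/changepw@STERLINGCGI.COM
# is intentionally absent so the check has something to report.
KLIST_K = """Keytab name: FILE:/etc/krb5kdc/kadm5.keytab
KVNO Principal
---- ------------------------------------------------
   3 kadmin/admin@SCGROUP.ORG
   3 kadmin/admin@SCGROUP.ORG
   3 kadmin/changepw@SCGROUP.ORG
   3 kadmin/admin@STERLINGCGI.COM
"""

REQUIRED = ("kadmin/admin", "kadmin/changepw")  # per kadmind(8)

def realms_in_kdc_conf(text):
    """Realm names declared at the top level of the [realms] section."""
    realms, in_realms, depth = [], False, 0
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):            # new section header
            in_realms, depth = (line == "[realms]"), 0
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{", line)
        if in_realms and depth == 0 and m:  # ignore nested sub-blocks
            realms.append(m.group(1))
        depth += line.count("{") - line.count("}")
    return realms

def principals_in_keytab(text):
    """Set of principals in `klist -k` output, normalised to name@REALM."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+?)(?:@| at )(\S+)\s*$", line)
        if m:                               # skip header/separator lines
            found.add(f"{m.group(1)}@{m.group(2)}")
    return found

def missing_admin_keys(kdc_conf, klist_output):
    """(realm, principal) pairs kadmind needs but the keytab lacks."""
    have = principals_in_keytab(klist_output)
    return [(realm, f"{name}@{realm}")
            for realm in realms_in_kdc_conf(kdc_conf)
            for name in REQUIRED
            if f"{name}@{realm}" not in have]

if __name__ == "__main__":
    for realm, princ in missing_admin_keys(KDC_CONF, KLIST_K):
        print(f"{realm}: admin keytab is missing {princ}")
```

Against a live system, feed it the real kdc.conf and the output of `klist -k` on the keytab named by admin_keytab instead of the embedded samples.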