Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Wed Sep 5 16:58:10 EDT 2007


> -----Original Message-----
> Anthony Brock <brocka at sterlingcgi.com> wrote:
> > No, the entire network is on a single, private IP address range. In
> > fact, I'm trying these particular commands on the same host that
> > kadmind is running on. However, the behavior is identical from a
> > remote host.
>
> Does kpasswd work on the KDC itself for each of the realms?  If it
> doesn't work on the KDC, its not likely to work anywhere else.

kpasswd doesn't work on the KDC. It only works for the initial realm even
when the kpasswd command is issued on the KDC. That's why I'm a little
baffled as to how to proceed. I've read the following in the kadmind man
page:

kdc.conf  The  KDC  configuration file contains configuration information for
the KDC and the KADM5 system.   Kadmind  understands  a number of variable
settings in this file, some of which are mandatory and  some  of which  are
optional.  See the CONFIGURATION VALUES section below.

keytab    Kadmind  requires  a  keytab   containing   correct entries  for
the  kadmin/admin and kadmin/changepw principals for every realm that
kadmind will answer requests  for.   The keytab can be created with the
kadmin(8) client.  The location of  the  keytab  is determined  by the
admin_keytab configuration variable (see CONFIGURATION VALUES).


An excerpt of these files is listed below, as well as the cross-realm krbtgt
principals I've created. I'm hoping that I have missed something obvious in
the configuration.

Tony


# klist -k FILE:/etc/krb5kdc/kadm5.keytab | egrep 'STERLINGCGI.COM|SCGROUP.ORG'
   3 kadmin/admin at SCGROUP.ORG
   3 kadmin/admin at SCGROUP.ORG
   3 kadmin/changepw at SCGROUP.ORG
   3 kadmin/changepw at SCGROUP.ORG
   3 kadmin/admin at STERLINGCGI.COM
   3 kadmin/admin at STERLINGCGI.COM
   3 kadmin/changepw at STERLINGCGI.COM
   3 kadmin/changepw at STERLINGCGI.COM

# kadmin -p brocka/admin
Authenticating as principal brocka/admin with password.
Password for brocka/admin at SCGROUP.ORG:
kadmin:  listprincs */SCGROUP.ORG@*
krbtgt/SCGROUP.ORG at SCGROUP.ORG
krbtgt/SCGROUP.ORG at STERLINGCGI.COM
kadmin:


*** BEGIN /etc/krb5kdc/kdc.conf ***
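[kdcdefaults]
    # 88 is the Kerberos 5 port; 750 is the legacy Kerberos 4 port and is only
    # needed while v4 clients (see the krb4_* settings in krb5.conf) remain.
    kdc_ports = 750,88

[realms]
    # NOTE(review): both realm stanzas below share one database_name, one
    # key_stash_file, one acl_file and one admin_keytab. Each realm normally
    # gets its own database and stash file, and a shared kadm5.acl means the
    # same administrative grants apply in both realms -- confirm this sharing
    # is intended.
    # NOTE(review): whether one kadmind process answers kadmin/changepw for
    # both realms depends on the kadmind version; if it only serves its
    # default realm, kpasswd for the second realm fails even on the KDC. A
    # per-realm kadmind (kadmind -r REALM) is the usual remedy -- verify.
    SCGROUP.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        # ticket lifetime 10 hours, renewable for up to 7 days
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        # Keep this value on ONE line: the profile format has no line
        # continuation, so a wrapped value is not parsed as intended.
        # des-cbc-crc and the des:* entries are 56-bit single DES (des is an
        # alias for des-cbc-crc); they are weak and exist only for krb4/AFS
        # interop -- drop them once legacy clients are gone so that new keys
        # are no longer generated with them.
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        # +preauth: new principals require pre-authentication, so an AS-REQ
        # without a valid encrypted timestamp gets no AS-REP to guess against.
        default_principal_flags = +preauth
    }
    STERLINGCGI.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        # ticket lifetime 10 hours, renewable for up to 7 days
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        # Keep this value on ONE line (see the SCGROUP.ORG stanza above).
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        # +preauth: new principals require pre-authentication.
        default_principal_flags = +preauth
    }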
*** END /etc/krb5kdc/kdc.conf ***

*** BEGIN /etc/krb5.conf ***
[libdefaults]
        # realm assumed for principal names given without @REALM
        default_realm = SCGROUP.ORG

        # Kerberos 4 compatibility; legacy only, remove with the last v4 client
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        # NOTE(review): every initial ticket is obtained forwardable and
        # proxiable by default, i.e. delegable to any service that asks;
        # confirm that blanket delegation is wanted rather than per-client.
        forwardable = true
        proxiable = true

        # v4 name conversion rules (krb4 interop only)
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        # repeated kdc lines accumulate into a list of KDCs for the realm;
        # admin_server is where kadmin and kpasswd are sent
        SCGROUP.ORG = {
                kdc = auth1.scgroup.org
                kdc = auth2.scgroup.org
                admin_server = auth1.scgroup.org
        }
        # NOTE(review): same KDCs and the same admin_server as SCGROUP.ORG, so
        # kpasswd for this realm reaches the very kadmind serving the other
        # realm -- confirm that kadmind is configured to answer for both.
        STERLINGCGI.COM = {
                kdc = auth1.scgroup.org
                kdc = auth2.scgroup.org
                admin_server = auth1.scgroup.org
        }

[login]
        # krb4 ticket handling for login; legacy only
        krb4_convert = true
        krb4_get_tickets = false
*** END /etc/krb5.conf ***



