CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

Damo Gets dgetsman at amirehab.net
Wed Mar 19 17:09:23 EDT 2008


I am currently attempting to set up a Kerberos primary server on a
machine running CentOS4 to serve a WAN that I am working on.  I've
been using the Red Hat Enterprise Linux 4 Reference Guide (in .pdf
format) to do so.  It's served me far better than any of the other
FAQs that I've used on previous failed attempts to get Kerberos
running on other systems.

I have got the servers running with seemingly nothing wrong already.
I used the example krb5.conf and kdc.conf files to create ones that
parsed with no errors.  I created a key database with no issues using
the '/usr/kerberos/sbin/kdb5_util create -s' command.  I created
kadm5.acl with appropriate administrators specified and added an
administrator account with '/usr/kerberos/sbin/kadmin.local -q
"addprinc username/admin"'.  I started the three daemons, also with no
issues with the following invocation:
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

I then used kinit, klist, and kdestroy to verify that under my account
I could create, view, and destroy a ticket properly.

So the next step is, I get all of the client software and dependencies
installed on another machine on the network that I want to connect
from using Kerberos auth.  That's all installed correctly on an Ubuntu
7.10 machine that I'm currently on.

Next is to create a host principal for my Ubuntu machine stored on the
KDC host.  THIS is where I'm running into the issue.

When I execute 'kadmin addprinc -randkey host/blah.example.com' I
receive the following error:
Authenticating as principal root/admin at andkey with password.
kadmin: Missing parameters in krb5.conf required for kadmin client
while initializing kadmin interface

I don't know what is causing this, but I have a few ideas.  First of
all, I was thinking that it might be that I didn't know what 'host'
and 'blah.example.com' were supposed to be.  So I've tried
linuxX.mydomain.net/kdc.mydomain.net, linuxX/mydomain.net, myadmin/
linuxX.mydomain.net, and every other variation that I could think of.
The documentation in section 19.6 at that point isn't as good as I'd
like it to be.  So it could be that I'm trying to invoke it wrong.

If not that, I have a few other ideas...  Second was that the host
name for the Ubuntu machine will not resolve from the primary KDC.  To
get around this I added an /etc/hosts entry for my machine.  If this
doesn't work I'm ready to tackle BIND in order to get this WAN
resolving properly internally.  Third and finally was that I have just
made an error that I can't figure out in the krb5.conf, but I
transcribed straight from the example that is supposed to work out of
the box, swapping only the domains and realms to make them
applicable.  I want to get it running like this before I try any
further tweaking.

Can anybody assist me with a pointer in the right direction on this?
I would be very grateful.
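
Added example, not part of the original post: the quoted error output gives the realm as "andkey", which is what a permuting getopt yields when "-randkey" is read as "-r andkey". The sketch below reproduces that parse and checks whether the resulting realm has an admin_server entry, one of the settings the kadmin client needs; the option string and the sample krb5.conf are constructed assumptions.

```python
import getopt
import re

# Assumed subset of kadmin's argument-taking options (-r realm, -p principal,
# -q query, ...); the exact option string is not taken from the page.
KADMIN_OPTSTRING = "r:p:q:s:c:t:w:"

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
"""

def realm_settings(conf, realm):
    """Return the key/value pairs of `realm`'s block under [realms]."""
    section = re.search(r"^\[realms\]\s*$(.*?)(?=^\[|\Z)", conf, re.M | re.S)
    if not section:
        return {}
    block = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                      section.group(1), re.M | re.S)
    if not block:
        return {}
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", block.group(1), re.M))

def diagnose(argv, conf=SAMPLE_CONF):
    """Return (realm kadmin would use, leftover words, missing realm keys)."""
    # gnu_getopt permutes like glibc getopt: options are picked up even after
    # a non-option word, so "-randkey" parses as "-r" with argument "andkey".
    opts, leftover = getopt.gnu_getopt(argv, KADMIN_OPTSTRING)
    default = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf, re.M)
    realm = dict(opts).get("-r", default.group(1) if default else None)
    settings = realm_settings(conf, realm) if realm else {}
    missing = [key for key in ("admin_server",) if key not in settings]
    return realm, leftover, missing

if __name__ == "__main__":
    # Invocation as typed in the post: the realm comes out as "andkey".
    print(diagnose(["addprinc", "-randkey", "host/blah.example.com"]))
    # Same request passed as one -q query string, as done with kadmin.local.
    print(diagnose(["-p", "username/admin",
                    "-q", "addprinc -randkey host/blah.example.com"]))
```

Quoting the whole request behind -q keeps "-randkey" inside the query string, so the realm falls back to default_realm.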


