CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

Wed Mar 19 18:02:22 EDT 2008

In regard to: CentOS attempting to set up Kerberos 5-tickets created &...:

> I started the three daemons, also with no
> issues with the following invocation:
> /sbin/service krb5kdc start
> /sbin/service kadmin start
> /sbin/service krb524 start

It's very unlikely that you will ever need krb524.  I recommend you
disable that.

> I then used kinit, klist, and kdestroy to verify that under my account
> I could create, view, and destroy a ticket properly.

Can you do the same from a separate client, once you've set up the
krb5.conf on that client to contain the necessary realms section and
possibly the default_realm?

> So the next step is, I get all of the client software and dependencies
> installed on another machine on the network that I want to connect
> from using kerberos auth.  That's all installed correctly on a Ubuntu
> 7.10 machine that I'm currently on.
>
> Next is to create a host principal for my Ubuntu machine stored on the
> KDC host.  THIS is where I'm running into the issue.
>
> When I execute 'kadmin addprinc -randkey host/blah.example.com' I
> receive the following error:
> Authenticating as principal root/admin at andkey with password.

As Ken has pointed out, you're mixing syntaxes.  You can either

 	kadmin -p username/admin -q 'addprinc -randkey host/your.clients.fqdn'

or

 	kadmin -p username/admin

and then run the rest of the command within kadmin.

> kadmin: Missing parameters in krb5.conf required for kadmin client
> while initializing kadmin interface

On your client system, what you probably want to do is something like:

 	sudo kadmin -p username/admin

(where username is whatever user account you previously created).  If
that works, your client has enough information to connect to the kadmind
that's running on your KDC.

If it works, you'll be at a prompt.  From there you can do

 	addprinc -randkey host/your.clients.fqdn

Note that the "host" is literal -- it's not to be replaced with something
else.  It's the type of principal that many of the krb5-workstation
daemons look for (ftpd being an exception).

Once that's done, you need to extract the principal into a local keytab.
You do that via ktadd, still within admin.  That's why I recommended
"sudo" in front of your kadmin auth -- you'll have permission to write
to /etc/krb5.keytab.

So, still within kadmin, you type

 	ktadd -k /etc/krb5.keytab host/your.clients.fqdn

The '-k /etc/krb5.keytab' probably isn't needed, but doesn't hurt.

Once that's done, you can exit from kadmin, and your client now has what
it needs for you to be able to run the Kerberized daemons from the
krb5-workstation package.  You should be able to do something like

 	sudo chkconfig xinetd on
 	sudo chkconfig eklogin on
 	sudo service xinetd start

If you kinit from somewhere else, you should then be able to do

 	/usr/kerberos/bin/rlogin -x your.clients.fqdn

and get in without being prompted for a password.

> If not that, I have a few other ideas...  Second was that the host
> name for the ubuntu machine will not resolve from the primary KDC.

That's a problem, but it's not what's causing your current issue.
It will definitely be an issue down the road.

>  To
> get around this I added an /etc/hosts entry for my machine.

That's enough, as long as nsswitch.conf on the KDC is right.

Tim
-- 
Tim Mooney                              mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164