Kerberos V5 on Ubuntu 7.10 server
Damon Getsman
dgetsman at amirehab.net
Wed Mar 26 15:52:49 EDT 2008
Last week and this Monday I was working on finalizing a KerberosV5 setup
with the primary server/KDC on a CentOS4.0 machine, utilizing Ubuntu 7.10 on
a different station as a test client. Unfortunately, as I was fixing a few
problems in my KDC's keytab which should have had my systems running without
problem, the CentOS station crashed and I ended up losing all of the
configuration that I had wrestled with for that time.
I decided to do everything on my Ubuntu workstation as a result. I'm
keeping Ubuntu as the server and I'll probably make a VMWare machine on the
same physical computer to test client applications from once I've got the
server configuration working properly.
However, I have run into the following problems: first of all, the Ubuntu
rpms are not named the same as in the guide that took me fairly easily
through installation and configuration last time (a RedHat pdf manual with
Chapter 19 dedicated to Kerberos-- unfortunately I don't have the exact name
available, that was lost in the crash). Previously I knew that I needed the
'krb5-libs', 'krb5-server', and 'krb5-workstation' packages installed on my
server for the appropriate utilities. I installed the Ubuntu ones which I
believe correspond to these, and the appropriate utilities don't seem to be
missing, so I think this is not such a problem as an inconvenience which I
have worked around.
Also the installation problems are in completely different areas than the
manuals I'm using are talking about. I.e., krb5.conf is in /etc, but kdc.conf,
instead of being in /var/kerberos/krb5/kdc/, is in /etc/krb5kdc. Also the
/var/kerberos/krb5kdc files are in /var/lib/krb5kdc. I assumed that the
installed binaries and their associated config files would be pointing them
in the right directions for these changes, but I've had to manually change
one of them so far, so I know it's not perfect. Not sure if this is part of
my problem or not.
I had to generate the kadm5.keytab file by hand, which I did not have to do
last time; this struck me as odd and probably indicative of a larger
problem. I found the following solution in a Usenet thread (modified for my
system's appropriate locations, of course):

    kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin

Using Ubuntu's krb5_newrealm utility, I assume that I proceeded to the step
just beyond using kdb5_util with 'create -s' to make a database for the
realm. I verified, also, that the krb5.conf and kdc.conf files were
appropriately defining the realm, although there was a lot of crap in there
above and beyond the EXAMPLE.COM example configurations that I easily
modified and had working before.
Now I've created a dgetsman/admin principal, but when I try to start kadmin
through Ubuntu's /etc/init.d/krb5-admin-server, I get the following message:
kadmind: Cannot set GSS-API authentication names.
Obviously I can't use kadmin at this point.
I'm pretty much lost in what is wrong with this. I was starting to
understand how the other system was working but the completely new
configuration has me struggling to know which way is up. Can anybody
suggest a good Ubuntu howto for Kerberos and/or any other documentation that
might be able to walk me through configuration on an Ubuntu server? I've
lost a week and a half of work and this is really killing me. I'd be more
than happy with suggestions on how to get my existing configuration to work,
also, I just don't know what applicable parts I should show here.
Thanks for the time & help.
-Damon Getsman