Help
Brian Candler
B.Candler at pobox.com
Wed Nov 10 14:17:49 EST 2010
On Tue, Nov 09, 2010 at 04:29:05PM -0200, Paulo Oliveira wrote:
> Now I am with problem in authentication. I type kinit paulo at teste.uem and appear:
>
> Nov 09 16:16:26 paulo-laptop krb5kdc[3372](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 127.0.0.1: CLIENT_NOT_FOUND: paulo at teste.uem for krbtgt/teste.uem at teste.uem, Client not found in Kerberos database
>
>
> In my kadm5.acl file has the user such as below:
>
> */paulo at teste.uem
Firstly, it's "kinit paulo at TESTE.UEM" - note the capitals - or just
"kinit paulo", if you have the default realm set as TESTE.UEM in
/etc/krb5.conf.
Next, the file kadm5.acl is only a list of which principals are kerberos
administrators - that is, which principals have rights to add, modify or
remove other principals.
So you still have to create a principal paulo at TESTE.UEM before they can
kinit. You can do this using kadmin.local on the KDC itself, which solves
the chicken-and-egg problem of how to create your administrator principal
before you have any administrators.
Once this is done, you no longer need kadmin.local - instead use kadmin from
a remote workstation, which talks to kadmind over TCP.
More information about the Kerberos
mailing list