Streamlining host principal keytab provisioning?

Sebastian Galiano Sebastian.Galiano at spilgames.com
Wed May 2 04:27:11 EDT 2012


Ok, as you pointed out, I didn't have a principal for the wallet server (it is also the KDC server). Adding the principal solved that problem. Now to the same command:

$wallet -f keytab  get keytab nfs/hostname.REALMNAME
wallet: username@REALMNAME not authorized to create keytab:nfs/host.REALMNAME

The remctld server says: 

remctld: child 21836 for 172.16.8.190
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from username@REALMNAME (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 5
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from username@REALMNAME: wallet check keytab nfs/host.REALMNAME
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 10
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from username@REALMNAME: wallet autocreate keytab nfs/host.REALMNAME
remctld: error receiving token: unexpected end of file
remctld: child 21836 done

I checked my user permissions by logging into kadmin as the user and executing get_privs:
current privileges: GET ADD MODIFY DELETE

So this user should have all the privileges; how is it that it is not authorized? Does it have anything to do with wallet ACLs?



________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: 02 May 2012 00:47
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> Slowly I am managing to make some steps forward! :) ... Now I got the remctld
> running, and I added the wallet configuration into the krb5.conf (client
> side). But when I try to get a ticket I get the following error:

> $wallet -f keytab  get keytab nfs/hostname.REALMNAME
> wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Cannot contact any KDC for requested realm

This error message indicates that things are going wrong at the remctl
level.  wallet is trying to get credentials for the wallet server, and
when doing so, it can't reach the KDC for the realm that it thinks the
wallet server is in.

This probably means that your domain_realm mapping for the wallet server
isn't correct, but may mean that you have problems reaching the KDC for
other reasons.

The default principal to which the wallet client will try to authenticate
is host/<hostname> where <hostname> is whatever you configured the wallet
server to be (--with-wallet-server on wallet's configure command or
configured in your krb5.conf file).  You can try to get tickets for that
directly and duplicate the error with:

    kvno host/<hostname>
    kgetcred host/<hostname>

depending on what set of Kerberos tools you have installed.  (The first is
MIT; the second, Heimdal).

--
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
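Russ's diagnosis above turns on two things in the client's krb5.conf: which realm the [domain_realm] mapping assigns to the wallet server's host name (and therefore which realm host/<hostname> is looked up in), and whether a KDC is known for that realm. The following Python script is an added example, not code from this thread or from the wallet or remctl projects; it applies that lookup to a constructed krb5.conf. The host names, the realm EXAMPLE.COM and the function names are assumptions for illustration, and the uppercased-parent-domain fallback is a simplification of what the real libraries do after their DNS and referral lookups.

```python
import re

# Constructed sample krb5.conf for illustration; not the thread's real config.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    wallet.corp.example.net = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader covering the sections this check needs.

    Flat sections become {key: [values]}; inside [realms] each
    'NAME = { ... }' block becomes {NAME: {key: [values]}} so that several
    'kdc =' lines are all kept. Includes and other syntax are ignored.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        m = re.match(r'^(\S+)\s*=\s*(.*)$', line)
        if not m:
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def host_realm(conf, hostname):
    """Map a service host to a realm the way [domain_realm] is consulted.

    Order: exact host entry first, then each parent domain with a leading
    dot (most specific first). With no entry, the uppercased parent domain
    is used; that mirrors the libraries' last-resort fallback (assumption:
    the real libraries may also consult DNS TXT records and KDC referrals
    before reaching it). Returns (realm, how_it_was_chosen).
    """
    mapping = {k.lower(): v[0] for k, v in conf.get('domain_realm', {}).items()}
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host], 'exact'
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], candidate
    parent = '.'.join(labels[1:])
    if not parent:  # single-label host: nothing to uppercase, use default_realm
        default = conf.get('libdefaults', {}).get('default_realm', [''])[0]
        return default, 'default_realm'
    return parent.upper(), 'fallback'


def diagnose_wallet_server(conf, server):
    """Report the principal the wallet client will target, the realm it lands
    in, and whether krb5.conf lists a KDC for that realm. An empty kdc list is
    the configuration-side cause of 'Cannot contact any KDC for requested
    realm' unless DNS SRV lookup (dns_lookup_kdc) supplies one at runtime."""
    realm, how = host_realm(conf, server)
    kdcs = conf.get('realms', {}).get(realm, {}).get('kdc', [])
    return {
        'principal': 'host/' + server.lower().rstrip('.'),
        'realm': realm,
        'matched_by': how,
        'kdcs': kdcs,
        'kdc_configured': bool(kdcs),
    }


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for server in ('wallet.corp.example.net', 'nfs.lab.example.com', 'wallet.other.org'):
        print(diagnose_wallet_server(conf, server))
```

Point the script at the same wallet server name that is configured on the client (--with-wallet-server or the krb5.conf wallet setting) and compare its answer with what `kvno host/<hostname>` or `kgetcred host/<hostname>` reports: a server that falls through to the uppercased fallback, or lands in a realm with no kdc entry, is the mapping problem Russ describes.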
