Streamlining host principal keytab provisioning?
Russ Allbery
rra at stanford.edu
Wed May 2 12:15:24 EDT 2012
Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:
> Ok, as you pointed out, I didn't have a principal for the wallet server (it is
> also the kdc server). Adding the principal solved that problem. Now to
> the same command:
> $wallet -f keytab get keytab nfs/hostname.REALMNAME
> wallet: username at REALMNAME not authorized to create keytab:nfs/host.REALMNAME
That's an error from the wallet server, not from remctld or from Kerberos.
wallet doesn't pay any attention to the kadmin ACLs; it maintains its own
database of objects and ACLs for who can download them. So you have to
either set up autocreation (see the Wallet::Config man page or perldoc
under "DEFAULT OWNERS"), or you need to pre-create the object as a user
listed in the ADMIN ACL. For example:
    wallet create keytab nfs/<fqdn>
    wallet acl create user/<username> krb5 <username>@<realm>
    wallet owner keytab nfs/<fqdn> user/<username>
wallet show keytab nfs/<fqdn> will show you the existing wallet record for
that particular object.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
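For the autocreation route Russ mentions, here is an added example of a Wallet::Config DEFAULT OWNERS hook; it is not code from this thread or from the wallet project. It assumes the hook is called as default_owner(TYPE, NAME) and returns the owner ACL name followed by [scheme, identifier] entries, as described in the Wallet::Config perldoc; the realm EXAMPLE.COM and the allowed service list are placeholders.

```perl
# Added example (not from the thread or the wallet project): a Wallet::Config
# DEFAULT OWNERS hook that lets a host fetch service keytabs for its own FQDN
# without an ADMIN user pre-creating each object.  Assumed: default_owner is
# called with (TYPE, NAME) and returns the owner ACL name followed by
# [scheme, identifier] entries; EXAMPLE.COM and the service list are placeholders.
package Wallet::Config;

use strict;
use warnings;

# Only these service principals may be autocreated; anything else (including
# the host/ principal itself) still needs explicit creation by an ADMIN user.
my %AUTOCREATE_SERVICE = map { $_ => 1 } qw(nfs http);

# Keytab object names must be service/fqdn with a fully-qualified hostname.
my $KEYTAB_NAME = qr{^([a-z][a-z0-9-]*)/([a-z0-9-]+(?:\.[a-z0-9-]+)+)$}i;

sub default_owner {
    my ($type, $name) = @_;

    # Decline (return undef) for anything that is not an allowed keytab, so the
    # requester gets the same "not authorized to create" error as before.
    return unless defined $type and $type eq 'keytab';
    return unless defined $name and $name =~ $KEYTAB_NAME;
    my ($service, $fqdn) = (lc $1, lc $2);
    return unless $AUTOCREATE_SERVICE{$service};

    # The owner ACL is named after the host and its only entry is the host's
    # own Kerberos identity, so a machine holding its host/<fqdn> keytab can
    # fetch nfs/<fqdn>, http/<fqdn>, ... for itself and for no other host.
    my $acl = "host/$fqdn";
    return ($acl, [ 'krb5', "host/$fqdn\@EXAMPLE.COM" ]);
}

1;
```

The returned owner only helps a requester who is authorized by that ACL, so a user principal such as the one in the thread still needs the explicit create/acl/owner steps above; confirm the exact calling convention against the perldoc of the wallet version you run.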