Streamlining host principal keytab provisioning?

Sebastian Galiano Sebastian.Galiano at spilgames.com
Fri May 4 04:41:13 EDT 2012


I had some problems trying to execute the commands you recommended to me with the admin user. Then I tried to start almost all over: I erased the wallet database, created it again, added the wallet user, and granted the permissions. But when I execute the command:

$ wallet-admin initialize wallet

I get the following error:

  invalid admin principal wallet

This is my wallet.conf:

$DB_DRIVER      = 'mysql';
$DB_NAME        = 'wallet';
$DB_HOST        = 'localhost';
$DB_USER        = 'wallet';
$DB_PASSWORD    = 'foobar';
$KEYTAB_FILE    = '/etc/krb5.keytab';
$KEYTAB_HOST    = 'localhost';
$KEYTAB_KRBTYPE = 'MIT';
$KEYTAB_REALM   = 'REALM';
$KEYTAB_TMP     = '/tmp';
1;

It seems to me that everything is correct.


________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: 03 May 2012 18:01
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> First I will like to add a user to the ADMIN ACL , for that purpose I
> modified the remctl.conf and substituted each line with ANYUSER for the
> path to a ACL file.

That won't help.  I'm afraid you're confusing the remctl ACLs and the
wallet ACLs.  The ADMIN ACL for wallet is stored in the database.  You
would have added one user to the ADMIN ACL when you used wallet-admin to
create the database.  That user can add other users over protocol with:

    wallet acl add ADMIN krb5 <principal>

You can also pretend to be that user and add more users directly on the
server with:

    env REMOTE_USER=<admin-user> wallet-backend acl add ADMIN krb5 <principal>

Just leave the remctl ACLs alone.  You shouldn't ever need to change them
once you've gotten things installed.

--
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
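The ADMIN ACL bootstrap Russ describes, written up as a small POSIX shell script. This is an added example, not code from the wallet distribution or from anyone in the thread. It assumes the wallet-admin, wallet and wallet-backend commands are on PATH, and it adds one guard of my own: every principal handed to these commands must be in full name@REALM form (an assumption about what wallet-admin expects, not something the thread states). With WALLET_DRY_RUN set the script prints the commands instead of running them, so it can be read and tested without a wallet server.

```shell
#!/bin/sh
# Added example: bootstrap the wallet ADMIN ACL and add further admins.
# Not part of wallet itself. Assumes wallet-admin, wallet and wallet-backend
# are installed; WALLET_DRY_RUN=1 prints each command instead of running it.

# Return 0 when $1 looks like a fully-qualified Kerberos principal:
# a non-empty name, exactly one '@', and a non-empty realm.
# (Guard added here on the assumption that wallet-admin wants name@REALM.)
is_principal() {
    case "$1" in
        ''|@*|*@|*@*@*) return 1 ;;
        *@*)            return 0 ;;
        *)              return 1 ;;
    esac
}

# Run a command, or echo it when WALLET_DRY_RUN is set.
run() {
    if [ -n "${WALLET_DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: create the database schema and seed the ADMIN ACL with one
# principal. This is the only place the first admin can come from.
wallet_initialize() {
    admin="$1"
    is_principal "$admin" || { echo "not a full principal: $admin" >&2; return 1; }
    run wallet-admin initialize "$admin"
}

# Step 2a: add another admin over the wallet protocol, authenticated as a
# principal that is already on the ADMIN ACL.
wallet_acl_add_remote() {
    principal="$1"
    is_principal "$principal" || { echo "not a full principal: $principal" >&2; return 1; }
    run wallet acl add ADMIN krb5 "$principal"
}

# Step 2b: the same change made directly on the server, impersonating an
# existing admin through REMOTE_USER (the identity remctl would normally set).
wallet_acl_add_local() {
    admin="$1"
    principal="$2"
    is_principal "$admin"     || { echo "not a full principal: $admin" >&2; return 1; }
    is_principal "$principal" || { echo "not a full principal: $principal" >&2; return 1; }
    run env REMOTE_USER="$admin" wallet-backend acl add ADMIN krb5 "$principal"
}

# Demo (dry run only) when invoked as: sh this-script.sh demo
# Principals below are made up for illustration.
if [ "${1:-}" = "demo" ]; then
    WALLET_DRY_RUN=1
    export WALLET_DRY_RUN
    wallet_initialize    "admin/wallet@EXAMPLE.COM"
    wallet_acl_add_remote "alice@EXAMPLE.COM"
    wallet_acl_add_local  "admin/wallet@EXAMPLE.COM" "bob@EXAMPLE.COM"
fi
```

The remote form is the normal path once one admin exists; the local form only works on the wallet server itself, which is why the remctl ACLs that decide who may reach wallet-backend should be left as they were installed, exactly as Russ says.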
