Streamlining host principal keytab provisioning?

Sebastian Galiano Sebastian.Galiano at spilgames.com
Mon May 7 03:40:15 EDT 2012


Ok

I managed to create the database with my Kerberos Admin User. Then I wanted to check inside the database to see if an ADMIN for wallet was there. So I checked the table acl_entries inside the database and I got:

mysql> select * from acl_entries;
+-------+-----------+----------------------------------+
| ae_id | ae_scheme | ae_identifier                  
+-------+-----------+----------------------------------+
|     1 | krb5      | USER at REALM |


The USER at REALM was exactly the user I used to execute the command 'wallet-admin initialize USER at REALM'.

After that I tried to create an object using:

   wallet create keytab nfs/host.domain.org

I keep on getting a "wallet: Access denied", and the remctl server says:

remctld: child 6927 for 172.16.8.190
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from USER at REALM (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 6
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from USER at REALM: wallet create keytab nfs/host.domain.org
remctld: access denied: user  USER at REALM, command wallet create
remctld: quit received, closing connection
remctld: child 6927 done

So I believe that I'm using the Wallet Admin user to create new objects, but it still seems that I don't have permissions to do it.

From: Russ Allbery [rra at stanford.edu]
Sent: 04 May 2012 17:27
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> I had some problems trying to execute the commands you recommend me with
> the admin user. Then, I've tried to start almost all over. I've erased
> the wallet database, I've created it again. I've added the wallet user
> and I've granted the permissions. But when I execute the command:
>
> $ wallet-admin initialize wallet
> I get the following error
>   invalid admin principal wallet

The argument to initialize is a Kerberos principal.  It's the initial
membership of the ADMIN ACL.  See docs/setup:

    Now, you have to create the necessary tables, indexes, and similar
    content in the database so that the wallet can start working.  Run:

        wallet-admin initialize USER

    where USER is the fully-qualified Kerberos principal of an
    administrator.  This will create the database, create an ADMIN ACL,
    and put USER in that ACL so that user can add other administrators and
    start creating objects.

--
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
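
The remctld log posted above says "access denied" before any backend is named, which is remctld's own ACL check rather than the wallet's ADMIN ACL. The following script, added here as an example and not part of this mail thread or of the remctl or wallet projects, parses remctld log lines of the shape shown in the post and reports each such denial together with the full command the client sent and which layer refused it. The sample log is constructed from the thread's output; the regular expressions assume the line formats visible in that output, and "USER at REALM" is treated as the list archive's rendering of USER@REALM.

```python
"""
Pull access-denied events out of remctld log output.

Added example, not code from the original mail thread or from the
remctl/wallet projects.  The line formats matched below are taken from
the remctld output quoted in the thread; anything else is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the remctld lines from the thread, with the list
# archive's "USER at REALM" obfuscation left in place.
SAMPLE_LOG = """\
remctld: child 6927 for 172.16.8.190
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from USER at REALM (protocol 2)
remctld: argc is 4
remctld: COMMAND from USER at REALM: wallet create keytab nfs/host.domain.org
remctld: access denied: user  USER at REALM, command wallet create
remctld: quit received, closing connection
remctld: child 6927 done
"""

# A principal is USER@REALM, or "USER at REALM" as mailing-list archives
# rewrite it.  Realm part stops at whitespace, comma or colon.
PRINCIPAL = r"(?P<user>[^\s,]+(?:@|\s+at\s+)[^\s,:]+)"
RE_COMMAND = re.compile(r"remctld: COMMAND from " + PRINCIPAL + r": (?P<argv>.*)$")
RE_DENIED = re.compile(r"remctld: access denied: user\s+" + PRINCIPAL
                       + r", command (?P<cmd>.*)$")


@dataclass
class Denial:
    user: str      # normalised principal, USER@REALM
    command: str   # "command subcommand" pair remctld checked its config for
    argv: str      # full argument list the client sent, if a COMMAND line preceded
    layer: str     # which ACL produced the refusal


def normalise_principal(user: str) -> str:
    """Turn the archive's 'USER at REALM' back into USER@REALM."""
    return re.sub(r"\s+at\s+", "@", user)


def find_denials(log: str) -> List[Denial]:
    """Scan remctld log text and return one Denial per access-denied line."""
    denials: List[Denial] = []
    last_argv: Dict[str, str] = {}   # principal -> most recent COMMAND line
    for line in log.splitlines():
        m = RE_COMMAND.search(line)
        if m:
            last_argv[normalise_principal(m["user"])] = m["argv"]
            continue
        m = RE_DENIED.search(line)
        if m:
            user = normalise_principal(m["user"])
            # "access denied" logged by remctld itself means the ACL on the
            # matching remctld.conf line refused the principal; the backend
            # program on that line (here wallet-backend) was never executed.
            denials.append(Denial(user, m["cmd"], last_argv.get(user, ""), "remctld"))
    return denials


def diagnose(d: Denial) -> str:
    """One-line explanation a defender can act on for a given denial."""
    if d.layer == "remctld":
        return (f"{d.user} was refused '{d.command}' by remctld's ACL, so the backend "
                f"never ran; fix the ACL on the remctld.conf line for '{d.command}', "
                f"not the wallet ADMIN ACL")
    return f"{d.user} was refused '{d.command}' inside the backend"


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(diagnose(d))
```

The distinction matters for the situation in the thread: the acl_entries row proves the principal is in the wallet's ADMIN ACL, but that ACL is consulted only once wallet-backend runs, and the remctld log shows the request being refused one layer earlier.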
