Streamlining host principal keytab provisioning?

Russ Allbery rra at stanford.edu
Tue May 8 02:37:44 EDT 2012


Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> When I try:
> $ wallet create keytab nfs/host.domain.org
> wallet: keytab object implementation not configured

Now we're getting somewhere.  :)

That error message means that you've not configured at least one of the
mandatory settings for the keytab object type in your
/etc/wallet/wallet.conf file.  perldoc Wallet::Config will show you the
configuration information.

The mandatory options are:

    KEYTAB_FILE
        Specifies the keytab to use to authenticate to kadmind. The
        principal whose key is stored in this keytab must have the ability
        to create, modify, inspect, and delete any principals that should be
        managed by the wallet. (In MIT Kerberos kadm5.acl parlance, this is
        "admci" privileges.)

        KEYTAB_FILE must be set to use keytab objects.

    KEYTAB_KRBTYPE
        The Kerberos KDC implementation type, either "Heimdal" or "MIT"
        (case-insensitive). KEYTAB_KRBTYPE must be set to use keytab
        objects.

    KEYTAB_PRINCIPAL
        The principal whose key is stored in KEYTAB_FILE. The wallet will
        authenticate as this principal to the kadmin service.

        KEYTAB_PRINCIPAL must be set to use keytab objects, at least until
        kadmin is smart enough to use the first principal found in the
        keytab it's using for authentication.

    KEYTAB_REALM
        Specifies the realm in which to create Kerberos principals. The
        keytab object implementation can only work in a single realm for a
        given wallet installation and the keytab object names are stored
        without realm. KEYTAB_REALM is added when talking to the KDC via
        kadmin.

        KEYTAB_REALM must be set to use keytab objects. "ktadd" doesn't
        always default to the local realm.

    KEYTAB_TMP
        A directory into which the wallet can write keytabs temporarily
        while processing "get" commands from clients. The keytabs are
        written into this directory with predictable names, so this should
        not be a system temporary directory such as /tmp or /var/tmp. It's
        best to create a directory solely for this purpose that's owned by
        the user the wallet server will run as.

        KEYTAB_TMP must be set to use keytab objects.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
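As an added example (not part of Russ's reply and not the wallet project's own documentation), here is a minimal /etc/wallet/wallet.conf that sets the five mandatory keytab options from the list above. The values are hypothetical: an MIT KDC, realm EXAMPLE.COM, an admin principal service/wallet, and the paths /etc/wallet/keytab and /var/lib/wallet/keytabs are assumptions for illustration. wallet.conf is Perl that the server loads, so it has to end with a true value.

```perl
# /etc/wallet/wallet.conf -- hypothetical example, not shipped with wallet.
# Settings for the keytab object type; each one is required or
# "wallet create keytab ..." fails with
# "keytab object implementation not configured".

# Keytab holding the key the wallet uses to authenticate to kadmind.
# The principal in it needs create/modify/inspect/delete rights on every
# principal the wallet manages.  For MIT, the matching kadm5.acl line is:
#     service/wallet@EXAMPLE.COM   admci
# (assumed realm and principal; adjust to your site).
$KEYTAB_FILE      = '/etc/wallet/keytab';

# KDC implementation: 'MIT' or 'Heimdal' (case-insensitive).
$KEYTAB_KRBTYPE   = 'MIT';

# Principal whose key is in $KEYTAB_FILE; wallet kinits as this identity.
$KEYTAB_PRINCIPAL = 'service/wallet@EXAMPLE.COM';

# Realm appended to keytab object names (which are stored without realm).
# One wallet installation can only manage a single realm.
$KEYTAB_REALM     = 'EXAMPLE.COM';

# Scratch directory for keytabs generated during "get".  Filenames here are
# predictable, so this must NOT be /tmp or /var/tmp; use a directory owned
# by the wallet server user with mode 0700 and nothing else in it.
$KEYTAB_TMP       = '/var/lib/wallet/keytabs';

1;  # wallet.conf is loaded as Perl and must return true
```

Before restarting the server, it is worth checking the two external pieces this depends on: that the keytab actually works for the named principal (for example `kinit -k -t /etc/wallet/keytab service/wallet@EXAMPLE.COM` as the wallet user), and that the kadm5.acl entry grants at least the "admci" privileges on the principals the wallet will create, since the wallet can only report kadmin's errors after the fact.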

