Streamlining host principal keytab provisioning?

Sebastian Galiano Sebastian.Galiano at spilgames.com
Tue May 8 02:52:21 EDT 2012


Ok, this is my wallet.conf at the wallet client:


# Wallet::Config keytab settings; the variable must be named $KEYTAB_FILE
$KEYTAB_FILE= '/home/USER/krb5.test';
$KEYTAB_KRBTYPE= 'MIT';
$KEYTAB_PRINCIPAL= 'host.domain.org';
$KEYTAB_REALM= 'REALM';
$KEYTAB_TMP= '/home/USER/tmp';   # trailing semicolon was missing
1;

Now I cannot create more admin users:

$wallet acl add ADMIN krb5 host.domain.org@REALM
wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Ticket expire

the remctl output is:

remctld: child 1199 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1199 done


If I try to create a keytab:
$wallet create keytab nfs/host.domain.org
wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Ticket expired

remctl output:
remctld: child 1400 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1400 done

________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: 08 May 2012 08:37
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> When I try:
> $ wallet create keytab nfs/host.domain.org
> wallet: keytab object implementation not configured

Now we're getting somewhere.  :)

That error message means that you've not configured at least one of the
mandatory settings for the keytab object type in your
/etc/wallet/wallet.conf file.  perldoc Wallet::Config will show you the
configuration information.

The mandatory options are:

    KEYTAB_FILE
        Specifies the keytab to use to authenticate to kadmind. The
        principal whose key is stored in this keytab must have the ability
        to create, modify, inspect, and delete any principals that should be
        managed by the wallet. (In MIT Kerberos kadm5.acl parlance, this is
        "admci" privileges.)

        KEYTAB_FILE must be set to use keytab objects.

    KEYTAB_KRBTYPE
        The Kerberos KDC implementation type, either "Heimdal" or "MIT"
        (case-insensitive). KEYTAB_KRBTYPE must be set to use keytab
        objects.

    KEYTAB_PRINCIPAL
        The principal whose key is stored in KEYTAB_FILE. The wallet will
        authenticate as this principal to the kadmin service.

        KEYTAB_PRINCIPAL must be set to use keytab objects, at least until
        kadmin is smart enough to use the first principal found in the
        keytab it's using for authentication.

    KEYTAB_REALM
        Specifies the realm in which to create Kerberos principals. The
        keytab object implementation can only work in a single realm for a
        given wallet installation and the keytab object names are stored
        without realm. KEYTAB_REALM is added when talking to the KDC via
        kadmin.

        KEYTAB_REALM must be set to use keytab objects. "ktadd" doesn't
        always default to the local realm.

    KEYTAB_TMP
        A directory into which the wallet can write keytabs temporarily
        while processing "get" commands from clients. The keytabs are
        written into this directory with predictable names, so this should
        not be a system temporary directory such as /tmp or /var/tmp. It's
        best to create a directory solely for this purpose that's owned by
        the user the wallet server will run as.

        KEYTAB_TMP must be set to use keytab objects.

--
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
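Added example, not from either poster or from the wallet project: a small Python checker that reads the `$NAME = 'value';` lines of a wallet.conf fragment and reports the conditions the reply above lists (all five KEYTAB_* settings present, KEYTAB_KRBTYPE either MIT or Heimdal, KEYTAB_TMP not a shared temp directory), plus a missing trailing semicolon. The SAMPLE is constructed with a misspelled variable name and a missing semicolon; the only parsing it assumes is the simple single-quoted assignment form shown in the thread.

```python
import re

# Mandatory Wallet::Config settings for keytab objects (from the reply above).
REQUIRED = ("KEYTAB_FILE", "KEYTAB_KRBTYPE", "KEYTAB_PRINCIPAL",
            "KEYTAB_REALM", "KEYTAB_TMP")
SHARED_TMP = ("/tmp", "/var/tmp")
# Assumption: settings are written as  $NAME = 'value';  one per line.
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*'([^']*)'\s*(;?)\s*$")

def check_wallet_conf(text):
    """Return a list of problems found in a wallet.conf fragment."""
    problems, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value, semi = m.groups()
        seen[name] = value
        if not semi:
            problems.append(f"line {lineno}: missing ';' after ${name}")
    for name in REQUIRED:
        if name not in seen:
            problems.append(f"{name} is not set (keytab objects stay unconfigured)")
    krbtype = seen.get("KEYTAB_KRBTYPE", "").lower()
    if krbtype and krbtype not in ("mit", "heimdal"):
        problems.append(f"KEYTAB_KRBTYPE must be MIT or Heimdal, got {seen['KEYTAB_KRBTYPE']!r}")
    tmp = seen.get("KEYTAB_TMP", "")
    if tmp.rstrip("/") in SHARED_TMP:
        problems.append("KEYTAB_TMP points at a shared temp dir; keytabs are written with predictable names")
    return problems

# Constructed sample: $KEYTABFILE is misspelled and KEYTAB_TMP lacks its ';'.
SAMPLE = """\
$KEYTABFILE= '/home/USER/krb5.test';
$KEYTAB_KRBTYPE= 'MIT';
$KEYTAB_PRINCIPAL= 'host.domain.org';
$KEYTAB_REALM= 'REALM';
$KEYTAB_TMP= '/home/USER/tmp'
1;
"""

if __name__ == "__main__":
    for problem in check_wallet_conf(SAMPLE):
        print(problem)
```

A config that passes this check can still fail with the GSS-API "Ticket expired" error shown above; that comes from the client's Kerberos credentials, not from wallet.conf.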
