Streamlining host principal keytab provisioning?
Sebastian Galiano
Sebastian.Galiano at spilgames.com
Tue May 8 02:52:21 EDT 2012
Ok this is my wallet.conf at the wallet client:
# Mandatory keytab-object settings (see Wallet::Config); option name is KEYTAB_FILE
$KEYTAB_FILE = '/home/USER/krb5.test';
$KEYTAB_KRBTYPE = 'MIT';
$KEYTAB_PRINCIPAL = 'host.domain.org';
$KEYTAB_REALM = 'REALM';
$KEYTAB_TMP = '/home/USER/tmp';   # every statement needs a trailing semicolon
1;
Now I cannot create more admin users:
$wallet acl add ADMIN krb5 host.domain.org@REALM
wallet: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Ticket expired
the remctl output is:
remctld: child 1199 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1199 done
If I try to create a keytab:
$wallet create keytab nfs/host.domain.org
wallet: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Ticket expired
remctl output:
remctld: child 1400 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1400 done
________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: 08 May 2012 08:37
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?
Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:
> When I try:
> $ wallet create keytab nfs/host.domain.org
> wallet: keytab object implementation not configured
Now we're getting somewhere. :)
That error message means that you've not configured at least one of the
mandatory settings for the keytab object type in your
/etc/wallet/wallet.conf file. perldoc Wallet::Config will show you the
configuration information.
The mandatory options are:
KEYTAB_FILE
Specifies the keytab to use to authenticate to kadmind. The
principal whose key is stored in this keytab must have the ability
to create, modify, inspect, and delete any principals that should be
managed by the wallet. (In MIT Kerberos kadm5.acl parlance, this is
"admci" privileges.)
KEYTAB_FILE must be set to use keytab objects.
KEYTAB_KRBTYPE
The Kerberos KDC implementation type, either "Heimdal" or "MIT"
(case-insensitive). KEYTAB_KRBTYPE must be set to use keytab
objects.
KEYTAB_PRINCIPAL
The principal whose key is stored in KEYTAB_FILE. The wallet will
authenticate as this principal to the kadmin service.
KEYTAB_PRINCIPAL must be set to use keytab objects, at least until
kadmin is smart enough to use the first principal found in the
keytab it's using for authentication.
KEYTAB_REALM
Specifies the realm in which to create Kerberos principals. The
keytab object implementation can only work in a single realm for a
given wallet installation and the keytab object names are stored
without realm. KEYTAB_REALM is added when talking to the KDC via
kadmin.
KEYTAB_REALM must be set to use keytab objects. "ktadd" doesn't
always default to the local realm.
KEYTAB_TMP
A directory into which the wallet can write keytabs temporarily
while processing "get" commands from clients. The keytabs are
written into this directory with predictable names, so this should
not be a system temporary directory such as /tmp or /var/tmp. It's
best to create a directory solely for this purpose that's owned by
the user the wallet server will run as.
KEYTAB_TMP must be set to use keytab objects.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
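For reference, here is a complete server-side /etc/wallet/wallet.conf that sets the five mandatory keytab options Russ lists above, with the weak KEYTAB_TMP choice shown beside the one the documentation recommends. This is an added example, not a file from the thread or from the wallet distribution; the principal name wallet/admin, the realm EXAMPLE.ORG and the paths are assumptions chosen for illustration.

```perl
# Added example: server-side wallet.conf for the keytab object type.
# Principal, realm and paths below are assumptions, not values from the thread.

# Keytab holding the key of the principal the wallet uses to talk to kadmind.
$KEYTAB_FILE      = '/etc/wallet/wallet.keytab';

# KDC implementation, 'MIT' or 'Heimdal' (case-insensitive).
$KEYTAB_KRBTYPE   = 'MIT';

# Principal stored in KEYTAB_FILE.  On an MIT KDC this principal needs
# "admci" (add, delete, modify, changepw, inquire) in kadm5.acl, or the
# wallet cannot create or rekey the principals it manages.
$KEYTAB_PRINCIPAL = 'wallet/admin@EXAMPLE.ORG';

# Realm appended to object names such as nfs/host.domain.org when the
# wallet calls kadmin; one realm per wallet installation.
$KEYTAB_REALM     = 'EXAMPLE.ORG';

# Scratch directory for keytabs generated by "get".  File names in here are
# predictable, so a shared directory would invite symlink or pre-creation
# attacks by local users:
#   $KEYTAB_TMP = '/tmp';                   # weak: world-writable, shared
# Use a directory owned by the wallet server user with mode 0700 instead:
$KEYTAB_TMP       = '/var/lib/wallet/keytabs';

1;
```

Before restarting remctld, two checks save a round of debugging: `klist -k /etc/wallet/wallet.keytab` must list exactly the principal named in KEYTAB_PRINCIPAL, and the kadm5.acl on the KDC must carry a matching line of the form `wallet/admin@EXAMPLE.ORG admci` (again an assumed name). The "Ticket expired" GSS-API error in the client output above is separate from this file: it is the client's own credential cache that needs a fresh kinit before wallet can build a context to remctld.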