Streamlining host principal keytab provisioning?
Sebastian Galiano
Sebastian.Galiano at spilgames.com
Tue May 8 03:44:31 EDT 2012
Ok, from the same wallet server I executed the following command:
wallet create keytab nfs/host.domain.org -s server.domain.org
My wallet.conf is:
$DB_DRIVER = 'mysql';
$DB_NAME = 'wallet';
$DB_HOST = 'localhost';
$DB_USER = 'wallet';
$DB_PASSWORD = 'PASSWORD';
$KEYTAB_FILE = '/etc/krb5.keytab';
$KEYTAB_KRBTYPE = 'MIT';
$KEYTAB_REALM= 'REALM';
$KEYTAB_TMP = '/home/tmp';
$KEYTAB_PRINCIPAL = 'nfs/host.domain.org' ;
1;
This made the trick and I managed to create the principal in the wallet database.
I also tried from my host.domain.org. I've changed the KEYTAB_PRINCIPAL to host/host.domain.org, and it also created a principal inside the wallet database. I also tried to create more principals that are not defined in the KEYTAB_PRINCIPAL and it worked. So I still dont understand why is the KEYTAB_PRINCIPAL parameter needed since I can create any principal inside the /etc/krb5.keytab.
My next step has been to try to get they keytab for nfs/host.domain.org from host.domain.org using the command:
$wallet -f file get keytab nfs/host.domain.org
wallet: user at REALM not authorized to get keytab:nfs/host.domain.org
remctld output:
remctld: child 4532 for xxxx
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from user at REALM (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 5
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from user at REALM: wallet check keytab nfs/host.domain.org
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 3
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from user at REALM: wallet get keytab nfs/host.domain.org
remctld: quit received, closing connection
remctld: child 4532 done
________________________________________
From: Russ Allbery [rra at stanford.edu]
Sent: 08 May 2012 09:16
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos at mit.edu
Subject: Re: Streamlining host principal keytab provisioning?
Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:
> Ok, I missunderstood with the KEYTAB_PRINCIPAL parameter, now I've
> changed for user at REALM which is the principal I gave permissions to.
It needs to be the principal for which you created a keytab that's stored
wherever $KEYTAB_FILE is pointing to.
> Just in case i renewed the ticket of user at realm and then:
> $wallet create keytab nfs/host.domain.org
> wallet: keytab object implementation not configured
Okay, you're back to remctl working again.
if (not $Wallet::Config::KEYTAB_KRBTYPE) {
die "keytab object implementation not configured\n";
unless (defined ($Wallet::Config::KEYTAB_PRINCIPAL)
and defined ($Wallet::Config::KEYTAB_FILE)
and defined ($Wallet::Config::KEYTAB_REALM)) {
die "keytab object implementation not configured\n";
One of those variables isn't actually set or isn't being loaded or
something.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list