wallet system

Almudena Montiel González almumontiel at gmail.com
Sat Oct 27 19:31:55 EDT 2012


I have recently deployed the wallet system for streamlining my Kerberos keytabs.
I am using both of the supported types: files and keytabs.
When using files, I can create and retrieve them with no problem.
But when I use keytabs I don't get them properly: the key in the keytab is a broken value.
This is the real keytab:
root@lxb001:/home/devops# ktutil -k /tmp/lxb003 list --keys

Vno  Type                     Principal                                Key                                                               Aliases
  2  aes256-cts-hmac-sha1-96  host/lxb003.devops.gsi.de@DEVOPS.GSI.DE  15bc0e1897a9ed4f41e6f7abf8392901edf1262d4a6d476be904d378ab2fbdf0 

And this is the keytab that I can get with wallet get keytab from the client:
root@lxb003:/home/devops# ktutil -k /etc/krb5.keytab list --keys

Vno  Type                     Principal                                Key       Aliases
  3  aes256-cts-hmac-sha1-96  host/lxb003.devops.gsi.de@DEVOPS.GSI.DE  e5e5e5e5  

So as you can see, the key is not the same. Actually, this key, e5e5e5e5, appears in every keytab that I get from the clients.

I have already tried with the unchanging flag: wallet flag set keytab host/lxb003.devops.gsi.de@DEVOPS.GSI.DE unchanging.
As I am using Heimdal, it is all I would need to configure.

This is my wallet.conf:
root@lxb001:/home/devops/tmp# cat /etc/wallet/wallet.conf 
$DB_DRIVER = 'SQLite';
$DB_INFO = '/etc/wallet/wallet.db';

$KEYTAB_KRBTYPE         = 'Heimdal';
$KEYTAB_FILE            = '/etc/wallet/srv.wallet.keytab';
$KEYTAB_PRINCIPAL       = 'service/wallet@DEVOPS.GSI.DE';
$KEYTAB_FLAGS           = '-clearpolicy';
$KEYTAB_HOST            = 'lxb001.devops.gsi.de';
$KEYTAB_TMP             = '/var/tmp';
$KEYTAB_KADMIN          = '/usr/sbin/kadmin';

$KEYTAB_REMCTL_HOST = 'lxb001.devops.gsi.de';

$FILE_BUCKET            = '/etc/wallet/bucket';
$FILE_MAX_SIZE          = 4096;

# This is for JP's NetDB-shim, a.k.a. tenDB; see
# https://github.com/jpmens/tenDB  for details
#  $NETDB_REALM            = 'MENS.DE';
#  $NETDB_REMCTL_HOST      = 'hippo.ww.mens.de';
#       Kerberos credential-cache required for Wallet
#       to speak  to NetDB over remctl. Can be primed
#       and kept alive with k5start.
#  $NETDB_REMCTL_CACHE     = '/etc/wallet/tenDB.ccache';

sub default_owner {
    my ($type, $name) = @_;

    if ($type eq 'keytab') {
        return ('KTabs', [ 'krb5', 'service/wallet@DEVOPS.GSI.DE' ]);
    } else {

Thank you very much.
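To pin down whether the keytab that reaches the client is structurally broken, rather than just holding a different key, it helps to decode the keytab file itself instead of trusting ktutil's rendering. The script below is an added example written for this page; it is not part of the original post and not code from wallet, Heimdal or MIT Kerberos. It parses the version 0x0502 keytab format that both MIT and Heimdal write, checks that each entry's key length matches what its enctype requires (an aes256-cts-hmac-sha1-96 key must be 32 bytes, so a 4-byte e5e5e5e5 key cannot be valid AES-256 key material), flags keys made of one repeated byte, and compares a KDC-side keytab with a client-side one. The sample keytab bytes are constructed inline (the 32-byte "good" key is deliberately made up, not the key shown above) so that the script runs offline; pass two real keytab paths on the command line to use it on actual files.

```python
"""Parse MIT/Heimdal v2 keytab files and sanity-check the key material."""
import struct
from dataclasses import dataclass

# RFC 3961/3962/8009 key sizes in bytes, keyed by Kerberos enctype number.
KEY_LEN = {1: 8, 3: 8, 16: 24, 17: 16, 18: 32, 19: 16, 20: 32, 23: 16}
ENCTYPE_NAME = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str          # e.g. "host/lxb003.devops.gsi.de@DEVOPS.GSI.DE"
    vno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(data: bytes) -> list:
    """Decode every live entry of a version-2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:             # negative size marks a deleted slot; skip it
            off += -size
            continue
        rec, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p); p += 9
        (enctype,) = struct.unpack_from(">H", rec, p); p += 2
        key, p = _counted(rec, p)
        vno = vno8
        if p + 4 <= len(rec):    # optional 32-bit kvno after the key block
            (vno32,) = struct.unpack_from(">I", rec, p)
            vno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), vno, enctype, key, ts))
        off += size
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries in the same v2 layout, used here to construct samples."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        parts = name.split("/")
        rec = bytearray(struct.pack(">H", len(parts)))
        rec += struct.pack(">H", len(realm)) + realm.encode()
        for c in parts:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", 1, e.timestamp, e.vno & 0xFF)   # KRB5_NT_PRINCIPAL
        rec += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.vno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def check_entry(e: KeytabEntry) -> list:
    """Return human-readable problems with one entry's key material."""
    problems = []
    want = KEY_LEN.get(e.enctype)
    name = ENCTYPE_NAME.get(e.enctype, f"enctype {e.enctype}")
    if want is None:
        problems.append(f"unknown enctype {e.enctype}")
    elif len(e.key) != want:
        problems.append(f"{name} needs a {want}-byte key, got {len(e.key)} bytes ({e.key.hex()})")
    if len(set(e.key)) <= 1:
        problems.append("key is a single repeated byte: looks like filler, not random key material")
    return problems


def compare_keytabs(kdc_side: bytes, client_side: bytes) -> dict:
    """Map principal -> status after comparing the KDC copy with what the client got."""
    kdc = {(e.principal, e.enctype): e for e in parse_keytab(kdc_side)}
    result = {}
    for e in parse_keytab(client_side):
        ref = kdc.get((e.principal, e.enctype))
        if ref is None:
            result[e.principal] = "missing on KDC side"
        elif ref.key == e.key and ref.vno == e.vno:
            result[e.principal] = "ok"
        else:
            result[e.principal] = f"mismatch (kdc vno {ref.vno}, client vno {e.vno})"
    return result


PRINC = "host/lxb003.devops.gsi.de@DEVOPS.GSI.DE"
GOOD_KEY = bytes(range(0x10, 0x30))      # constructed 32-byte key, not real material
KDC_KEYTAB = build_keytab([KeytabEntry(PRINC, 2, 18, GOOD_KEY)])                    # constructed
CLIENT_KEYTAB = build_keytab([KeytabEntry(PRINC, 3, 18, bytes.fromhex("e5e5e5e5"))])  # constructed

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:3]
    kdc, cli = (open(p, "rb").read() for p in paths) if len(paths) == 2 else (KDC_KEYTAB, CLIENT_KEYTAB)
    for e in parse_keytab(cli):
        for problem in check_entry(e):
            print(f"{e.principal} vno {e.vno}: {problem}")
    print(compare_keytabs(kdc, cli))
```

Run as `python3 keytab_check.py /tmp/lxb003 /etc/krb5.keytab` (the name is arbitrary) to compare the two files from the post; with no arguments it runs on the constructed samples. A key that fails the length check is a transport or file-writing problem somewhere between the KDC and the client, not a kvno or enctype policy question, which narrows where to look next.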
