Anonymous Kerberos and bootstrapping new hosts - how to?

James Croall jcroall at coverity.com
Fri Sep 6 19:22:23 EDT 2013


Hi All,

I have been scratching my head on this for days.

I have set up Kerberos with PKINIT, and everything works nicely. Kerberos works as expected, I can generate X509 certificates that can authenticate as a principal, all good.

What I can't figure out is how to automatically bootstrap a keytab for a new host using anonymous Kerberos. The documentation is a bit fuzzy, and most forum posts I read on the topic suggest using custom scripts and back-channels to accomplish this.

I assume that the approach is:

  1.  kinit -n
  2.  kadmin -n (??)
     *   addprinc ..
     *   xst …

I have set up the ACLs to permit the WELLKNOWN principal access to add new host principals, but for the life of me I just can't figure out how to get it done beyond that:

WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a host/*@TRIAL.COVERITY.COM

kadmin just won't let me in. When using the WELLKNOWN principal, it cannot find the KDC/kadmin server:

> kinit -n
> kadmin -n @TRIAL.COVERITY.COM
Authenticating as principal WELLKNOWN/admin@WELLKNOWN:ANONYMOUS with password; anonymous requested.
kadmin: Cannot resolve network address for KDC in requested realm while initializing kadmin interface

When running kadmin under strace, it seems to be looking for the server in DNS!

Is this approach viable? Can anybody help?

Thanks,

- James
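The kadm5.acl line quoted in the post grants the anonymous principal exactly one right (`a`, add) and only over principals matching `host/*@TRIAL.COVERITY.COM`. The following toy checker, added here as an example and not taken from the post or from MIT's kadmind, approximates kadm5.acl matching so the scope of such a grant can be reviewed offline: `*` matches any string within a single principal component, lowercase letters grant, uppercase letters deny, `x` or `*` grants everything, and the first rule whose principal (and target, when the rule has one) matches decides. The first-match behaviour and the treatment of targeted rules as applying only to operations that have a target are assumptions; the `*N` back-reference syntax and the optional restrictions field are not modelled. The sample ACL text and principal names are constructed for the example.

```python
"""Toy matcher for MIT Kerberos kadm5.acl rules (added example; approximation, not kadmind's code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Permission letters kadmind understands (kadm5.acl(5)): add, delete, modify,
# changepw, inquire, list, setkey, extract.
ALL_PERMS = frozenset("admcilse")


@dataclass
class AclRule:
    principal: str            # pattern the authenticated client principal must match
    perms: str                # permission letters exactly as written in the file
    target: Optional[str]     # optional pattern the operation's target principal must match


def _split_principal(p: str):
    """'name/inst@REALM' -> (['name', 'inst'], 'REALM'); the realm may be absent."""
    if "@" in p:
        name, realm = p.rsplit("@", 1)
    else:
        name, realm = p, None
    return name.split("/"), realm


def principal_matches(pattern: str, principal: str) -> bool:
    """Component-wise match; '*' stands for any string inside one component."""
    pat_comps, pat_realm = _split_principal(pattern)
    comps, realm = _split_principal(principal)
    if len(pat_comps) != len(comps):
        return False
    if pat_realm is not None and not fnmatch.fnmatchcase(realm or "", pat_realm):
        return False
    return all(fnmatch.fnmatchcase(c, p) for p, c in zip(pat_comps, comps))


def granted(perms: str) -> frozenset:
    """Expand a permissions field: lowercase grants, uppercase denies, x or * grants all."""
    allowed = set()
    for ch in perms:
        if ch in "x*":
            allowed |= ALL_PERMS
        elif ch.islower():
            allowed.add(ch)
        else:
            allowed.discard(ch.lower())
    return frozenset(allowed)


def parse_acl(text: str) -> List[AclRule]:
    """Parse kadm5.acl text: 'principal perms [target]' per line, '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {line!r}")
        rules.append(AclRule(fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return rules


def is_allowed(rules: List[AclRule], client: str, op: str, target: Optional[str] = None) -> bool:
    """Assumption: the first rule whose principal (and target, if present) matches decides."""
    for rule in rules:
        if not principal_matches(rule.principal, client):
            continue
        if rule.target is not None:
            # Assumption: a targeted rule only applies to operations that carry a target.
            if target is None or not principal_matches(rule.target, target):
                continue
        return op in granted(rule.perms)
    return False


# Constructed sample ACLs: the narrow grant from the post beside an over-broad variant.
ANON = "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS"
SAMPLE_ACL = """
# anonymous clients may only create host principals in this realm
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS  a  host/*@TRIAL.COVERITY.COM
*/admin@TRIAL.COVERITY.COM               *
"""
BROAD_ACL = "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS  *\n"

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    host = "host/newbox.trial.coverity.com@TRIAL.COVERITY.COM"
    print("anon add host     :", is_allowed(rules, ANON, "a", host))
    print("anon delete host  :", is_allowed(rules, ANON, "d", host))
    print("anon add admin    :", is_allowed(rules, ANON, "a", "admin/newbox@TRIAL.COVERITY.COM"))
    print("broad: anon add admin:", is_allowed(parse_acl(BROAD_ACL), ANON, "a", "admin/newbox@TRIAL.COVERITY.COM"))
```

Run against the real file, the point of the check is the second ACL: a bare `*` for the anonymous principal would let any unauthenticated client create or delete arbitrary principals, whereas the post's line confines it to adding `host/` principals, which is the least-privilege shape a bootstrap grant should keep.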

