Multiple REALMS under one KDC.

Austin Gonyou austin at coremetrics.com
Mon Mar 25 15:30:01 EST 2002


Ok the error below is generated if the keytab extraction is done
incorrectly, when using multiple realms.

If the default realm in the krb5.conf is set to a realm other than what
you're attempting to extract the key for, then your keytab for that
realm will not be setup correctly since kadmin.local will wrongly label
the keytab as being owned by whatever is in default_realm. 

This is my diagnosis of the situation, even if I'm not using the correct
terminology. Haven't tried getting around it "properly"; instead I made
some configuration files, etc., and modified my kadmind init script to
loop through the list of realms that I define, and ensure that
default_realm in krb5.conf is set to the realm that I'm extracting the
keys for during the first-time startup. 

That said, now I've got another problem, and I'm not sure what the
solution is at this time, but better documented and out there than kept
to myself.

Running a kerberized OpenSSH daemon in debug -d^3 mode I get the
following for gssapi:


debug1: userauth-request for user austin service ssh-connection method
gssapi
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi
debug1: Miscellaneous failure
debug1: No principal in keytab matches desired name
Failed gssapi for austin from 10.130.101.99 port 1155 ssh2


So, from looking at this, the next-to-last line says it all, but I'm
confused as to which name it's talking about. The host or the client?

TIA.

On Fri, 2002-03-22 at 18:16, Austin Gonyou wrote:
> I get the following error when trying to start kadmind. Currently I can
> verify that the KDC is running, but no administration can happen. What
> is the following error?
> 
> #kadmind -r REALM2.DOMAIN.COM -port 901
> kadmind: Cannot set GSS-API authentication names.
> -- 
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
> 
> "It is the part of a good shepherd to shear his flock, not to skin it."
> Latin Proverb
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
-- 
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
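The workaround described in the message above (loop over the realms, point default_realm at each one before extracting that realm's host key), scripted as an added example; this is not code from the original post or from the MIT Kerberos project. REALMS, the file paths, the host principal name host/<fqdn>@REALM and the assumption that krb5.conf already contains a default_realm line in [libdefaults] are all assumptions to adjust. The klist -k parser at the end is the check a defender wants after extraction: it shows which realm each host principal in the keytab was actually labelled with, which is the symptom the message describes when default_realm points at the wrong realm.

```shell
#!/bin/sh
# Added example (not from the original post): extract host keys for several
# realms under one KDC, setting default_realm before each extraction.
# Everything below is an assumption for illustration; adjust to your site.
REALMS="${REALMS:-REALM1.DOMAIN.COM REALM2.DOMAIN.COM}"   # assumed realm list
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"                  # file to rewrite
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"                      # keytab to fill
HOST_FQDN="${HOST_FQDN:-$(hostname -f 2>/dev/null || hostname)}"
KADMIN="${KADMIN:-kadmin.local}"

# current_default_realm CONF: print the value of the default_realm line.
current_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# set_default_realm CONF REALM: rewrite the existing default_realm line.
# Writes through a temp file so it does not depend on GNU "sed -i".
set_default_realm() {
    conf="$1"; realm="$2"
    sed "s|^\([[:space:]]*default_realm[[:space:]]*=\).*|\1 $realm|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# extract_host_keys: for each realm, make it the default realm first, then
# extract host/<fqdn>@REALM so kadmin.local labels the key with that realm.
extract_host_keys() {
    for realm in $REALMS; do
        set_default_realm "$KRB5_CONF" "$realm" || return 1
        "$KADMIN" -r "$realm" -q "ktadd -k $KEYTAB host/$HOST_FQDN@$realm" || return 1
    done
}

# keytab_principals_from_klist: read "klist -k" output on stdin and print one
# principal per line, skipping the "Keytab name:" header, the column header
# and the dashed rule (the first three lines of MIT klist -k output).
keytab_principals_from_klist() {
    awk 'NR > 3 && NF >= 2 { print $2 }'
}

# keytab_has_principal KEYTAB PRINCIPAL: exit 0 if the keytab holds PRINCIPAL.
keytab_has_principal() {
    klist -k "$1" | keytab_principals_from_klist | grep -qx "$2"
}

# Only act when explicitly asked, e.g. from the kadmind init script:
#   sh extract-host-keys.sh run
if [ "${1:-}" = "run" ]; then
    extract_host_keys
    # Post-extraction check: every realm's host principal must be present.
    for realm in $REALMS; do
        keytab_has_principal "$KEYTAB" "host/$HOST_FQDN@$realm" \
            || echo "missing host/$HOST_FQDN@$realm in $KEYTAB" >&2
    done
fi
```

MIT Kerberos honours the KRB5_CONFIG environment variable, so KRB5_CONF can be pointed at a per-realm copy of krb5.conf (with KRB5_CONFIG exported to the same path) rather than rewriting the system file in place; the loop is otherwise unchanged.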