Multiple REALMS under one KDC.

Austin Gonyou austin at coremetrics.com
Mon Mar 25 17:36:01 EST 2002 

Please see the next message from me, to Matt Crawford, as I have fixed
this problem. It was a hostname issue.

On Mon, 2002-03-25 at 14:29, Austin Gonyou wrote:
> Ok the error below is generated if the keytab extraction is done
> incorrectly, when using multiple realms.
> 
> If the default realm in the krb5.conf is set to a realm other than what
> you're attempting to extract the key for, then your keytab for that
> realm will not be setup correctly since kadmin.local will wrongly label
> the keytab as being owned by whatever is in default_realm. 
> 
> This is my diagnosis of the situation, even if I'm not using the correct
> terminology. Haven't tried getting around it "properly" instead I made
> some configuration files, etc, and modified my kadmind init script to
> loop through the list of realms that I define, and ensure that
> default_realm in krb5.conf is set to the realm that I'm extracting the
> keys for during the first-time startup. 
> 
> That said, now I've got another problem, and I'm not sure what the
> solution is at this time, but better documented and out there than kept
> to myself.
> 
> Running a kerberized OpenSSH daemon in debug -d^3 mode I get the
> following for gssapi:
> 
> 
> debug1: userauth-request for user austin service ssh-connection method
> gssapi
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method gssapi
> debug1: Miscellaneous failure
> debug1: No principal in keytab matches desired name
> Failed gssapi for austin from 10.130.101.99 port 1155 ssh2
> 
> 
> So, from looking at this, the next-to-last line says it all, but I'm
> confused as to which name it's talking about. The host or the client?
> 
> TIA.
> 
> On Fri, 2002-03-22 at 18:16, Austin Gonyou wrote:
> > I get the following error when trying to start kadmind. Currently I
> can
> > verify that the KDC is running, but no administration can happen. What
> > is the following error?
> > 
> > #kadmind -r REALM2.DOMAIN.COM -port 901
> > kadmind: Cannot set GSS-API authentication names.
> > -- 
> > Austin Gonyou
> > Systems Architect, CCNA
> > Coremetrics, Inc.
> > Phone: 512-698-7250
> > email: austin at coremetrics.com
> > 
> > "It is the part of a good shepherd to shear his flock, not to skin
> it."
> > Latin Proverb
> > _______________________________________________
> > krbdev mailing list             krbdev at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/krbdev
> -- 
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
> 
> "It is the part of a good shepherd to shear his flock, not to skin it."
> Latin Proverb
-- 
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

More information about the krbdev mailing list