Re: Kerberos initialisation error

Cov Thu, 21 Feb 2008 04:18:04 -0800

Okay, /etc/krb5kdc/kdc.conf had to be edited as below:

++++++++++++++++++/etc/krb5kdc/kdc.conf+++++++++++++++++++++
[kdcdefaults]
    kdc_ports = 750,88


[realms]
IQETD.LAN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:norma$
        default_principal_flags = +preauth
    }
+++++++++++++++ end of /etc/krb5kdc/kdc.conf++++++++++++++
Also I had to run "krb5_newrealm" to initialise the KDC database.

This give the following useful tips:

++++++++++++++++++++++++++++++++++++++++++++++++++
# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm
'IQETD.LAN',
master key name 'K/[EMAIL PROTECTED]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
++++++++++++++++++++++++++++++++++++++++++++++++++
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos initialisation error

Reply via email to