On May 26, 2005 3:53 pm, eric wrote:
> Greetings,
>
> I'm trying to configure a kerberos realm on hostA under 3.7-RELEASE.
> Using the config found below [1], this is how far I get.
>
> # kstash
> Master key: <masterkey>
> Verifying password - Master key: <masterkey>
>
> # kadmin -l
> kadmin> init EXAMPLE.NET
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
> kadmin> add root
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Attributes []:
> Password: <foobar>
> Verifying password - Password: <foobar>
>
> # /usr/libexec/kdc &
> # /usr/libexec/kadmind &
> # exit
>
> Next I do...
>
> $ kinit root/admin
> root/[EMAIL PROTECTED]'s Password: <foobar>
>
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1002
> Principal: [EMAIL PROTECTED]
>
> Issued           Expires          Principal
> May 26 16:37:05  May 27 02:37:05  krbtgt/[EMAIL PROTECTED]
>
> So that's all fine and dandy. But....when I try to add a user...
>

You need to create ACLs before you can log on with root/admin here and add users. The format of the acl file is here http://www.pdc.kth.se/heimdal/heimdal.html under remote administration. Alternatively, you can continue to admin the realm with kadmin -l until you have it working right.

> $ kadmin
> kadmin> add plonk
> root/[EMAIL PROTECTED]'s Password:
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> [EMAIL PROTECTED]'s Password:
> Verifying - [EMAIL PROTECTED]'s Password:
> root/[EMAIL PROTECTED]'s Password:
> kadmin: kadm5_create_principal: Client (root/[EMAIL PROTECTED]) unknown
> kadmin: adding plonk: Client not found in Kerberos database
>
> If I destroy my tickets and try and reinit, I see the following...
>
> $ kdestroy
> $ kinit root/admin
> kinit: krb5_get_init_creds: Client (root/[EMAIL PROTECTED]) unknown
>
> The kadmind logs show...
>
> 2005-05-26T16:37:05 Server not found in database: krbtgt/[EMAIL PROTECTED]: No such entry in the database
> 2005-05-26T16:38:02 AS-REQ root/[EMAIL PROTECTED] from IPv6:2001:y:x:z:202:b3ff:fe28:5216 for kadmin/[EMAIL PROTECTED]
> 2005-05-26T16:38:02 UNKNOWN -- root/[EMAIL PROTECTED]: No such entry in the database
> 2005-05-26T16:38:15 AS-REQ root/[EMAIL PROTECTED] from IPv6:2001::y:x:z::202:b3ff:fe28:5216 for kadmin/[EMAIL PROTECTED]
> 2005-05-26T16:45:19 AS-REQ [EMAIL PROTECTED] from IPv6:2001:y:x:z::202:b3ff:fe28:5216 for krbtgt/[EMAIL PROTECTED]
> 2005-05-26T16:47:35 AS-REQ root/[EMAIL PROTECTED] from IPv6:2001::y:x:z:202:b3ff:fe28:5216 for krbtgt/[EMAIL PROTECTED]
> 2005-05-26T16:47:35 UNKNOWN -- root/[EMAIL PROTECTED]: No such entry in the database
>
> That's where I'm stuck. Do I need a krbtgt principal on the local
> machine? If so, how do you add that (since I seem to be running into the
> same problem as above doing so)? Should I use `kadmin -l` to do so?
>
> If anyone can just give me a nudge in the right direction I'd appreciate
> it.
>
> Thanks in advance.
>
> - Eric
>
> [1] /etc/kerberosV/krb5.conf
>
> [libdefaults]
>     default_realm = EXAMPLE.NET
>     clockskew = 300
>     # no-addresses = yes
>
> [realms]
>     EXAMPLE.NET = {
>         kdc = hostA.example.net
>         admin_server = hostA.example.net
>     }
>
> [domain_realm]
>     .example.net = EXAMPLE.NET
>
> [kadmin]
>     default_keys = v5
>
> [logging]
>     kadmind = FILE:/var/heimdal/kadmind.log
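The steps the reply points at, written out as an added example (this is not code from the thread or from Heimdal itself). Two things are worth noting beside the ACL advice: `kadmin -l add root` in the transcript creates the principal root@EXAMPLE.NET, which is a different principal from the root/admin@EXAMPLE.NET that the later `kinit root/admin` asks for, and that mismatch is exactly what the "Client (root/admin@...) unknown" lines in the kadmind log report. `kadmin -l` opens the database directly and is never checked against the ACL; only the networked `kadmin` that talks to kadmind is. The script below assumes the ACL path /var/heimdal/kadmind.acl (FreeBSD's Heimdal default), the administrator principal root/admin@EXAMPLE.NET, and a made-up helpdesk/admin principal that exists only to show a restricted rule. The `acl_grants` function is a simplified reader of the kadmind.acl format (first matching rule, shell-glob pattern) for checking a file before restarting kadmind; it is not Heimdal's own matcher.

```shell
#!/bin/sh
# Added example, not from the original thread.  Bootstraps remote administration
# of a fresh Heimdal realm and checks kadmind.acl rules offline.
# Assumptions (not stated in the post): ACL at /var/heimdal/kadmind.acl,
# administrator root/admin@EXAMPLE.NET, helpdesk/admin@EXAMPLE.NET is invented.
set -eu

REALM=${REALM:-EXAMPLE.NET}
ADMIN=${ADMIN:-root/admin@$REALM}
ACL=${ACL:-/var/heimdal/kadmind.acl}

# Heimdal's kadmind.acl is one rule per line:
#   principal   right[,right...]   [pattern]
# with rights add, change, delete, get, list, modify or all, and an optional
# glob pattern restricting which target principals the rule covers.
write_kadmind_acl() {
    cat > "$1" <<EOF
# Full rights for the realm administrator.
$ADMIN   all
# Assumed helpdesk principal: may only add and list principals in this realm.
helpdesk/admin@$REALM   add,list   *@$REALM
EOF
}

# acl_grants FILE PRINCIPAL RIGHT TARGET: succeed if the first rule for
# PRINCIPAL whose pattern matches TARGET lists RIGHT (or all).
# Simplified reader of the format; not Heimdal's own matching code.
acl_grants() {
    aclfile=$1 who=$2 right=$3 target=$4
    while read -r p rights pattern; do
        case $p in ''|'#'*) continue ;; esac      # blank lines and comments
        [ "$p" = "$who" ] || continue
        case $target in
            ${pattern:-*}) ;;                     # pattern is a shell glob
            *) continue ;;
        esac
        case ",$rights," in
            *,all,*|*,"$right",*) return 0 ;;
        esac
        return 1                                  # first matching rule decides
    done < "$aclfile"
    return 1
}

# Run on the KDC as root, with kadmind stopped.  kadmin -l needs no ACL: it
# opens the database directly.  "add" prompts for the new principal's password.
bootstrap_admin() {
    kadmin -l add "$ADMIN"        # root/admin, not plain root
    write_kadmind_acl "$ACL"
    echo "now start /usr/libexec/kadmind and kinit $ADMIN"
}

# Stand-alone demonstration against a constructed temporary ACL; it never
# touches /var/heimdal or the Kerberos database.
demo() {
    tmp=$(mktemp)
    write_kadmind_acl "$tmp"
    for q in "$ADMIN delete plonk@$REALM" \
             "helpdesk/admin@$REALM add plonk@$REALM" \
             "helpdesk/admin@$REALM delete plonk@$REALM" \
             "helpdesk/admin@$REALM add plonk@OTHER.NET" \
             "root@$REALM add plonk@$REALM"; do
        set -- $q
        if acl_grants "$tmp" "$1" "$2" "$3"; then echo "allow: $q"; else echo "deny:  $q"; fi
    done
    rm -f "$tmp"
}
demo
```

The last query in `demo` is the situation in the transcript: the principal that exists (root@EXAMPLE.NET) has no rule at all, so even once the ACL is in place, `kinit root/admin` still needs root/admin to exist in the database before kadmind can consult the ACL for it.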