RJ45 wrote:
when I try to connect to kadmin remote server (MIT)
from openbsd SSH login gateway, the application hangs:

kadmin> add --random-key host/myhost.mydomain
administrator/[EMAIL PROTECTED]'s Password:


it hangs...

I tried to do this because I can't logon using SSH
I have this error:

Feb 26 21:42:54 myhost krb5: verify: Server not found in Kerberos database


so I tried to register the OpenBSD krb5 client host
to krb5 server using kadmin but as I said it hangs...

what do I have to do?

thanks

Rick

a bit more info could help here! it looks as if you're unable to contact the kdc probably because of either a missing krb5.conf or some DNS-related issues.

- what are you actually trying to do?
        login to remote-host using ssh-gssapi authentication?
        setting up krb for some other app e.g. openafs?
- what is your setup?
        krb5.conf
        do you have a keytab already set up?
        are you in the same NW - i.e. no NAT hiding in the way?
- can you do a kinit successfully?
- what is in your credentials cache afterwards?
        klist -v

e.g. in my heimdal config, i would launch kadmin as follows, assuming a compatible krb5.conf:

kadmin -p admin/krb -r MUSE.NET.NZ
i could add -a <krbserver> if my krb5.conf or DNS doesn't allow kadmin to identify it indirectly

if you just want to krb-ssh to a remote host, then you don't need to set up a keytab on the client side - just a krb5.conf should be enough.

but if you need to add a new host (i.e. one supporting a krb-dependent service such as ktelnet or whatever) then you need:

## use same /etc/kerberosV/krb5.conf
sudo kadmin -p admin/[EMAIL PROTECTED]
        add --random-key host/newhost.muse.net.nz
        ext --keytab=/etc/kerberosV/krb5.keytab host/newhost.muse.net.nz
        exit
chmod 0400 /etc/kerberosV/krb5.keytab

& that works just fine.

kerberised ssh is possible if you enable it in the ssh_config (client side) and sshd_config (server side). the options you need to change (from memory!) are on sshd_config:

# Kerberos options
#KerberosAuthentication no
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

& for ssh_config:

#   GSSAPIAuthentication no
GSSAPIAuthentication yes
#   GSSAPIDelegateCredentials no
GSSAPIDelegateCredentials yes

a+
scorch
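
The server-side settings from the reply above can be checked offline before restarting sshd. This is an added example, not part of the original thread: the function names and the strict yes/no validation are assumptions of the example, and it reads only whitespace-separated `Keyword value` lines in the global section of the file.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the sshd_config
# options and keytab permissions discussed above. Function names are made up.

# effective_opt FILE KEYWORD
# Print the value sshd would use for KEYWORD in the global section: keywords
# are case-insensitive, commented lines are ignored, first occurrence wins.
effective_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }   # stop at the first Match block
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_yes FILE KEYWORD
# Return 0 if the effective value is "yes", 1 if it is "no" or unset,
# 2 if it is anything else (for example a mistyped value).
check_yes() {
    val=$(effective_opt "$1" "$2")
    case "$val" in
        yes) return 0 ;;
        no)  echo "$2 is set to no in $1" >&2; return 1 ;;
        "")  echo "$2 is not set in $1" >&2; return 1 ;;
        *)   echo "$2 has unexpected value '$val' in $1" >&2; return 2 ;;
    esac
}

# keytab_private FILE
# Return 0 only if FILE is a regular file with no group/other permission bits,
# as left by the chmod 0400 step (owner read, optionally owner write).
keytab_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        -r--------|-rw-------) return 0 ;;
        *) echo "$1: missing or readable by group/other" >&2; return 1 ;;
    esac
}

# Usage: sh check.sh /etc/ssh/sshd_config /etc/kerberosV/krb5.keytab
if [ "$#" -eq 2 ]; then
    check_yes "$1" GSSAPIAuthentication
    keytab_private "$2"
fi
```
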
