[EMAIL PROTECTED] wrote:
-----Original Message-----
From: Janne Johansson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 05, 2007 11:09 AM
To: David Rogal
Cc: misc@openbsd.org
Subject: Re: OpenBSD and Kerberos Client
[EMAIL PROTECTED] wrote:
Hello all, I'm having a problem setting up kerberos on an OpenBSD
system. Please advise as you can.
...8<...
I then tried kadmin on krbc2, which doesn't work. It doesn't even
bother with trying to get to the admin server. It just gives me a
prompt 'kadmin>'. Perhaps that's an issue?
That is how my heimdal kadmins work, so from that you should be able
to give kadmin commands, and if they require admin principals (which most
do) then it will ask for that password at that time, not before.
prompt# kadmin -p myname/[EMAIL PROTECTED]
kadmin> ank host/[EMAIL PROTECTED]
<asks for myname/[EMAIL PROTECTED] pw and stuff>
kadmin> ext -k /etc/kerberosV/krb5.keytab host/[EMAIL PROTECTED]
...is how I would add hostkeys to an OBSD host using kadmin.
Thanks for that! I tried it, but kadmin doesn't do anything useful. It
just hangs - doesn't even time out. Tcpdump and ktrace show that kadmin
on the OpenBSD box has a quick chat with Kerberos on the Linux box, but
kadmin doesn't like whatever it receives. I think that's because of what
Viq has to say about Heimdal and MIT Kerberos being incompatible - at
least in respect to kadmin.
I've also found some people complaining that keytabs created on a
different server than the one in which they are meant for do not work
very well. If I can't use Heimdal's kadmin to create the keytab and I
can't use one created remotely, then I simply can't use Heimdal. A
'catch 22' which makes OpenBSD unusable for us in this circumstance.
Perhaps this is an incentive for Heimdal developers to get kadmin to
work with MIT Kerberos. That would help increase its userbase.
I don't think the last part necessarily is connected to the first. Just
because the administrative programs/interfaces might not be
interoperable, I still think you should be able to acquire host-keys
with either software.
Might I suggest you try this from the OBSD box:
/usr/sbin/ktutil -k /etc/kerberosV/krb5.keytab get \
-p myname/[EMAIL PROTECTED] host/[EMAIL PROTECTED]