On Wed, Oct 07, 2009 at 02:22:48PM -0400, Kyle McDonald wrote:
> I've made all the tweaks suggested, and all the ones that I could think of,
> and I'm still getting the same message.
>
> This is SXCE sNVb123 in case that matters.
>
> I've tried to capture all the info I think might matter below. Any ideas
> where this is going wrong? I'm following p394-398 of the OpenSolaris
> 'System Administration Guide: Security Services' document. I can't get past
> the bottom of p396.
>
> > root@keymaster:/etc/krb5# hostname
> > keymaster
> > root@keymaster:/etc/krb5# cat /etc/nodename
> > keymaster
> > root@keymaster:/etc/krb5# cat /etc/hostname.bge1
> > keymaster-bge1
> > root@keymaster:/etc/krb5# cat /etc/hostname.e1000g0
> > keymaster-e1000g0
> > root@keymaster:/etc/krb5# cat /etc/hosts
> > #
> > # CDDL HEADER START
> > #
> > # The contents of this file are subject to the terms of the
> > # Common Development and Distribution License (the "License").
> > # You may not use this file except in compliance with the License.
> > #
> > # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> > # or http://www.opensolaris.org/os/licensing.
> > # See the License for the specific language governing permissions
> > # and limitations under the License.
> > #
> > # When distributing Covered Code, include this CDDL HEADER in each
> > # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> > # If applicable, add the following below this CDDL HEADER, with the
> > # fields enclosed by brackets "[]" replaced with your own identifying
> > # information: Portions Copyright [yyyy] [name of copyright owner]
> > #
> > # CDDL HEADER END
> > #
> > # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > # ident "%Z%%M% %I% %E% SMI"
> > #
> > # Internet host table
> > #
> > ::1 localhost loghost
> > 127.0.0.1 localhost loghost
> > 172.30.171.20 keymaster keymaster.releng.egenera.com
> > keymaster-bge1
> > 172.30.172.20 keymaster keymaster.releng.egenera.com
> > keymaster-e1000g0
> > root@keymaster:/etc/krb5# cat krb5.conf
> > #
> > # CDDL HEADER START
> > #
> > # The contents of this file are subject to the terms of the
> > # Common Development and Distribution License (the "License").
> > # You may not use this file except in compliance with the License.
> > #
> > # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> > # or http://www.opensolaris.org/os/licensing.
> > # See the License for the specific language governing permissions
> > # and limitations under the License.
> > #
> > # When distributing Covered Code, include this CDDL HEADER in each
> > # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> > # If applicable, add the following below this CDDL HEADER, with the
> > # fields enclosed by brackets "[]" replaced with your own identifying
> > # information: Portions Copyright [yyyy] [name of copyright owner]
> > #
> > # CDDL HEADER END
> > #
> > #
> > # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > # ident "@(#)krb5.conf 1.5 07/08/06 SMI"
> > #
> >
> > # krb5.conf template
> > # In order to complete this configuration file
> > # you will need to replace the __<name>__ placeholders
> > # with appropriate values for your network and uncomment the
> > # appropriate entries.
> > #
> > [libdefaults]
> >         default_realm = RELENG.EGENERA.COM
> >
> > [realms]
> >         RELENG.EGENERA.COM = {
> >                 kdc = kdc0.releng.egenera.com
> >                 # kdc = KDC1.RelEng.Egenera.COM
> >                 # kdc = KDC2.RelEng.Egenera.COM
> >                 # kdc = KDC3.RelEng.Egenera.COM
> >                 admin_server = kdc0.releng.egenera.com
> >         }
> >
> > [domain_realm]
> >         .releng.egenera.com = RELENG.EGENERA.COM
> >
> > [logging]
> >         default = FILE:/var/krb5/kdc.log
> >         kdc = FILE:/var/krb5/kdc.log
> >         kdc_rotate = {
> >
> >                 # How often to rotate kdc.log. Logs will get rotated no more
> >                 # often than the period, and less often if the KDC is not used
> >                 # frequently.
> >
> >                 period = 1d
> >
> >                 # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
> >
> >                 versions = 10
> >         }
> >
> > [appdefaults]
> >         kinit = {
> >                 renewable = true
> >                 forwardable= true
> >         }
> >         gkadmin = {
> >                 help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
> >         }
> > root@keymaster:/etc/krb5# cat kdc.conf
> > #
> > # CDDL HEADER START
> > #
> > # The contents of this file are subject to the terms of the
> > # Common Development and Distribution License, Version 1.0 only
> > # (the "License"). You may not use this file except in compliance
> > # with the License.
> > #
> > # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> > # or http://www.opensolaris.org/os/licensing.
> > # See the License for the specific language governing permissions
> > # and limitations under the License.
> > #
> > # When distributing Covered Code, include this CDDL HEADER in each
> > # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> > # If applicable, add the following below this CDDL HEADER, with the
> > # fields enclosed by brackets "[]" replaced with your own identifying
> > # information: Portions Copyright [yyyy] [name of copyright owner]
> > #
> > # CDDL HEADER END
> > #
> > #
> > # Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > #ident "@(#)kdc.conf 1.3 05/06/08 SMI"
> >
> > [kdcdefaults]
> >         kdc_ports = 88,750
> >
> > [realms]
> >         RELENG.EGENERA.COM = {
> >                 profile = /etc/krb5/krb5.conf
> >                 database_name = /var/krb5/principal
> >                 admin_keytab = /etc/krb5/kadm5.keytab
> >                 acl_file = /etc/krb5/kadm5.acl
> >                 kadmind_port = 749
> >                 max_life = 8h 0m 0s
> >                 max_renewable_life = 7d 0h 0m 0s
> >                 default_principal_flags = +preauth
> >                 sunw_dbprop_enable = true
> >                 sunw_dbprop_master_ulogsize = 1000
> >         }
> > root@keymaster:/etc/krb5# cat kadm5.acl
> > #
> > # Copyright 2005 Sun Microsystems, Inc. All rights reserved.
> > # Use is subject to license terms.
> > #
> > # CDDL HEADER START
> > #
> > # The contents of this file are subject to the terms of the
> > # Common Development and Distribution License, Version 1.0 only
> > # (the "License"). You may not use this file except in compliance
> > # with the License.
> > #
> > # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> > # or http://www.opensolaris.org/os/licensing.
> > # See the License for the specific language governing permissions
> > # and limitations under the License.
> > #
> > # When distributing Covered Code, include this CDDL HEADER in each
> > # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> > # If applicable, add the following below this CDDL HEADER, with the
> > # fields enclosed by brackets "[]" replaced with your own identifying
> > # information: Portions Copyright [yyyy] [name of copyright owner]
> > #
> > # CDDL HEADER END
> > #
> > #pragma ident "@(#)kadm5.acl 1.2 05/06/08 SMI"
> >
> > */admin@RELENG.EGENERA.COM *
> > #kiprop/kdc0.releng.egenera.com@RELENG.EGENERA.COM
> > #kiprop/kdc1.releng.egenera.com@RELENG.EGENERA.COM
> > #kiprop/kdc2.releng.egenera.com@RELENG.EGENERA.COM
> > #kiprop/kdc3.releng.egenera.com@RELENG.EGENERA.COM
Why are the kiprop entries commented out? It should look like the example in:

http://docs.sun.com/app/docs/doc/816-4557/faazt?l=en&a=view&q=kiprop

Also, what do the kiprop entries in /etc/krb5/kadm5.keytab look like?

Basically, you should start with the doc above and go through it step by step very, very carefully.

As an aside, I don't think the case of the host as returned by the hostname command should make a difference. Note however that the krb5 client code is converting hostnames to lower case when it constructs a service principal name. So, when one is creating a service principal with a FQDN hostname, the hostname should be all lower case since the KDC is doing an exact match when comparing the service principal name found in the client requests and what is found in the Kerberos database.

Further, this mailing list is for technical discussions regarding OpenSolaris Kerberos and is not really for support issues. We will try to help when we have time but these sorts of queries should really be handled by Sun Sustaining.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
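The two points in the reply above, the client lower-casing the hostname before it builds a service principal while the KDC matches the resulting name exactly, and a commented-out kadm5.acl line granting nothing, can be seen in a small model. The following is an added illustration, not OpenSolaris, MIT or Sun code: the lower-casing and exact-match behaviour are written the way the reply describes them, the kadm5.acl matcher is a deliberately simplified model of the real file (only the principal and permission fields are read, and `*` is treated as a whole-component wildcard), and the principal database and ACL text are constructed samples shaped like the files quoted in the thread.

```python
"""Added illustration of the reply's points; not code from OpenSolaris, MIT or Sun.

1. The client lower-cases the hostname when it builds service/host@REALM.
2. The KDC compares that name against its database with an exact match, so a
   service principal registered with a mixed-case FQDN is never found.
3. A '#' line in kadm5.acl grants no permission at all.
"""

REALM = "RELENG.EGENERA.COM"


def service_principal(service, hostname, realm=REALM):
    """Build service/hostname@REALM as the reply says the client library does:
    the hostname is forced to lower case before the name is constructed."""
    return f"{service}/{hostname.lower()}@{realm}"


def kdc_lookup(db, principal):
    """Exact, case-sensitive match against the KDC database (assumed model of
    what the reply describes)."""
    return principal in db


# Constructed sample databases: one admin registered the host principal with a
# mixed-case FQDN (as `hostname` might print it), the other in lower case.
MIXED_CASE_DB = {f"host/KeyMaster.releng.egenera.com@{REALM}"}
LOWER_CASE_DB = {f"host/keymaster.releng.egenera.com@{REALM}"}


def parse_kadm5_acl(text):
    """Return (principal_pattern, permissions) pairs, skipping blank and '#' lines.
    Simplified: target-principal and restriction fields of the real format are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented kiprop line is skipped here, so it grants nothing
        fields = line.split()
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def _component_match(pattern, value):
    # Simplified wildcard: '*' stands for a whole component; anything else is exact.
    return pattern == "*" or pattern == value


def acl_permissions(acl_text, principal):
    """Permissions granted to `principal` by the first matching rule, or None.
    Each of primary, instance and realm is compared exactly, '*' matching any
    whole component (the real kadm5.acl wildcard syntax is richer than this)."""
    name, _, realm = principal.rpartition("@")
    primary, _, instance = name.partition("/")
    for pattern, perms in parse_kadm5_acl(acl_text):
        pname, _, prealm = pattern.rpartition("@")
        pprimary, _, pinstance = pname.partition("/")
        if (_component_match(pprimary, primary)
                and _component_match(pinstance, instance)
                and _component_match(prealm, realm)):
            return perms
    return None


# Constructed ACL mirroring the shape of the one quoted in the thread (kiprop
# commented out), and the same ACL with the kiprop line enabled with 'p'.
ACL_AS_POSTED = """\
*/admin@RELENG.EGENERA.COM *
#kiprop/kdc0.releng.egenera.com@RELENG.EGENERA.COM p
"""
ACL_FIXED = ACL_AS_POSTED.replace("#kiprop", "kiprop")


if __name__ == "__main__":
    req = service_principal("host", "KeyMaster.releng.egenera.com")
    print(req, "found in mixed-case DB:", kdc_lookup(MIXED_CASE_DB, req))
    print(req, "found in lower-case DB:", kdc_lookup(LOWER_CASE_DB, req))
    kiprop = f"kiprop/kdc0.releng.egenera.com@{REALM}"
    print("kiprop permissions as posted:", acl_permissions(ACL_AS_POSTED, kiprop))
    print("kiprop permissions when enabled:", acl_permissions(ACL_FIXED, kiprop))
```

Run it as a script to see the lower-cased request miss the mixed-case database and hit the lower-case one, and the kiprop principal go from no permissions to `p` once its ACL line is no longer a comment; the names and the `p` permission in the sample ACL are assumptions for the illustration, not values taken from the thread.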