Will Fiveash wrote:
> On Wed, Oct 07, 2009 at 02:22:48PM -0400, Kyle McDonald wrote:
>
>>> #pragma ident "@(#)kadm5.acl 1.2 05/06/08 SMI"
>>>
>>> */admin at RELENG.EGENERA.COM *
>>> #kiprop/kdc0.releng.egenera.com at RELENG.EGENERA.COM
>>> #kiprop/kdc1.releng.egenera.com at RELENG.EGENERA.COM
>>> #kiprop/kdc2.releng.egenera.com at RELENG.EGENERA.COM
>>> #kiprop/kdc3.releng.egenera.com at RELENG.EGENERA.COM
>>>
>
> Why are the kiprop entries commented out? It should look like the
> example in:
> http://docs.sun.com/app/docs/doc/816-4557/faazt?l=en&a=view&q=kiprop
>
>
Ok. I was following the instructions for manually configuring a master KDC at:

http://docs.sun.com/app/docs/doc/816-4557/setup-1?l=en&a=view

Those lines are commented out because I've only gotten through step 6 there, and step 7 is the one that is failing, and the instructions haven't mentioned putting them in yet. I put them in as comments because I have already read through all the directions first, and I put in (as comments) all the info I read I would eventually need. Now I'm going back and trying to do the steps one by one, and I can't get #7 to work.

> Also, what do the kiprop entries in /etc/krb5/kadm5.keytab look like?
>
>
Ah HA! I missed step 6c. on my way back through the directions. Thanks!

> Basically, you should start with the doc above and go through it step by
> step very, very carefully.
>
> As an aside, I don't think the case of the host as returned by the
> hostname command should make a difference.

I didn't think so either, and I just tried it again, and it doesn't. :)

> Note however that the krb5 client
> code is converting hostnames to lower case when it constructs a
> service principal name. So, when one is creating a service principal
> with a FQDN hostname, the hostname should be all lower case since the
> KDC is doing an exact match when comparing the service principal name
> found in the client requests and what is found in the Kerberos database.
>
>
That's what I had read in the docs, and why I had created the principals in lower case the first time. It was only when the mixed case showed up in the error message that I tried the principal in mixed case to match the error message.

> Further, this mail list is for technical discussions regarding
> OpenSolaris Kerberos and is not really for support issues. We will try
> to help when we have time but these sorts of queries should really be
> handled by Sun Sustaining.
>
>
Oh. Ok. My apologies. Many (all?) of the other *-discuss at opensolaris.org lists (zfs-discuss, smf-discuss, cifs-discuss, xwin-discuss, etc.) field troubleshooting questions like these, so it didn't occur to me that that wasn't allowed here.

Is there a good user-supported discussion list for Kerberos usage and configuration questions?

-Kyle
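
An added example, not part of the original messages or of any Kerberos code: it models the rule Will describes (the client lower-cases the hostname when building a service principal name, the KDC compares exactly) and flags database principals that a client-built name could never match. The function names, the EXAMPLE.COM principals and the "second component contains a dot" test for host-based principals are assumptions made for illustration.

```python
def parse_principal(name):
    """Split 'comp/comp@REALM' into (components, realm), honouring backslash escapes."""
    comps, cur, realm, in_realm = [], [], [], False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            # An escaped character is taken literally, never as a separator.
            (realm if in_realm else cur).append(name[i + 1])
            i += 2
            continue
        if c == "@" and not in_realm:
            in_realm = True
        elif c == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        else:
            (realm if in_realm else cur).append(c)
        i += 1
    comps.append("".join(cur))
    return comps, "".join(realm)


def client_spn(service, hostname, realm):
    """Name a client would request, per the thread: hostname lower-cased, realm untouched."""
    return f"{service}/{hostname.lower()}@{realm}"


def unreachable_host_principals(db_principals):
    """Return (stored, requested) pairs where an exact match can never succeed."""
    bad = []
    for stored in db_principals:
        comps, realm = parse_principal(stored)
        # Assumption: a two-component name whose second part contains a dot is host-based.
        if len(comps) == 2 and "." in comps[1] and comps[1] != comps[1].lower():
            bad.append((stored, client_spn(comps[0], comps[1], realm)))
    return bad


# Constructed sample of a principal listing (placeholder realm and hosts).
SAMPLE = [
    "host/kdc0.example.com@EXAMPLE.COM",
    "host/KDC1.Example.COM@EXAMPLE.COM",
    "kiprop/kdc1.example.com@EXAMPLE.COM",
    "kws/admin@EXAMPLE.COM",
]

if __name__ == "__main__":
    for stored, requested in unreachable_host_principals(SAMPLE):
        print(f"{stored}: clients will ask for {requested}")
```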