Douglas E. Engert wrote:
>
>
> Kyle McDonald wrote:
>> I've made all the tweaks suggested, and all the ones that I could
>> think of, and I'm still getting the same message.
>>
>> This is SXCE sNVb123 in case that matters.
>>
>> I've tried to capture all the info I think might matter below. Any
>> ideas where this is going wrong? I'm following p394-398 of the Open
>> Solaris 'System Administration Guide: Security Services' Document. I
>> can't get past the bottom of p396.
>>
>>> root@keymaster:/etc/krb5# hostname
>>> keymaster
>
> For what it is worth, Kerberos usually wants the hostname command to
> return the FQDN, rather than the short name. We always install a new
> system from the start using the FQDN.
>
> Looking at your DNS records, is kdc0 an alias for keymaster?
> Maybe you should just call the machine kdc0.releng.egenera.com
> and forget using keymaster or make it an alias for kdc0.
>

I might end up doing that if I run into more problems (with Shawn's help, I think I've found the current problem.) But I'll point out that the docs I'm reading actually recommend a DNS CNAME for the KDC just like I have - so I wouldn't expect that to be the problem.
Thanks everyone!

 -Kyle

>
>>> root@keymaster:/etc/krb5# cat /etc/nodename
>>> keymaster
>>> root@keymaster:/etc/krb5# cat /etc/hostname.bge1
>>> keymaster-bge1
>>> root@keymaster:/etc/krb5# cat /etc/hostname.e1000g0
>>> keymaster-e1000g0
>>> root@keymaster:/etc/krb5# cat /etc/hosts
>>> # CDDL HEADER START
>>> #
>>> # The contents of this file are subject to the terms of the
>>> # Common Development and Distribution License (the "License").
>>> # You may not use this file except in compliance with the License.
>>> #
>>> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>>> # or http://www.opensolaris.org/os/licensing.
>>> # See the License for the specific language governing permissions
>>> # and limitations under the License.
>>> #
>>> # When distributing Covered Code, include this CDDL HEADER in each
>>> # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>>> # If applicable, add the following below this CDDL HEADER, with the
>>> # fields enclosed by brackets "[]" replaced with your own identifying
>>> # information: Portions Copyright [yyyy] [name of copyright owner]
>>> #
>>> # CDDL HEADER END
>>> #
>>> # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
>>> # Use is subject to license terms.
>>> #
>>> # ident "%Z%%M% %I% %E% SMI"
>>> #
>>> # Internet host table
>>> #
>>> ::1 localhost loghost
>>> 127.0.0.1 localhost loghost
>>> 172.30.171.20 keymaster keymaster.releng.egenera.com keymaster-bge1
>>> 172.30.172.20 keymaster keymaster.releng.egenera.com keymaster-e1000g0
>>> root@keymaster:/etc/krb5# cat krb5.conf
>>> #
>>> # CDDL HEADER START
>>> #
>>> # The contents of this file are subject to the terms of the
>>> # Common Development and Distribution License (the "License").
>>> # You may not use this file except in compliance with the License.
>>> #
>>> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>>> # or http://www.opensolaris.org/os/licensing.
>>> # See the License for the specific language governing permissions
>>> # and limitations under the License.
>>> #
>>> # When distributing Covered Code, include this CDDL HEADER in each
>>> # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>>> # If applicable, add the following below this CDDL HEADER, with the
>>> # fields enclosed by brackets "[]" replaced with your own identifying
>>> # information: Portions Copyright [yyyy] [name of copyright owner]
>>> #
>>> # CDDL HEADER END
>>> #
>>> #
>>> # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
>>> # Use is subject to license terms.
>>> #
>>> # ident "@(#)krb5.conf 1.5 07/08/06 SMI"
>>> #
>>>
>>> # krb5.conf template
>>> # In order to complete this configuration file
>>> # you will need to replace the __<name>__ placeholders
>>> # with appropriate values for your network and uncomment the
>>> # appropriate entries.
>>> #
>>> [libdefaults]
>>>     default_realm = RELENG.EGENERA.COM
>>>
>>> [realms]
>>>     RELENG.EGENERA.COM = {
>>>         kdc = kdc0.releng.egenera.com
>>> #       kdc = KDC1.RelEng.Egenera.COM
>>> #       kdc = KDC2.RelEng.Egenera.COM
>>> #       kdc = KDC3.RelEng.Egenera.COM
>>>         admin_server = kdc0.releng.egenera.com
>>>     }
>>>
>>> [domain_realm]
>>>     .releng.egenera.com = RELENG.EGENERA.COM
>>>
>>> [logging]
>>>     default = FILE:/var/krb5/kdc.log
>>>     kdc = FILE:/var/krb5/kdc.log
>>>     kdc_rotate = {
>>>
>>> # How often to rotate kdc.log. Logs will get rotated no more
>>> # often than the period, and less often if the KDC is not used
>>> # frequently.
>>>
>>>         period = 1d
>>>
>>> # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
>>>
>>>         versions = 10
>>>     }
>>>
>>> [appdefaults]
>>>     kinit = {
>>>         renewable = true
>>>         forwardable= true
>>>     }
>>>     gkadmin = {
>>>         help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
>>>     }
>>> root@keymaster:/etc/krb5# cat kdc.conf
>>> #
>>> # CDDL HEADER START
>>> #
>>> # The contents of this file are subject to the terms of the
>>> # Common Development and Distribution License, Version 1.0 only
>>> # (the "License"). You may not use this file except in compliance
>>> # with the License.
>>> #
>>> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>>> # or http://www.opensolaris.org/os/licensing.
>>> # See the License for the specific language governing permissions
>>> # and limitations under the License.
>>> #
>>> # When distributing Covered Code, include this CDDL HEADER in each
>>> # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>>> # If applicable, add the following below this CDDL HEADER, with the
>>> # fields enclosed by brackets "[]" replaced with your own identifying
>>> # information: Portions Copyright [yyyy] [name of copyright owner]
>>> #
>>> # CDDL HEADER END
>>> #
>>> #
>>> # Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
>>> # Use is subject to license terms.
>>> #
>>> #ident "@(#)kdc.conf 1.3 05/06/08 SMI"
>>>
>>> [kdcdefaults]
>>>     kdc_ports = 88,750
>>>
>>> [realms]
>>>     RELENG.EGENERA.COM = {
>>>         profile = /etc/krb5/krb5.conf
>>>         database_name = /var/krb5/principal
>>>         admin_keytab = /etc/krb5/kadm5.keytab
>>>         acl_file = /etc/krb5/kadm5.acl
>>>         kadmind_port = 749
>>>         max_life = 8h 0m 0s
>>>         max_renewable_life = 7d 0h 0m 0s
>>>         default_principal_flags = +preauth
>>>         sunw_dbprop_enable = true
>>>         sunw_dbprop_master_ulogsize = 1000
>>>     }
>>> root@keymaster:/etc/krb5# cat kadm5.acl
>>> #
>>> # Copyright 2005 Sun Microsystems, Inc. All rights reserved.
>>> # Use is subject to license terms.
>>> #
>>> # CDDL HEADER START
>>> #
>>> # The contents of this file are subject to the terms of the
>>> # Common Development and Distribution License, Version 1.0 only
>>> # (the "License"). You may not use this file except in compliance
>>> # with the License.
>>> #
>>> # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>>> # or http://www.opensolaris.org/os/licensing.
>>> # See the License for the specific language governing permissions
>>> # and limitations under the License.
>>> #
>>> # When distributing Covered Code, include this CDDL HEADER in each
>>> # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>>> # If applicable, add the following below this CDDL HEADER, with the
>>> # fields enclosed by brackets "[]" replaced with your own identifying
>>> # information: Portions Copyright [yyyy] [name of copyright owner]
>>> #
>>> # CDDL HEADER END
>>> #
>>> #pragma ident "@(#)kadm5.acl 1.2 05/06/08 SMI"
>>>
>>> */admin@RELENG.EGENERA.COM *
>>> #kiprop/kdc0.releng.egenera.com@RELENG.EGENERA.COM
>>> #kiprop/kdc1.releng.egenera.com@RELENG.EGENERA.COM
>>> #kiprop/kdc2.releng.egenera.com@RELENG.EGENERA.COM
>>> #kiprop/kdc3.releng.egenera.com@RELENG.EGENERA.COM
>>>
>>> root@keymaster:/etc/krb5# tail /var/krb5/kdc.log
>>> Oct 07 14:08:08 keymaster kadmind[963](Error): Unable to set RPCSEC_GSS service name (`kiprop@kdc0.releng.egenera.com'), failing.
>>> Oct 07 14:08:08 keymaster kadmind[964](info): No dictionary file specified, continuing without one.
>>> Oct 07 14:08:08 keymaster kadmind[965](Error): Unable to set RPCSEC_GSS service name (`kiprop@kdc0.releng.egenera.com'), failing.
>>> Oct 07 14:08:08 keymaster kadmind[966](info): No dictionary file specified, continuing without one.
>>> Oct 07 14:08:08 keymaster kadmind[967](Error): Unable to set RPCSEC_GSS service name (`kiprop@kdc0.releng.egenera.com'), failing.
>>> Oct 07 14:08:08 keymaster kadmind[968](info): No dictionary file specified, continuing without one.
>>> Oct 07 14:08:08 keymaster kadmind[969](Error): Unable to set RPCSEC_GSS service name (`kiprop@kdc0.releng.egenera.com'), failing.
>>> Oct 07 14:08:09 keymaster kadmind[970](info): No dictionary file specified, continuing without one.
>>> Oct 07 14:08:09 keymaster kadmind[971](Error): Unable to set RPCSEC_GSS service name (`kiprop@kdc0.releng.egenera.com'), failing.
>>> Oct 07 14:09:09 keymaster kadmin.local[978](info): No dictionary file specified, continuing without one.
>>> root@keymaster:/etc/krb5# dig keymaster.releng.egenera.com
>>>
>>> ; <<>> DiG 9.6.1-P1 <<>> keymaster.releng.egenera.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 507
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6
>>>
>>> ;; QUESTION SECTION:
>>> ;keymaster.releng.egenera.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> keymaster.releng.egenera.com. 600 IN A 172.30.172.20
>>> keymaster.releng.egenera.com. 600 IN A 172.30.171.20
>>>
>>> ;; AUTHORITY SECTION:
>>> releng.egenera.com. 600 IN NS DNS2.releng.egenera.com.
>>> releng.egenera.com. 600 IN NS DNS3.releng.egenera.com.
>>> releng.egenera.com. 600 IN NS DNS1.releng.egenera.com.
>>>
>>> ;; ADDITIONAL SECTION:
>>> DNS1.releng.egenera.com. 600 IN A 172.30.172.81
>>> DNS1.releng.egenera.com. 600 IN A 172.30.171.81
>>> DNS2.releng.egenera.com. 600 IN A 172.30.172.82
>>> DNS2.releng.egenera.com. 600 IN A 172.30.171.82
>>> DNS3.releng.egenera.com. 600 IN A 172.30.172.83
>>> DNS3.releng.egenera.com. 600 IN A 172.30.171.83
>>>
>>> ;; Query time: 2 msec
>>> ;; SERVER: 172.30.171.81#53(172.30.171.81)
>>> ;; WHEN: Wed Oct 7 14:21:33 2009
>>> ;; MSG SIZE rcvd: 231
>>>
>>> root@keymaster:/etc/krb5# dig kdc0.releng.egenera.com
>>>
>>> ; <<>> DiG 9.6.1-P1 <<>> kdc0.releng.egenera.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 314
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 6
>>>
>>> ;; QUESTION SECTION:
>>> ;kdc0.releng.egenera.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> kdc0.releng.egenera.com. 600 IN CNAME KeyMaster.releng.egenera.com.
>>> KeyMaster.releng.egenera.com. 600 IN A 172.30.171.20
>>> KeyMaster.releng.egenera.com. 600 IN A 172.30.172.20
>>>
>>> ;; AUTHORITY SECTION:
>>> releng.egenera.com. 600 IN NS DNS1.releng.egenera.com.
>>> releng.egenera.com. 600 IN NS DNS2.releng.egenera.com.
>>> releng.egenera.com. 600 IN NS DNS3.releng.egenera.com.
>>>
>>> ;; ADDITIONAL SECTION:
>>> DNS1.releng.egenera.com. 600 IN A 172.30.172.81
>>> DNS1.releng.egenera.com. 600 IN A 172.30.171.81
>>> DNS2.releng.egenera.com. 600 IN A 172.30.172.82
>>> DNS2.releng.egenera.com. 600 IN A 172.30.171.82
>>> DNS3.releng.egenera.com. 600 IN A 172.30.172.83
>>> DNS3.releng.egenera.com. 600 IN A 172.30.171.83
>>>
>>> ;; Query time: 1 msec
>>> ;; SERVER: 172.30.171.81#53(172.30.171.81)
>>> ;; WHEN: Wed Oct 7 14:21:46 2009
>>> ;; MSG SIZE rcvd: 250
>>>
>>> root@keymaster:/etc/krb5#
>>
>> _______________________________________________
>> kerberos-discuss mailing list
>> kerberos-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
>>
>>
>
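
The short-name versus FQDN question raised in the reply can be checked mechanically across `hostname`, `/etc/hosts` and the hosts named in `krb5.conf`. The following is an added example, not code from the thread or from the Solaris documentation; the function names, check labels and embedded sample data (constructed from the hostname, hosts entries and CNAME quoted above) are assumptions for illustration. It lists naming mismatches worth comparing against the principals in use and does not claim to identify the cause of the kadmind error.

```python
# Added example (not from the thread): compare the names a KDC host is known by.
# Sample data is constructed from the hostname, /etc/hosts and dig output quoted above.
HOSTNAME = "keymaster"
HOSTS = """\
::1 localhost loghost
127.0.0.1 localhost loghost
172.30.171.20 keymaster keymaster.releng.egenera.com keymaster-bge1
172.30.172.20 keymaster keymaster.releng.egenera.com keymaster-e1000g0
"""
CNAMES = {"kdc0.releng.egenera.com": "keymaster.releng.egenera.com"}
KRB5_HOSTS = ["kdc0.releng.egenera.com"]  # kdc / admin_server values in krb5.conf


def is_fqdn(name):
    """Treat any name with an interior dot as fully qualified."""
    return "." in name.strip(".")


def parse_hosts(text):
    """Yield (address, canonical, aliases); the first name on a line is canonical."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]


def audit(hostname, hosts_text, cnames, krb5_hosts):
    """Return a list of (check, subject, detail) findings in input order."""
    findings = []
    if not is_fqdn(hostname):
        findings.append(("hostname-short", hostname, "hostname is not an FQDN"))
    for addr, canonical, aliases in parse_hosts(hosts_text):
        fqdns = [a for a in aliases if is_fqdn(a)]
        # A short canonical name with an FQDN alias means lookups via the
        # hosts file return the short name as the official host name.
        if not is_fqdn(canonical) and fqdns:
            findings.append(("hosts-canonical-short", addr,
                             f"{canonical} listed before {fqdns[0]}"))
    for host in krb5_hosts:
        target = cnames.get(host.lower().rstrip("."))
        if target:
            findings.append(("krb5-host-is-alias", host, f"CNAME for {target}"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in audit(HOSTNAME, HOSTS, CNAMES, KRB5_HOSTS):
        print(f"{check:22} {subject:26} {detail}")
```
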