On Wed, Aug 25, 2004 at 02:38:05PM -0400, Ahluwalia, Ish wrote:
> Hi Wyllys:
>
> Thanks very much for the response. Below please find my response. Thanks in
> advance for the help.
>
> >>>>>>>>>>>>>>>>>>>You wrote<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> It sounds like your server process does not have access to its credentials.
> Is the server running with permissions to read the keytab file that
> contains its keys?
> If you are using a standard service like "host/foo.bar.com", then it's
> probably in the system keytab (/etc/krb5/krb5.keytab) and your process will
> need root privilege to read that file.
>
> If your service principal keys are not in a keytab, they should be added
> using kadmin.
>
> kadmin
> ktadd host/foo.bar.com
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> Yes, I'm planning to be a service (running on an application server
> different from the KDC) with "service/<FQDN>@REALM" name. It is our own
> service, nothing like telnet or ftp. Nonetheless, clients have to
> authenticate with the KDC and then they communicate with my service which
> handles all the AP-REQ and AP-REP. I think you are right that I
> don't have a keytab entry. In fact, I searched the whole system and
> didn't even find a file called "krb5.keytab". Is it supposed to be
> there by default or does it get created as part of the "ktadd" command?

The /etc/krb5/krb5.keytab file is typically created by the kadmin ktadd
command.

> Also, there is a bit of an issue - I'm not using the SUN Solaris
> distribution KDC. It is some other company's which does not have an
> interface for the KADMIN command, which I'm assuming communicates with the
> KADMIND process running on the KDC and creates the service entries.
> Assuming I figure out how to add a service on the KDC with a shared
> key (which needs to be the same key at the application server), is there a
> way to create a keytab entry on my service host without using kadmin?

You'll have to ask your KDC vendor that question. It sounds like you'll have
to produce a Solaris Kerberos (based on MIT) compatible keytab file on the KDC
system and then copy it (securely) on to the Solaris system as
/etc/krb5/krb5.keytab. You can test it by doing a:

kinit -k <service princ>

to make sure kinit can get a cred based on the keytab entry.

> KADMIN fails for me since there is no KADMIND running anywhere on
> my KDC (it doesn't support it). Is there a way to create a keytab file
> and other stuff that I may need to have a successful generation of
> TGSs with my service's master key which is also on the KDC.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
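The thread leaves two practical questions open: what an MIT/Solaris-compatible keytab file actually looks like on disk (so one can be produced on a KDC that has no kadmin), and whether the service process can read it at all, which was Wyllys's first question. The following Python is an added example written for this page; it is not code from the thread or from the MIT or Solaris Kerberos projects. It writes and parses the documented version-2 (0x0502) keytab layout and checks read access for the current process. The principal name, realm, key bytes, enctype and timestamp are constructed sample values; a real file must carry the same key and key version number (kvno) that the KDC holds for that principal, or `kinit -k` will fail.

```python
"""Added example: MIT/Solaris keytab (format 0x0502) writer, reader and
read-access check. Sample principal, key bytes and timestamp are constructed."""
import os
import struct
import tempfile

KEYTAB_VERSION = b"\x05\x02"   # keytab format version 2, all fields big-endian
KRB5_NT_PRINCIPAL = 1          # name type used for service/host@REALM names


def _counted(b: bytes) -> bytes:
    """MIT 'counted_octet_string': uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _take(data: bytes, pos: int):
    """Inverse of _counted: returns (bytes, position after them)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def encode_entry(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int) -> bytes:
    """One keytab entry: int32 size (excluding itself) followed by the entry body."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))          # v2: count excludes the realm
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", timestamp)                # when the key was added
    body += struct.pack(">B", kvno & 0xFF)              # legacy 8-bit key version
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock: enctype + key
    body += struct.pack(">I", kvno)                     # 32-bit key version extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    """Serialize entry dicts (principal, enctype, key, kvno, timestamp) into a keytab."""
    return KEYTAB_VERSION + b"".join(encode_entry(**e) for e in entries)


def parse_keytab(data: bytes):
    """Parse a version-2 keytab into dicts; a negative size marks a deleted slot."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # slot removed by ktremove: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(data, pos)
            comps.append(comp.decode())
        name_type, timestamp = struct.unpack_from(">II", data, pos)
        pos += 8
        vno8 = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _take(data, pos)
        kvno = vno8
        if end - pos >= 4:         # the 32-bit vno is optional; older writers omit it
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "enctype": enctype, "key": key, "kvno": kvno,
        })
        pos = end
    return entries


def keytab_readable(path: str) -> bool:
    """Wyllys's first question: can *this* process read the keytab file?"""
    return os.path.isfile(path) and os.access(path, os.R_OK)


if __name__ == "__main__":
    sample = [{"principal": "service/app.example.com@EXAMPLE.COM",  # constructed
               "enctype": 18,                  # aes256-cts-hmac-sha1-96
               "key": bytes(range(32)),        # constructed key bytes, not a real key
               "kvno": 3, "timestamp": 1093459085}]
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
        f.write(write_keytab(sample))
    print("readable by this process:", keytab_readable(f.name))
    for e in parse_keytab(open(f.name, "rb").read()):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    os.unlink(f.name)
```

Once a file like this is installed as /etc/krb5/krb5.keytab (mode 0600, owned by the account the service runs as, or root if the service reads it before dropping privilege), `klist -k` lists its entries and the `kinit -k service/app.example.com@EXAMPLE.COM` test from the reply above confirms the key and kvno match what the KDC has; if `keytab_readable` reports False for the service's own uid, that is the "no access to its credentials" symptom the thread started with.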
