Rodrick Brown wrote:

> I'm trying to set up kerberos with the default KRB5 that comes stock 
> with Solaris 10. I'm running into the same problem over and over, no 
> matter what system I use or how many times I start from scratch. I'm 
> unable to get kadmind to start.
> 
> Jan 08 14:02:41 icarus krb5kdc[18679](info): AS_REQ 10.0.0.13(0): 
> CLIENT_NOT_FOUND: kadmin/[EMAIL PROTECTED]
> ET for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database
> Jan 08 14:02:41 icarus krb5kdc[18679](info): DISPATCH: repeated 
> (retransmitted?) request from 10.0.0.13 port
>  0, resending previous response
> 
The kadmin/[EMAIL PROTECTED] should be kadmin/[EMAIL PROTECTED]
i.e. host names in Kerberos are always FQDN.

Check the hostname, and /etc/hosts to make sure the FQDN is used.

> 
> Running: kinit -kt /etc/krb5/kadm5.keytab -c /tmp/krb-diag-cache.18720 
> kadmin/changepw
> kinit(v5): Key table entry not found while getting initial credentials

What are you trying to do here? For the admin functions, you would normally
have a user/[EMAIL PROTECTED] principal for each administrator, and use these
for administration commands.


To get started you can use kadmin.local on the master KDC machine to administer
the database. (You have the kadmind running as a daemon?) Then you can use the
kadmin program from other machines, if you have the user/admin principals
correct in the database.


> 
> Warning: kadmind not fully configured (can not get kadmin/changepw
> service principal ticket from /etc/krb5/kadm5.keytab).
> 
> Use the kadmin ktadd command to add this principal to the
> /etc/krb5/kadm5.keytab keytab:
> 
> ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
> Ignore this warning if this system is not a master KDC.
> -------------------------------------------------------
> 
> Warning: kadmind not fully configured (can not get kadmin/icarus.phusnikn.net
> service principal ticket from /etc/krb5/kadm5.keytab).
> Ignore this warning if this system is not a master KDC.
> 
> 
> --- krb5.conf ---
> 
> [libdefaults]
>         default_realm = PHUSNIKN.NET
> 
> [realms]
>         PHUSNIKN.NET = {
>                 kdc = icarus.phusnikn.net
>                 admin_server = icarus.phusnikn.net
>         }
> 
> [domain_realm]
>         .phusnikn.net = PHUSNIKN.NET
> 
> [logging]
>         default = FILE:/var/krb5/kdc.log
>         kdc = FILE:/var/krb5/kdc.log
>         kdc_rotate = {
>         period = 1d
>         versions = 10
>         }
> 
> [appdefaults]
>         kinit = {
>                 renewable = true
>                 forwardable= true
>         }
>         gkadmin = {
>                 help_url = 
> http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
>         }
> 
> ---  kdc.conf ---
> [kdcdefaults]
>         kdc_ports = 88,750
> 
> [realms]
>         PHUSNIKN.NET = {
>                 profile = /etc/krb5/krb5.conf
>                 database_name = /var/krb5/principal
>                 admin_keytab = /etc/krb5/kadm5.keytab
>                 acl_file = /etc/krb5/kadm5.acl
>                 kadmind_port = 749
>                 max_life = 8h 0m 0s
>                 max_renewable_life = 7d 0h 0m 0s
>                 default_principal_flags = +preauth
>                 sunw_dbprop_enable = true
>                 sunw_dbprop_master_ulogsize = 1000
>         }
> 
> Should I just junk SUN's implementation and use MIT's?
> 
> Has anyone here successfully set up kerberos on Solaris 10?

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
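
A way to run the hostname and /etc/hosts check suggested in the reply above, as an added example that is not part of the original thread. The function names are hypothetical and the sample files are constructed; it assumes the first name on a hosts line is what the resolver returns as the canonical host name, and it takes the realm from default_realm in krb5.conf.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# canonical_name HOSTS_FILE NAME
# Print the first name on the hosts line that lists NAME. The resolver returns
# that first name as the canonical host name; later names are aliases.
canonical_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # skip blank or address-only lines
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) { print $2; exit } }
    ' "$1"
}

# default_realm KRB5_CONF: print the default_realm value.
default_realm() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# expected_principal HOSTS_FILE NAME KRB5_CONF
# Print kadmin/<fqdn>@<realm>; return 1 if the canonical name has no domain
# part, 2 if the host or realm cannot be found.
expected_principal() {
    cn=$(canonical_name "$1" "$2")
    realm=$(default_realm "$3")
    [ -n "$cn" ] && [ -n "$realm" ] || return 2
    case "$cn" in
        *.*) printf 'kadmin/%s@%s\n' "$cn" "$realm" ;;
        *)   printf 'canonical name "%s" is not an FQDN\n' "$cn" >&2
             return 1 ;;
    esac
}

# Demo on constructed data: the same host with the short name first, then
# with the FQDN first.
demo() {
    d=$(mktemp -d) || return 1
    printf '10.0.0.13 icarus icarus.phusnikn.net\n' > "$d/hosts.short"
    printf '10.0.0.13 icarus.phusnikn.net icarus\n' > "$d/hosts.fqdn"
    printf '[libdefaults]\n        default_realm = PHUSNIKN.NET\n' > "$d/krb5.conf"
    for h in hosts.short hosts.fqdn; do
        expected_principal "$d/$h" icarus "$d/krb5.conf" || true
    done
    rm -rf "$d"
}
demo
```

On the real machine, point it at /etc/hosts and /etc/krb5/krb5.conf and compare the printed principal with the entries in /etc/krb5/kadm5.keytab.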
