On 2006-06-11 04:27:25 +0200, [EMAIL PROTECTED] said:

> Hello,
>
> I tried to install Kerberos on my small systems and have got
> limited success.
>
> krb5kdc and kadmind are installed on an Intel Xeon box running
> 65-bit Fedora Core 5. Firewall is enabled on this machine, with port 88
> and 749 accepting incoming packets. DNS is also working properly.
>
> kdc5.conf

So, I suppose you have enabled TCP/UDP ports.

> On this computer, when I use kadmin.local to add/delete/modify the
> principals, everything works fine. When I use kadmin, I can pass the
> authentication and run some of the commands but 'cpw' will fail. Here
> is what I got: (mara is the computer)

The kadmin.local is somewhat different from others, you want your users to change their passwords, and possibly use kadmin on any client just for system administration without involving a root login.

> [EMAIL PROTECTED] myusr]# kinit admin/admin
> Password for admin/[EMAIL PROTECTED]: <password typed>
> [EMAIL PROTECTED] myusr]# klist
> Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
> Default principal: admin/[EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 06/10/06 21:38:30  06/11/06 21:38:30  krbtgt/[EMAIL PROTECTED]
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Good for you.

> [EMAIL PROTECTED] myusr]# kadmin
> Authenticating as principal admin/[EMAIL PROTECTED] with password.
> Password for admin/[EMAIL PROTECTED]: <password typed>
> kadmin: list_principals
> K/[EMAIL PROTECTED]
> admin/[EMAIL PROTECTED]
> [EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> kadmin/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
> kadmin: cpw myusr
> Enter password for principal "myusr":
> Re-enter password for principal "myusr":
> change_password: Unknown code kdb5 21 while changing password for
> "[EMAIL PROTECTED]".
> kadmin: exit
> [EMAIL PROTECTED] myusr]#

Bad for you.

> When I do the same list of commands (kinit, klist, kadmin - cpw) from a
> remote machine, the same 'Unknown code kdb5 21' happens.
>
> What's more interesting is that kerberos itself is doing authentication
> properly. I set up the sshd on the computer 'mara' to use kerberos, and
> I can ssh into 'mara' as 'myusr' using its kerberos password.
>
> Can anyone give me an insight?

Well, you gave us just the very beginning of the needed information. For a complete diagnosis, post your

    krb5.conf
    kdc.conf
    kadm5.acl

> [EMAIL PROTECTED] ~]$ kinit myusr
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED] ~]$ kpasswd
> Password for [EMAIL PROTECTED]:
> Enter new password:
> Enter it again:
> Server error: Password not changed.
> Insufficient access to lock database while trying to change password.
>
> [EMAIL PROTECTED] ~]$
> ==============================================
>
> Interestingly, when I do kpasswd from a remote machine, I don't get the
> 'Insufficient access' error. Instead, I got a different error:
> "kpasswd: Connection timed out changing password"
>
> In any case, if a user cannot execute kpasswd, it's almost impractical
> to use kerberos.
>
> I tend to believe that something is wrong with my kerberos setup. It's
> strange because I followed the introduction in
> www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/index.shtml
> Besides, I can already run ssh with kerberos authentication.
>
> Any insight would be greatly appreciated. thanks in advance.

Check the ACLs, and post the configuration files for your realm.

-- 
Sensei <[EMAIL PROTECTED]>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
