Hi, I am trying to set up Wallet for streamlining keytab distribution, following Jan-Piet's interesting and insightful blog post [1] but I am somehow stumbling early on. Using Ubuntu 12.04 and MIT Kerberos 1.10 (1.10+dfsg~beta1-2ubuntu0.3, FWIW). Wallet I built from the latest git://git.eyrie.org/kerberos/wallet.git.
I got as far as initializing the Wallet database and ACLs with an admin principal:

    # wallet-admin initialize daff/[email protected]

I configured krb5.conf with defaults for wallet, i.e.

    wallet_port = = 4373
    wallet_server = auth01.example.com

But doing simple wallet test runs, like these

    daff@auth01 $ wallet -u daff get keytab test
    daff@auth01 $ wallet -u daff/admin get keytab test
    daff@other01 $ wallet -u daff get keytab test
    daff@other01 $ wallet -u daff/admin get keytab test

all make remctld complain about a wrong principal in request, like this:

    remctld[29898]: connect from 10.1.7.41 (10.1.7.41)
    remctld[29898]: GSS-API error while accepting context: Unspecified GSS failure. Minor code may provide more information, Wrong principal in request
    ...
    remctld[29047]: connect from 10.1.7.11 (10.1.7.11)
    remctld[29047]: GSS-API error while accepting context: Unspecified GSS failure. Minor code may provide more information, Wrong principal in request

As you can see, this happens both on the auth01 server itself and when running the wallet client on a remote server. My wallet configuration is identical to the example on [1], modulo realms and hostnames of course. I also created a service/wallet principal and gave it admin permissions in kadm5.acl, and I distributed the according keytab to the remote server as well, but it seems things fail much earlier so this all probably doesn't matter.

I can't seem to get more debug info out of remctld than that, so I am at a loss. What principal does remctld expect to find here? What am I doing wrong?

Thanks in advance,
Andreas

[1] http://jpmens.net/2012/06/25/streamlining-distribution-of-kerberos-keytabs-and-other-secure-data/
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
