Dear will, Mon, 19 Mar 2007 19:09:46 -0400, will young -> Alexei Korobkin:
wy> Alexei Korobkin wrote:
AK>> Hi, Darren.
AK>> kadmind somehow requires sys_devices privilege to run in non-global zone:
AK>>
AK>> # ppriv -D -e /usr/lib/krb5/kadmind -d
AK>> kadmind[1718]: missing privilege "sys_devices" (euid = 0, syscall = 5)
[skipped]
AK>> if you have working Kerberos Master KDC in non-global zone, how did you
AK>> do that?

wy> I've not had any trouble with the defaults:
wy> # svcadm enable kadmin
wy> # ps -ef |grep kadmin
wy> root 107629 107344 0 20:02:15 pts/4 0:00 grep kadmin
wy> root 107627 100867 0 20:02:10 ? 0:00 /usr/lib/krb5/kadmind
[skipped]
wy> Did you follow the standard instructions to set up the kdc?
wy> Once the kdc is set up you will run into trouble if you try to make its
wy> udp ports MLP. At the moment you can only do TCP with multilevel
wy> ports.
wy> -Will

My previous message related to my troubles with Kerberos did not get into this discussion, because it sits and waits for the moderator's approval. :)

I followed the standard procedure for installing a Master KDC according to the book Solaris 10 Security Services (816-4557). Solaris 5.11 snv_55b x86 full installation, non-global zone kdc1.

At step 7, where I have to enable kadmin and krb5kdc, I see these messages in the kdc.log:

===============
kdc1 kadmind[1423](Warning): Keytab entry "kadmin/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
kdc1 kadmind[1423](Warning): Keytab entry "changepw/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
kdc1 kadmind[1423](info): No dictionary file specified, continuing without one.
kdc1 kadmind[1423](Warning): Keytab entry "kiprop/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
kdc1 kadmind[1423](Error): Unable to set RPCSEC_GSS service name (`kiprop at kdc1.mrak.net'), failing.
===============

Principals kadmin/kdc1.mrak.net, changepw/kdc1.mrak.net and kiprop/kdc1.mrak.net were added to the Kerberos keytab in previous steps. It seems that kadmin doesn't want to read kadm5.keytab at all.
Here is my kdc.conf:

=========Beginning of the citation==============
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        MRAK.NET = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
=========The end of the citation================

I can't see any problems with my setup, which is why I tried to debug kadmind.

Thank you for showing that kadmind works inside the zone; this inspired me to try again.

--
With best regards,
Alexei Korobkin.

This message posted from opensolaris.org
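An added diagnostic, not from the thread or from Solaris: it parses the kdc.conf layout and the kdc.log warning format quoted in the message and reports which of kadmind's service principals (kadmin, changepw, kiprop for the KDC host) the log says are absent from the keytab that admin_keytab names. The realm, host name and sample lines are constructed from the message.

```python
import re

# Constructed sample: the [realms] part of the kdc.conf from the message, trimmed.
KDC_CONF = """[kdcdefaults]
  kdc_ports = 88,750
[realms]
  MRAK.NET = {
    admin_keytab = /etc/krb5/kadm5.keytab
    acl_file = /etc/krb5/kadm5.acl
  }
"""

# Constructed sample: kdc.log lines shaped like the ones quoted in the message.
KDC_LOG = """kdc1 kadmind[1423](Warning): Keytab entry "kadmin/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
kdc1 kadmind[1423](Warning): Keytab entry "changepw/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
kdc1 kadmind[1423](info): No dictionary file specified, continuing without one.
kdc1 kadmind[1423](Warning): Keytab entry "kiprop/kdc1.mrak.net" is missing from "/etc/krb5/kadm5.keytab"
"""

# Service principals kadmind expects to find in admin_keytab (assumed set, per the warnings above).
SERVICES = ("kadmin", "changepw", "kiprop")

def parse_kdc_conf(text):
    """Return {realm: {key: value}} from the [realms] section of a kdc.conf."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None        # new section header
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=")[0].strip()   # "REALM = {" opens a realm block
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, _, value = line.partition("=")
            realms[realm][key.strip()] = value.strip()
    return realms

MISSING_RE = re.compile(r'Keytab entry "([^"]+)" is missing from "([^"]+)"')

def missing_keytab_entries(log_text):
    """Return {keytab path: set(principals)} for every 'missing from' warning in the log."""
    missing = {}
    for m in MISSING_RE.finditer(log_text):
        missing.setdefault(m.group(2), set()).add(m.group(1))
    return missing

def check_admin_keytab(conf_text, log_text, realm, host):
    """Return (admin_keytab path, sorted expected service principals the log reports missing)."""
    keytab = parse_kdc_conf(conf_text)[realm]["admin_keytab"]
    expected = {f"{svc}/{host}" for svc in SERVICES}
    return keytab, sorted(expected & missing_keytab_entries(log_text).get(keytab, set()))
```

If the returned list is empty while kadmind still fails, the keytab is being read and the fault lies elsewhere; if it lists all three principals, as here, kadmind is not seeing the entries at all.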