Small addition to my previous post. I found that

# ppriv -D -e /usr/lib/krb5/kadmind -d
kadmind[1708]: missing privilege "sys_devices" (euid = 0, syscall = 5) for "devpolicy" needed at spec_open+0xb2
kadmind[1708]: missing privilege "sys_devices" (euid = 0, syscall = 5) for "devpolicy" needed at spec_open+0xb2
[skip]

Why does kadmind need the sys_devices privilege, which is not available for non-global zones?

----- Original Message -----
From: "Alexei Korobkin"
To: <security-discuss at opensolaris.org>
Sent: Monday, March 19, 2007 11:46 AM
Subject: kerberos - kadm5.keytab or krb5.keytab?

> Dear All,
>
> Solaris 5.11 snv_55b x86, non-global zone kdc1, I'm trying to install
> a Kerberos Master KDC, using the Solaris 10 Security Services (816-4557) book.
>
> If I want to add a new principal to the keytab, I do
>
> # /usr/sbin/kadmin.local
> kadmin: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com
>
> And I can see that /etc/krb5/kadm5.keytab grows in size.
>
> But if I do not specify the keytab file, like
> # /usr/sbin/kadmin.local
> kadmin: ktadd kadmin/kdc1.example.com
>
> kadm5.keytab is not changed at all, but a small new krb5.keytab appears in
> /etc/krb5/.
>
> Who makes this file and why?
> In /etc/krb5/kdc.conf I have
> admin_keytab = /etc/krb5/kadm5.keytab
>
> I searched for krb5.keytab at src.opensolaris.org and found several places
> (mainly in GSS_API libs) where this file is mentioned.
>
> Is there an error in the GSS_API source code or am I doing something wrong?
>
> --
> With best regards, Alexey Korobkin.