
Re: Problem with kpasswd



On Wed, Feb 16, 2000 at 04:44:59PM +0100, Assar Westerlund wrote:
>> The hostname is certainly in the DNS for forward and reverse lookup.
>> (It's avl.mcc.ac.uk at 130.88.201.63.)  The krb5.conf does have
>> in the realms section 'kdc = avl.mcc.ac.uk'; does it need a
>> kpasswdd entry as well?
> 
> You need a `admin_server = avl.mcc.ac.uk' in your realm part, as
> well.  If you have a cname kerberos.REALM it should also work.

OK, I now have this:

[realms]
        man.ac.uk = {
                kdc = avl.mcc.ac.uk
                admin_server = avl.mcc.ac.uk
        }

And I still have the problem:

kpasswd testname
testname@man.ac.uk's Password:
New password:
Verifying password - New password:
kpasswd: krb5_change_password: Unknown error 4294967288

Incidentally, I notice that there are in the database both
kadmin/changepw and changepw/kerberos principals, installed
by 'init' under kadmin.

As a further problem, I notice that, while 'kadmin -l' works,
kadmin attaching to kadmind does not; that is, inetd calls
kadmind successfully, but nothing seems to give me
'get privilege', so that get and list fail, and the command
'dump', though listed by 'help', doesn't work; it gives the
error message:

     kadmin> dump
     Unrecognized command: dump

(I asked about slave servers)
>> Can I presume
>> the operation is fairly similar? [to the documented K4]
> 
> Yes, it works the same way even if the details are somewhat
> different.  You run `hprop' on the host you want to propagate from and
> `hpropd' on the receiving host.  There are options to hprop for v4 and
> ka databases.

OK, I shall try to experiment with this, and if I can get it to
work, I'll submit suggested text for the documentation.

>> Second, I have compiled with the two 'experimental' options to
>> enable-kaserver and enable-kaserver-db.  Do these work?
> 
> Basically, you just enable kaserver support with `--kaserver' or
> `enable_kaserver' in the [kdc] section in the configuration file and
> it will listen on the ka-server port and serve these requests.

Do I understand that

(1)  The krb5.conf file should include, under [realms], in the
     section for my cell, the line

          enable_kaserver = hostname?

(2)  The ka database is kept independently from the kerberos 5 one?
     I mean, because you said above that hprop has distinct ka
     options.  Or is there one database served in two modes?

(3)  You just run kdc with the right configuration on your
     AFS cell server machines, and you run it instead of kaserver?
     Or is something more complex necessary to set this up?

> Yes, but you probably want 0.2o to be running these.  There are users
> running an heimdal kdc and using klog et al to communicate with it.

Actually, I am running 0.2o.  I have upgraded my system from
glibc2.0 to glibc2.1, and had an incidental problem that the
kdc compiled against the new libraries couldn't read the old
database.  But I simply deleted the old database and ran replay_log.
Clearly it will be wise to keep a dump of the database in case
of such problems arising in the future.

Thanks for your help, and I promise to try to write some
documentation bits.

     -- Owen
     LeBlanc@mcc.ac.uk
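As an added example (not code from the original message, from Assar, or from Heimdal itself): the reply above says kpasswd needs an `admin_server` line in the realm block, or failing that a `kerberos.REALM` CNAME, and that the kaserver is switched on in the `[kdc]` section. The script below parses the brace-nested krb5.conf format and reports, per realm, whether both `kdc` and `admin_server` are set and what hostname kpasswd would otherwise have to fall back on. The sample config is constructed here (the `man.ac.uk` block copies the one in the message; the second realm is invented to show the missing-`admin_server` case); the `kerberos.<realm>` fallback name and the accepted spellings of the kaserver key are assumptions taken from the wording of the reply, not verified against any particular Heimdal release.

```python
"""Check a krb5.conf for the settings kpasswd needs (added example)."""
import re
from typing import Dict, List, Union

# A section maps key -> list of values; a value is a string or a nested block.
Block = Dict[str, List[Union[str, "Block"]]]

# Constructed sample: the man.ac.uk block mirrors the message above,
# EXAMPLE.ORG is invented and deliberately lacks admin_server.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = man.ac.uk

[realms]
        man.ac.uk = {
                kdc = avl.mcc.ac.uk
                admin_server = avl.mcc.ac.uk
        }
        EXAMPLE.ORG = {
                # no admin_server here: kpasswd must fall back
                kdc = kdc.example.org
        }

[kdc]
        enable-kaserver = yes
"""


def parse_krb5_conf(text: str) -> Dict[str, Block]:
    """Parse [section] headers and 'key = value' / 'key = { ... }' nesting."""
    sections: Dict[str, Block] = {}
    stack: List[Block] = []          # innermost block is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: setting outside any section")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":
            child: Block = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' at end of file")
    return sections


def check_realms(conf: Dict[str, Block]) -> Dict[str, dict]:
    """Per realm: kdc and admin_server hosts, plus the fallback admin host."""
    report = {}
    for realm, entries in conf.get("realms", {}).items():
        kdcs: List[str] = []
        admins: List[str] = []
        for entry in entries:
            if isinstance(entry, dict):
                kdcs += [v for v in entry.get("kdc", []) if isinstance(v, str)]
                admins += [v for v in entry.get("admin_server", []) if isinstance(v, str)]
        report[realm] = {
            "kdc": kdcs,
            "admin_server": admins,
            # Assumption: without admin_server the client tries kerberos.<realm>,
            # as the reply above suggests; DNS names are case-insensitive.
            "admin_fallback": None if admins else f"kerberos.{realm.lower()}",
            "ok": bool(kdcs) and bool(admins),
        }
    return report


def kaserver_enabled(conf: Dict[str, Block]) -> bool:
    """True if [kdc] turns the kaserver on (hyphen or underscore spelling assumed)."""
    kdc = conf.get("kdc", {})
    for key in ("enable-kaserver", "enable_kaserver"):
        for value in kdc.get(key, []):
            if isinstance(value, str):
                return value.lower() in ("yes", "true", "1")
    return False


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm, info in check_realms(conf).items():
        status = "ok" if info["ok"] else "MISSING admin_server"
        print(f"{realm}: kdc={info['kdc']} admin_server={info['admin_server']} "
              f"fallback={info['admin_fallback']} -> {status}")
    print("kaserver enabled:", kaserver_enabled(conf))
```

Run it against a real `/etc/krb5.conf` by reading the file instead of `SAMPLE_KRB5_CONF`; a realm reported without `admin_server` and without a resolvable `kerberos.<realm>` name is the first thing to check when kpasswd cannot reach the change-password service.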