
Re: kpasswdd configuration question



I have an inetd.conf entry I cribbed from NetBSD on the Solaris machine, viz:
kpasswd         dgram   udp             wait    root    /usr/heimdal/libexec/kpasswdd   kpasswdd

The man page is silent on the issue, but the web page notes say 
kpasswdd is not run from inetd.  Who's right?  NetBSD, or the web 
documentation, or does it depend?

The kpasswdd man page mentions a keytab, but it's not mentioned in 
the web docs.  Does the daemon need a keytab?  If so I presume it's 
the kadmin/changepw principal that needs to go in it?  (And where's 
the keytab on NetBSD since I'm sure I never created one there.)

At 11:14 PM +0100 3/3/04, Love wrote:
>"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>
>>  I can't get a hand-installed 0.6 version to do the same thing that the
>>  built-in 0.53 in NetBSD does.
>>
>>  I'm using the Heimdal kinit and Heimdal kpasswd with a Heimdal kdc on
>>  the same test machine. kpasswd doesn't work.
>>
>>  Could someone just tell me which entries in the krb5.conf I need to
>>  inspect?  I should mention that the db was created by hprod from a
>>  kaserver db and not with a kadmin -l/init.  (I did a kadmin -l/add -r
>>  for the extra principals needed after the import.)
>
>Did the password change anyway ?

No.

>Did kpasswdd log anything ?

I thought it was supposed to log the same default place as the kdc. 
I included that log.  Was there supposed to be more?

Actually going between machines now I only get a single AS-REQ for 
the changepw principal, where I had about three exchanges before.

>What does the packet on the network look like ?

Never sniffed the traffic because I was testing on the same machine.

I only get a single port 88 exchange from snoop on the server. 
Nothing on port 464.

Also port 464 doesn't seem to respond, but lsof shows inetd listening.

>Does netbsd builtin kpasswd work against the kpasswdd ?

Same result going from NetBSD to Solaris/0.6 as reported earlier.

>What server did it talk to ?

Good question.  |-(

>The entry you should check for is
>
>[realms]
>        REALM = {
>               kpasswd_server = ....
>               admin_server =  ... # will be used in kadmin_server entry not present
>        }

Actually have (on the NetBSD machine, but the kdc has the same plus more):

>[realms]
>         JPL.NASA.GOV = {
>                 kdc = afstest01.jpl.nasa.gov
>                 admin_server = afstest01.jpl.nasa.gov
>         }
>[domain_realm]
>         .jpl.nasa.gov = JPL.NASA.GOV
>         jpl.nasa.gov = JPL.NASA.GOV

Do I need an explicit kpasswd_server entry if I have an admin_server entry?
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
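As an added example (not from the thread and not Heimdal's own code), here is a small Python parser for the krb5.conf [realms] layout quoted above, which reports which host a client would send its password change to. It assumes the fallback from kpasswd_server to admin_server that the reply describes, and the configuration text is constructed from the message.

```python
"""Inspect a Heimdal-style krb5.conf for the host used by kpasswd (added example)."""
import re

# Constructed sample: the [realms] block quoted in the message, with no kpasswd_server.
SAMPLE_KRB5_CONF = """\
[realms]
        JPL.NASA.GOV = {
                kdc = afstest01.jpl.nasa.gov
                admin_server = afstest01.jpl.nasa.gov
        }
[domain_realm]
        .jpl.nasa.gov = JPL.NASA.GOV
        jpl.nasa.gov = JPL.NASA.GOV
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values]}}.

    A 'key = {' line opens a nested block, stored as a dict in the value list,
    so repeated keys (several kdc lines, several realm blocks) are preserved.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                     # new [section]
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:                             # key before any section: ignore
            continue
        if line == '}':                           # close the innermost block
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if value == '{':
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def password_change_target(conf, realm):
    """Return (host, source) for the realm's password-change server.

    Assumption (from the quoted reply, not verified here): admin_server is used
    when no kpasswd_server entry is present.
    """
    blocks = conf.get('realms', {}).get(realm)
    if not blocks:
        return None, 'realm not configured'
    block = blocks[0]
    if 'kpasswd_server' in block:
        return block['kpasswd_server'][0], 'kpasswd_server'
    if 'admin_server' in block:
        return block['admin_server'][0], 'admin_server (fallback)'
    return None, 'no kpasswd_server or admin_server'
```

With the sample above the function reports the admin_server fallback, which is the case the question at the end of the message asks about.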