[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remote kadmin not working on 0.7.2

To: Heimdal-discuss list <heimdal-discuss@sics.se>
Subject: Re: Remote kadmin not working on 0.7.2
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 27 Feb 2006 13:17:00 -0800
Cc: Joakim Fallsjo <fallsjo+lists@sanchin.se>
In-Reply-To: <8E6083F8-7A47-4BB2-B1FF-BEE2BE2B24F4@jpl.nasa.gov>
References: <8E6083F8-7A47-4BB2-B1FF-BEE2BE2B24F4@jpl.nasa.gov>
Sender: owner-heimdal-discuss@sics.se

Tried deleting the aes enctypes for hotz/admin and kadmin/admin.   
Same problem.

2006-02-27T12:58:24 AS-REQ hotz/admin@JPL.NASA.GOV from  
IPv4:128.149.197.37 for kadmin/admin@JPL.NASA.GOV
2006-02-27T12:58:24 Using des3-cbc-sha1/des3-cbc-sha1
2006-02-27T12:58:24 Requested flags: renewable
2006-02-27T12:58:24 sending 659 bytes to IPv4:128.149.197.37
-- and --
2006-02-27T12:58:24 krb5_recvauth: End of file
-- and --
kadmin> get hotz
hotz/admin@JPL.NASA.GOV's Password:
kadmin: get hotz: Server rejected authentication (during sendauth  
exchange)
kadmin>
---

Heimdal built with "OpenSSL 0.9.8a 11 Oct 2005".
[kadmin] and [password_quality] sections are in /etc/krb5.conf.

I can't see how it would matter, but I have AFS on the servers, but  
it's pointing at production, not the local test Heimdal servers.  I  
did have a token reject message show up in the middle of one of these  
trials when I had just gotten an invalid token as a side effect of a  
Heimdal kinit.

On Feb 27, 2006, at 10:57 AM, Henry B. Hotz wrote:

> I'm probably missing something obvious, (and probably it's  
> something I haven't thought to list here) but this isn't working:
>
> Client side:
> # /usr/heimdal/sbin/kadmin -p hotz
> kadmin> get hotz
> hotz@JPL.NASA.GOV's Password:
> kadmin: get hotz: Server rejected authentication (during sendauth  
> exchange)
> ---
> Server side kadmin.log:
> 2006-02-27T10:41:14 krb5_recvauth: End of file
> ---
> Server side kdc.log:
> 2006-02-27T10:41:14 AS-REQ hotz@JPL.NASA.GOV from  
> IPv4:128.149.197.37 for kadmin/admin@JPL.NASA.GOV
> 2006-02-27T10:41:14 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac- 
> sha1-96
> 2006-02-27T10:41:14 Requested flags: renewable
> 2006-02-27T10:41:14 sending 649 bytes to IPv4:128.149.197.37
> ---
> # kdc.conf
> [kdc]
>         database = {
>                 realm = JPL.NASA.GOV
>                 mkey_file = /nobackup/m_key
>         }
>         kdc_warn_pwexpire = 1mo
>         require-preauth = false
>         enable-kerberos4 = true
>         v4-realm = JPL.NASA.GOV
>         enable-524 = true
>         enable-http = false
>         enable-kaserver = true
>         check-ticket-addresses = false
>         allow-null-ticket-addresses = true
> ---
> # fgrep hotz kadmind.acl
> hotz@JPL.NASA.GOV       get,list
> hotz/admin@JPL.NASA.GOV all
> ---
>
> I have snoops that prove the client is talking to the test server,  
> not the production, even though they have the same realm name.  I  
> get the same result with an encrypted vice decrypted master  
> database (which caused something similar for me on 0.6.3 once).
> ---------------------------------------------------------------------- 
> ------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>

References:
- Remote kadmin not working on 0.7.2
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

Prev by Date: Re: Remote kadmin not working on 0.7.2
Next by Date: Re: Remote kadmin not working on 0.7.2
Prev by thread: Re: Remote kadmin not working on 0.7.2
Index(es):
- Date
- Thread