
Re: Changes in kdc.conf from version 0.7.2 to version 1.0.1



On Fri, Sep 21, 2007 at 08:50:47AM +0200, Andreas Haupt wrote:
> I've noticed the change as well. After some reading of the Heimdal
> documentation I've found a solution that is ok for us:
> 
> [kadmin]
>         default_keys = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt des3-cbc-sha1:pw-salt des-cbc-crc:afs3-salt:<cell name>
> 
> It only contains the strong v5 enc types and additionally an old v4
> (afs) one. This one is needed to make klog work.

Thanks, Andreas; that solves that problem.  A second problem I found
is that kadmin no longer works remotely without adding a principal
kadmin/admin, and that was easily done.  Then I try to do a list
with kadmin from a remote machine.  This fails because

     kadmin> list -l zlsiial
     admin/admin@ZZZZZZZZZZZ's Password:
     kadmin: get zlsiial: Operation requires `get' privilege


although I have

     admin/admin all

in the kadmind.acl file on the master server.  So this is a problem.
Moreover, though iprop-master starts without a problem, iprop-slave
refuses to start on the slave servers.  On the slave servers themselves
this message appears in the auth.log:

     Sep 21 09:02:12 rj4 ipropd-slave[13298]: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

and on the master server, this appears in the kdc log:

     2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4:000.00.003.00 for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
     2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
     2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
     2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ

This means that I cannot get iprop to work at all.

Forgive my questions, but I'm trying to update a working system and to
get a working system at the end of the process!

     -- Owen