[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1
On Fri, Sep 21, 2007 at 08:50:47AM +0200, Andreas Haupt wrote:
> I've noticed the change as well. After some reading of the Heimdal
> documentation I've found a solution that is ok for us:
> default_keys = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt des3-cbc-sha1:pw-salt des-cbc-crc:afs3-salt:<cell name>
> It only contains the strong v5 enc types and additionally an old v4
> (afs) one. This one is needed to make klog work.
Thanks, Andreas; that solves that problem. A second problem I found
is that kadmin no longer works remotely without adding a principal
kadmin/admin, and that was easily done. Then I try to do a list
with kadmin from a remote machine. This fails because
kadmin> list -l zlsiial
kadmin: get zlsiial: Operation requires `get' privilege
although I have
in the kadmind.acl file on the master server. So this is a problem.
Moreover, though iprop-master starts without a problem, iprop-slave
refuses to start on the slave servers. On the slave servers themselves
this message appears in the auth.log:
Sep 21 09:02:12 rj4 ipropd-slave: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
and on the master server, this appears in the kdc log:
2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4:000.00.003.00 for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
This means that I cannot get iprop to work at all.
Forgive my questions, but I'm trying to update a working system and to
get a working system at the end of the process!