Re: Changes in kdc.conf from version 0.7.2 to version 1.0.1


On Wed, 2007-09-26 at 11:16 +0100, Dr A V Le Blanc wrote: 
> After solving the original problem, as I reported on September 21
> to this list, thanks to Andreas Haupt, I reported some additional
> problems.  I repeat this message, since I had no response to the
> last one.
> A second problem I found
> is that kadmin no longer works remotely without adding a principal
> kadmin/admin, and that was easily done.  Then I try to do a list
> with kadmin from a remote machine.  This fails because
>      kadmin> list -l zlsiial
>      admin/admin@ZZZZZZZZZZZ's Password:
>      kadmin: get zlsiial: Operation requires `get' privilege
> although I have
>      admin/admin all
> in the kadmind.acl file on the master server.  So this is a problem.
> I tried replacing 'all' with 'get' in the kadmind.acl file, but with
> the same result.

Please try it like this:

admin/admin@REALM all

Otherwise: do you have any log files? All I can say is: it works here
(heimdal 1.0.1 on Solaris 10). It helps to add debugging info to the
logs having something like this in krb5.conf:

        kdc = 0-5/FILE:/var/log/kdc.log

> Moreover, though iprop-master starts without a problem, iprop-slave
> refuses to start on the slave servers.  On the slave servers themselves
> this message appears in the auth.log:
>      Sep 21 09:02:12 rj4 ipropd-slave[13298]: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> and on the master server, this appears in the kdc log:
>      2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4: for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
> This means that I cannot get iprop to work at all.

Do the logs end there? If yes, it would mean the iprop slave doesn't
react correctly on the "preauth required" statement. Are the clocks in
sync? This also works here...

2007-09-26T13:04:04 AS-REQ iprop/brutus-vm10.ifh.de@IFH.DE from IPv4: for iprop/nyx.ifh.de@IFH.DE
2007-09-26T13:04:04 No preauth found, returning PREAUTH-REQUIRED -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 sending 274 bytes to IPv4:
2007-09-26T13:04:04 AS-REQ iprop/brutus-vm10.ifh.de@IFH.DE from IPv4: for iprop/nyx.ifh.de@IFH.DE
2007-09-26T13:04:04 Client sent patypes: encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp
2007-09-26T13:04:04 Looking for PKINIT pa-data -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 Looking for ENC-TS pa-data -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 ENC-TS Pre-authentication succeeded -- iprop/brutus-vm10.ifh.de@IFH.DE using aes256-cts-hmac-sha1-96
2007-09-26T13:04:04 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2007-09-26T13:04:04 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2007-09-26T13:04:04 AS-REQ authtime: 2007-09-26T13:04:04 starttime: unset endtime: 2007-09-26T23:04:04 renew till: unset
2007-09-26T13:04:04 sending 628 bytes to IPv4:
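The two KDC log excerpts above differ in one thing: the working slave comes back with a second AS-REQ carrying ENC-TS pre-authentication, the broken one apparently never does. As an added example (not part of the original mail, and not Heimdal's own tooling), here is a small Python script that reads a Heimdal kdc.log, groups the AS-REQ / PREAUTH-REQUIRED / ENC-TS lines by client principal and says for each one whether it got a ticket, retried and failed, or stopped right after PREAUTH-REQUIRED. It also includes a helper to compare the slave's syslog timestamp with the KDC's, since clock skew is the usual reason an ENC-TS retry never succeeds. The sample log is constructed from the lines quoted in this thread; the 300-second limit is the Kerberos default clockskew and is an assumption about the site's configuration.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample input: the two kdc.log excerpts quoted in this thread
# (the slave that gets stuck, and the one that works).
KDC_LOG = """\
2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4: for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-26T13:04:04 AS-REQ iprop/brutus-vm10.ifh.de@IFH.DE from IPv4: for iprop/nyx.ifh.de@IFH.DE
2007-09-26T13:04:04 No preauth found, returning PREAUTH-REQUIRED -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 sending 274 bytes to IPv4:
2007-09-26T13:04:04 AS-REQ iprop/brutus-vm10.ifh.de@IFH.DE from IPv4: for iprop/nyx.ifh.de@IFH.DE
2007-09-26T13:04:04 Client sent patypes: encrypted-timestamp
2007-09-26T13:04:04 Looking for PKINIT pa-data -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 Looking for ENC-TS pa-data -- iprop/brutus-vm10.ifh.de@IFH.DE
2007-09-26T13:04:04 ENC-TS Pre-authentication succeeded -- iprop/brutus-vm10.ifh.de@IFH.DE using aes256-cts-hmac-sha1-96
2007-09-26T13:04:04 AS-REQ authtime: 2007-09-26T13:04:04 starttime: unset endtime: 2007-09-26T23:04:04 renew till: unset
2007-09-26T13:04:04 sending 628 bytes to IPv4:
"""

# Only the AS-REQ line that carries "from ... for ..." names the client; the
# later "AS-REQ authtime:" summary line does not match this pattern.
AS_REQ = re.compile(r"^(?P<ts>\S+) AS-REQ (?P<client>\S+) from \S+ for (?P<server>\S+)$")
PREAUTH_REQ = re.compile(r"returning PREAUTH-REQUIRED -- (?P<client>\S+)$")
PREAUTH_OK = re.compile(r"ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<etype>\S+)$")

# Assumed default Kerberos clockskew (5 minutes) beyond which ENC-TS fails.
MAX_SKEW_SECONDS = 300


def parse_kdc_log(text):
    """Count AS-REQs, PREAUTH-REQUIRED replies and ENC-TS successes per client principal."""
    stats = OrderedDict()

    def entry(client):
        return stats.setdefault(client, {"as_req": 0, "preauth_required": 0, "preauth_ok": None})

    for line in text.splitlines():
        m = AS_REQ.match(line)
        if m:
            entry(m["client"])["as_req"] += 1
            continue
        m = PREAUTH_REQ.search(line)
        if m:
            entry(m["client"])["preauth_required"] += 1
            continue
        m = PREAUTH_OK.search(line)
        if m:
            entry(m["client"])["preauth_ok"] = m["etype"]
    return stats


def classify(stat):
    """Reduce one principal's counters to a verdict a KDC admin can act on."""
    if stat["preauth_ok"]:
        return "ok"                         # second AS-REQ carried valid ENC-TS
    if stat["preauth_required"] and stat["as_req"] <= stat["preauth_required"]:
        return "stuck-no-retry"             # log ends at PREAUTH-REQUIRED: client never retried
    if stat["preauth_required"]:
        return "retried-but-preauth-failed" # retry seen, but no ENC-TS success: key or clock problem
    return "unknown"


def report(text):
    """Map each client principal in a kdc.log to its verdict."""
    return {client: classify(stat) for client, stat in parse_kdc_log(text).items()}


def clock_skew_seconds(slave_syslog_ts, kdc_ts, year):
    """Seconds between a syslog timestamp on the slave ("Sep 21 09:02:12", no year)
    and the KDC's ISO timestamp ("2007-09-21T09:02:12"). Both logs are in local
    time, so compare hosts in the same zone or convert first."""
    slave = datetime.strptime(f"{year} {slave_syslog_ts}", "%Y %b %d %H:%M:%S")
    kdc = datetime.strptime(kdc_ts, "%Y-%m-%dT%H:%M:%S")
    return abs((slave - kdc).total_seconds())


if __name__ == "__main__":
    for client, verdict in report(KDC_LOG).items():
        print(f"{client}: {verdict}")
    skew = clock_skew_seconds("Sep 21 09:02:12", "2007-09-21T09:02:12", 2007)
    print(f"slave/KDC skew: {skew:.0f}s ({'ok' if skew <= MAX_SKEW_SECONDS else 'too large'})")
```

Run it against the real kdc.log (with `kdc = 0-5/FILE:/var/log/kdc.log` in place, so the pre-auth lines are actually written) and grep the slave's auth.log for the matching ipropd-slave line; a principal reported as `stuck-no-retry` points at the slave side, `retried-but-preauth-failed` at its keytab or its clock.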