
Re: Changes in kdc.conf from version 0.7.2 to version 1.0.1



On Wed, 2007-09-26 at 11:16 +0100, Dr A V Le Blanc wrote: 
> A second problem I found
> is that kadmin no longer works remotely without adding a principal
> kadmin/admin, and that was easily done.  Then I try to do a list
> with kadmin from a remote machine.  This fails because
> 
>      kadmin> list -l zlsiial
>      admin/admin@ZZZZZZZZZZZ's Password:
>      kadmin: get zlsiial: Operation requires `get' privilege
> 
> although I have
> 
>      admin/admin all
> 
> in the kadmind.acl file on the master server.  So this is a problem.
> I tried replacing 'all' with 'get' in the kadmind.acl file, but with
> the same result.

On Wed, Sep 26, 2007 at 02:10:53PM +0200, Andreas Haupt wrote:
> Please try it like this:
> 
> admin/admin@REALM all

This does not solve the problem: it still produces the message
"Operation requires `get' privilege".  So I tried

     admin/admin@REALM get

just to see, and I got

     kadmin: get zlsiial: Operation requires `get' privilege

just as before.  Then it occurred to me: this is a Debian version,
and perhaps the path to kadmind.acl hasn't been put correctly in the
source.  So I copied the acl file to the directory in /var, and the
problem goes away.  It looks like a purely Debian problem, so I'll
report it there.

I wrote:
> Moreover, though iprop-master starts without a problem, iprop-slave
> refuses to start on the slave servers.  On the slave servers themselves
> this message appears in the auth.log:
> 
>      Sep 21 09:02:12 rj4 ipropd-slave[13298]: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
> 
> and on the master server, this appears in the kdc log:
> 
>      2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4:000.00.003.00 for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
>      2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ

And Andreas Haupt asked:
> Do the logs end there? If yes, it would mean the iprop slave doesn't
> react correctly on the "preauth required" statement. Are the clocks in
> sync? This also works here...

The clocks are synced using ntp, and are within a thousandth of a
second of each other, so I can't see a problem there.  My entire log
on the iprop master is this:

2007-09-27T08:46:17 AS-REQ iprop/rj4.delta.man.ac.uk@DELTA.AC.GB from IPv4:130.88.133.23 for iprop/rj1.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 sending 308 bytes to IPv4:130.88.133.23
2007-09-27T08:46:17 AS-REQ iprop/rj4.delta.man.ac.uk@DELTA.AC.GB from IPv4:130.88.133.23 for iprop/rj1.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 Client sent patypes: none
2007-09-27T08:46:17 Looking for PKINIT pa-data -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 Looking for ENC-TS pa-data -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 sending 308 bytes to IPv4:130.88.133.23
2007-09-27T08:46:17 AS-REQ iprop/rj4.delta.man.ac.uk@DELTA.AC.GB from IPv4:130.88.133.23 for iprop/rj1.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 Client sent patypes: none
2007-09-27T08:46:17 Looking for PKINIT pa-data -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 Looking for ENC-TS pa-data -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 sending 308 bytes to IPv4:130.88.133.23
2007-09-27T08:48:06 Failed to verify AP-REQ: Ticket expired
2007-09-27T08:48:06 Failed parsing TGS-REQ from IPv4:130.88.133.23
2007-09-27T08:48:06 sending 81 bytes to IPv4:130.88.133.23
2007-09-27T08:48:06 Failed to verify AP-REQ: Ticket expired
2007-09-27T08:48:06 Failed parsing TGS-REQ from IPv4:130.88.133.23
2007-09-27T08:48:06 sending 81 bytes to IPv4:130.88.133.23
2007-09-27T08:48:06 Failed to verify AP-REQ: Ticket expired
2007-09-27T08:48:06 Failed parsing TGS-REQ from IPv4:130.88.133.23
2007-09-27T08:48:06 sending 81 bytes to IPv4:130.88.133.23

I don't know whether the entries at 08:48 are significant in this problem.
The message in auth.log on the iprop slave is entirely this:

Sep 27 08:46:17 rj4 ipropd-slave[27375]: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

There are no messages in any other log file on the slave, so far as I
can see.  Any help would be appreciated.

     -- Owen
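The KDC log above shows the slave being answered PREAUTH-REQUIRED on every AS-REQ while reporting "Client sent patypes: none", i.e. it never comes back with pa-data, which is the client-side loop Andreas Haupt describes. As an added example (not code from this thread or from Heimdal), a small Python scanner over KDC log lines in the format quoted above that tallies, per client principal, the AS-REQs, PREAUTH-REQUIRED replies, pa-types offered and source addresses, counts AP-REQ verification failures by reason, and flags clients stuck in that loop; the sample log is constructed from the lines in this mail and the regular expressions assume the log layout shown here.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Heimdal KDC log lines quoted above
# (same principals and address as in the thread, trimmed to one retry).
SAMPLE_KDC_LOG = """\
2007-09-27T08:46:17 AS-REQ iprop/rj4.delta.man.ac.uk@DELTA.AC.GB from IPv4:130.88.133.23 for iprop/rj1.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 AS-REQ iprop/rj4.delta.man.ac.uk@DELTA.AC.GB from IPv4:130.88.133.23 for iprop/rj1.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:46:17 Client sent patypes: none
2007-09-27T08:46:17 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.delta.man.ac.uk@DELTA.AC.GB
2007-09-27T08:48:06 Failed to verify AP-REQ: Ticket expired
2007-09-27T08:48:06 Failed parsing TGS-REQ from IPv4:130.88.133.23
"""

# Line shapes as they appear in the log quoted in this mail (assumed layout).
AS_REQ = re.compile(r"^(\S+) AS-REQ (\S+) from (\S+) for (\S+)$")
PATYPES = re.compile(r"^(\S+) Client sent patypes: (.+)$")
PREAUTH_REQ = re.compile(r"^(\S+) No preauth found, returning PREAUTH-REQUIRED -- (\S+)$")
AP_REQ_FAIL = re.compile(r"^(\S+) Failed to verify AP-REQ: (.+)$")


def analyse_kdc_log(text):
    """Per client principal: AS-REQ count, PREAUTH-REQUIRED replies, the
    pa-types it offered and the source addresses seen; plus a tally of
    AP-REQ verification failures by reason."""
    stats = defaultdict(lambda: {"as_req": 0, "preauth_required": 0,
                                 "patypes": set(), "sources": set()})
    ap_req_failures = defaultdict(int)
    current = None  # client principal of the AS-REQ being processed
    for line in text.splitlines():
        if m := AS_REQ.match(line):
            current = m.group(2)
            stats[current]["as_req"] += 1
            stats[current]["sources"].add(m.group(3))
        elif (m := PATYPES.match(line)) and current:
            stats[current]["patypes"].add(m.group(2).strip())
        elif m := PREAUTH_REQ.match(line):
            stats[m.group(2)]["preauth_required"] += 1
        elif m := AP_REQ_FAIL.match(line):
            ap_req_failures[m.group(2)] += 1
    return stats, ap_req_failures


def stuck_preauth_clients(stats):
    """Clients answered PREAUTH-REQUIRED more than once that never sent any
    pa-data back: the KDC is doing its part, so look at the client side."""
    return sorted(p for p, s in stats.items()
                  if s["preauth_required"] >= 2 and s["patypes"] <= {"none"})
```

Run it over the master's real kdc log to confirm the slave is the only principal in that state; a healthy client shows a second AS-REQ carrying ENC-TS (or PKINIT) pa-data instead of "none".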