
Reply: Re: Reply: Re: kerberos setup, basic questions



Hi, Harald. Thanks for your advice; it helped me very
much.

I think there are several problems in my Heimdal
deployment. So maybe I should post my Heimdal
deployment in detail.

My environment: there are two VMware PCs. One works as
KDC and server (Heimdal's telnetd) and is named
kerberosKDC (192.168.0.30); the other works as the client
and is named kerberosC (192.168.0.3). Both VM PCs have FC8
as the OS. The Heimdal version is 1.1.

1. Both kerberosKDC and kerberosC share the same
/etc/krb5.conf like this:

[root@kerberosC ~]# more /etc/krb5.conf
[libdefaults]
        default_realm = WEDGIE.ORG

[realms]
        WEDGIE.ORG = {
                kdc = 192.168.0.30
                admin_server = 192.168.0.30
        }

[domain_realm]
        .wedgie.org = WEDGIE.ORG


2. on kerberosKDC, initialized as follows:

[root@kerberosKDC sbin]# ./kstash
Master key: 
Verifying - Master key: 
kstash: writing key to `/var/heimdal/m-key'

[root@kerberosKDC sbin]# ./kadmin -l
kadmin> init WEDGIE.ORG
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:

kadmin> list *
default
kadmin/admin
kadmin/hprop
kadmin/changepw
krbtgt/WEDGIE.ORG
changepw/kerberos

kadmin> add jdoe/admin@WEDGIE.ORG
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
jdoe/admin@WEDGIE.ORG's Password: 
Verifying - jdoe/admin@WEDGIE.ORG's Password: 


3. start the KDC on kerberosKDC; Heimdal's telnetd
has already been started by xinetd.

[root@kerberosKDC sbin]# /usr/heimdal/libexec/kdc &
[1] 3091


4. kerberosC gets a TGT:

[root@kerberosC ~]# /usr/heimdal/bin/kinit jdoe/admin
jdoe/admin@WEDGIE.ORG's Password: 
[root@kerberosC ~]# /usr/heimdal/bin/klist 
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: jdoe/admin@WEDGIE.ORG

  Issued           Expires          Principal
Jul  2 18:20:01  Jul  3 04:19:21 
krbtgt/WEDGIE.ORG@WEDGIE.ORG


5. create a principal and make krb5.keytab on
kerberosKDC:
kadmin> add -r host/kerberosKDC.WEDGIE.ORG
kadmin: connect(192.168.0.30): Connection refused
kadmin: failed to contact 192.168.0.30
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin: connect(192.168.0.30): Connection refused
kadmin: failed to contact 192.168.0.30
kadmin: kadm5_create_principal: Operation failed for
unspecified reason
kadmin: adding host/kerberosKDC.WEDGIE.ORG: Operation
failed for unspecified reason


The message "connect(192.168.0.30): Connection
refused" may be because of "host name resolving", as you
pointed out. But my /etc/hosts files are as follows:
kerberosKDC:
[root@kerberosKDC sbin]# more /etc/hosts
# Do not remove the following line, or various
programs
# that require network functionality will fail.
127.0.0.1       localhost       loopback
::1     localhost6.localdomain6 localhost6
192.168.0.30    kerberosKDC     kerberosKDC
192.168.0.3     kerberosC       kerberosC

kerberosC:
[root@kerberosC ~]# more /etc/hosts
# Do not remove the following line, or various
programs
# that require network functionality will fail.
127.0.0.1       localhost       loopback
::1     localhost6.localdomain6 localhost6
192.168.0.3     kerberosC       kerberosC
192.168.0.30    kerberosKDC     kerberosKDC

My questions are:
(1). I think it can resolve the IP address in both
directions.
I am confused here; would someone kindly explain
this to me?

(2). Is the process by which I deploy Heimdal all right here?

Thanks in advance!!

WangYue
 
--- Harald Barth <haba@kth.se> wrote:

> 
> > 1. Is this "host" the hostname of the service PC?
> And
> > do I have to use the hostname instead of the service
> PC's
> > IP address??
> 
> The principal consists of 3 parts:
> 
> <Name> / <Instance> @ <Realm> (spaces inserted for
> readability)
> 
> For users <Name> obviously is the username,
> <Instance> is empty and
> <Realm> is your Realm (obviously). Sometimes the
> <Instance> is used
> for administrative accounts.
> 
> Example:
> 
> haba@KTH.SE
> haba/admin@KTH.SE
> 
> For services (like telnet, rsh, ftp, nfs, afs) the
> <Name> is the service
> name. telnet and rsh and ssh share the name "host"
> because a host
> is identified by it. <Instance> is the name of the
> host and <Realm>
> again is as usual.
> 
> Fictional examples:
> 
> host/loginserver.kth.se@KTH.SE
> host/belgarath.lfs.org@LFS.ORG
> afs/kth.se@KTH.SE
> 
> The confusing part is that all commands accept
> principals in short forms
> where the "obvious" (default) parts are omitted.
> 
> Example: 
> 
> kinit haba 
> 
> which means <Name> is haba, <Instance> is empty and
> <Realm> is default
> (KTH.SE in my case).
> 
> 
> > 2. If my hostname is kerberosA, the kerberized
> > service program is Heimdal's telnetd, and my
> krb5.conf
> > is as follows:
> > 
> > [libdefaults]
> >         default_realm = WEDGIE.ORG
> > 
> > [realms]
> >         WEDGIE.ORG = {
> >                 kdc = 192.168.0.30
> >                 admin_server = 192.168.0.30
> >         }
> > 
> > [domain_realm]
> >         .wedgie.org = WEDGIE.ORG
> > 
> > should the "host" be kerberosA or admin_server?
> > So will I input
> > kadmin>add -r kerberosA/WEDGIE.ORG
> > or the
> > kadmin>add -r admin_server/WEDGIE.ORG
> 
> You need one for each host you want to login to.
> 
> It should be <Name>/<Instance>@<Realm> which in your
> case
> 
> probably is 
> 
> host/kerberosA.your.domain@WEDGIE.ORG 
> host/kerberosB.your.domain@WEDGIE.ORG 
> host/kerberosC.your.domain@WEDGIE.ORG 
> 
> or something like that
> 
> The Instance part must match what the IP address of
> the host resolves
> to. For Kerberos to work, you must have a working
> setup of host name
> resolving in both directions.
> 
> You said " kadmin>add -r ....", but it is easier to
> use ktutil get on
> each of your hosts. It creates the principal in the
> KDC and makes the
> corresponding /etc/krb5.keytab on the host.
> 
> Harald.
> 

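The rule in the quoted reply, that the <Instance> of a host principal must match what the host's address resolves to in both directions, can be checked before a principal is created or a keytab written. The following Python is an added example and is not code from the thread or from Heimdal. It expands short-form principals the way the reply describes (missing realm filled from the default_realm in krb5.conf), and it runs the two-way check against an /etc/hosts table that stands in for the resolver so the example works offline; the krb5.conf and hosts contents are constructed from what the mail shows. The function names (parse_principal, parse_hosts, check_host_principal) are this example's own. Run against the thread's own hosts file, the instance typed in step 5 (kerberosKDC.WEDGIE.ORG) matches 192.168.0.30 in neither direction, whereas the bare kerberosKDC that the hosts file actually maps does; a keytab made for an instance the resolver never produces is one the service will not find.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the krb5.conf shown in the thread.
KRB5_CONF = """\
[libdefaults]
        default_realm = WEDGIE.ORG

[realms]
        WEDGIE.ORG = {
                kdc = 192.168.0.30
                admin_server = 192.168.0.30
        }
"""

# Constructed sample input: the /etc/hosts shown for kerberosKDC in the thread.
HOSTS_KDC = """\
127.0.0.1       localhost       loopback
::1     localhost6.localdomain6 localhost6
192.168.0.30    kerberosKDC     kerberosKDC
192.168.0.3     kerberosC       kerberosC
"""


@dataclass(frozen=True)
class Principal:
    """<Name>/<Instance>@<Realm>; the instance is empty for plain users."""
    name: str
    instance: str
    realm: str

    def __str__(self):
        body = f"{self.name}/{self.instance}" if self.instance else self.name
        return f"{body}@{self.realm}"


def default_realm(krb5_conf):
    """Pull default_realm out of the [libdefaults] section of krb5.conf text."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.MULTILINE)
    if not m:
        raise ValueError("krb5.conf has no default_realm")
    return m.group(1)


def parse_principal(text, realm):
    """Expand a short form the way kinit does: a missing @REALM takes the
    default realm, a missing /instance is the empty instance."""
    body, at, given_realm = text.rpartition("@")
    if not at:                      # no '@' at all: the whole text is the body
        body, given_realm = text, realm
    name, _, instance = body.partition("/")
    if not name or not given_realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, instance, given_realm)


def parse_hosts(text):
    """Build forward (name -> {ip}) and reverse (ip -> canonical name) maps
    from /etc/hosts text. Stands in for the resolver so this runs offline."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        reverse.setdefault(ip, names[0])          # first name is the canonical one
        for n in names:
            forward.setdefault(n.lower(), set()).add(ip)
    return forward, reverse


def check_host_principal(typed, ip, hosts_text, krb5_conf):
    """Compare the host/ principal an admin typed with what the host's address
    resolves to, forward and reverse. 'expected' is the principal the library
    would derive itself (canonical name lower-cased, as Heimdal's
    krb5_sname_to_principal does); None when the address has no reverse entry."""
    realm = default_realm(krb5_conf)
    p = parse_principal(typed, realm)
    forward, reverse = parse_hosts(hosts_text)
    canonical = reverse.get(ip, "")
    inst = p.instance.lower()
    forward_ok = ip in forward.get(inst, set())   # instance -> ip
    reverse_ok = canonical.lower() == inst         # ip -> instance
    return {
        "principal": str(p),
        "expected": str(Principal("host", canonical.lower(), realm)) if canonical else None,
        "forward_ok": forward_ok,
        "reverse_ok": reverse_ok,
        "ok": p.name == "host" and forward_ok and reverse_ok,
    }


if __name__ == "__main__":
    for typed in ("host/kerberosKDC.WEDGIE.ORG", "host/kerberosKDC"):
        print(check_host_principal(typed, "192.168.0.30", HOSTS_KDC, KRB5_CONF))
```

On a real host the two lookups would go through the system resolver (getaddrinfo and a PTR query) rather than a parsed /etc/hosts, but the decision is the same: create the principal for the name the reverse lookup returns, and confirm that name resolves back to the host's address.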
