> -----Original Message-----
> Anthony Brock <[EMAIL PROTECTED]> wrote:
> > No, the entire network is on a single, private IP address range. In
> > fact, I'm trying these particular commands on the same host that
> > kadmind is running on. However, the behavior is identical from a
> > remote host.
>
> Does kpasswd work on the KDC itself for each of the realms? If it
> doesn't work on the KDC, it's not likely to work anywhere else.
kpasswd doesn't work on the KDC. It only works for the initial realm even
when the kpasswd command is issued on the KDC. That's why I'm a little
baffled as to how to proceed. I've read the following in the kadmind man
page:
kdc.conf  The KDC configuration file contains configuration information for
          the KDC and the KADM5 system. Kadmind understands a number of variable
          settings in this file, some of which are mandatory and some of which
          are optional. See the CONFIGURATION VALUES section below.

keytab    Kadmind requires a keytab containing correct entries for the
          kadmin/admin and kadmin/changepw principals for every realm that
          kadmind will answer requests for. The keytab can be created with the
          kadmin(8) client. The location of the keytab is determined by the
          admin_keytab configuration variable (see CONFIGURATION VALUES).
An excerpt of these files is listed below, as well as the cross-realm krbtgt
principals I've created. I'm hoping that I have missed something obvious in
the configuration.
Tony
# klist -k FILE:/etc/krb5kdc/kadm5.keytab | egrep 'STERLINGCGI.COM|SCGROUP.ORG'
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
# kadmin -p brocka/admin
Authenticating as principal brocka/admin with password.
Password for brocka/[EMAIL PROTECTED]:
kadmin: listprincs */[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
kadmin:
*** BEGIN /etc/krb5kdc/kdc.conf ***
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    SCGROUP.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
    STERLINGCGI.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
*** END /etc/krb5kdc/kdc.conf ***
*** BEGIN /etc/krb5.conf ***
[libdefaults]
    default_realm = SCGROUP.ORG
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    SCGROUP.ORG = {
        kdc = auth1.scgroup.org
        kdc = auth2.scgroup.org
        admin_server = auth1.scgroup.org
    }
    STERLINGCGI.COM = {
        kdc = auth1.scgroup.org
        kdc = auth2.scgroup.org
        admin_server = auth1.scgroup.org
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false
*** END /etc/krb5.conf ***
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
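The kadmind man page text quoted in the message states the requirement that matters here: kadm5.keytab must hold kadmin/admin and kadmin/changepw entries for every realm kadmind serves. The script below is an added example, not code from the thread or from MIT Kerberos, that turns that requirement into a check: it reads the realm names out of the [realms] section of a kdc.conf and reports any required kadmin principal missing from a "klist -k" listing of the admin keytab. The kdc.conf excerpt and the keytab listing embedded in it are constructed sample data (the listing in the thread has its principal names masked); on a live KDC, point it at the real kdc.conf and at the output of klist -k FILE:/etc/krb5kdc/kadm5.keytab instead. The check only confirms that entries exist; it does not verify that the key version numbers and keys in the keytab match the KDC database, which also has to hold for kadmind to answer for that realm.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the kadmind keytab holds
# kadmin/admin and kadmin/changepw for every realm listed in kdc.conf.
# Inputs are constructed below so the script runs offline; on a real KDC,
# feed it the actual kdc.conf and the output of
#   klist -k FILE:/etc/krb5kdc/kadm5.keytab
set -u

# Print the realm names defined in the [realms] section of a kdc.conf,
# one per line. Tolerates leading indentation and "[section]" headers.
kdc_realms() {
    awk '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        in_realms && /=[[:space:]]*\{/ {
            sub(/[[:space:]]*=.*/, ""); sub(/^[[:space:]]+/, ""); print
        }
    ' "$1"
}

# Succeed if a "klist -k" listing ($1) contains an entry for principal $2.
# Compares the whole principal field (column 2, after the KVNO), so
# kadmin/admin@SCGROUP.ORG cannot match a longer realm name by accident.
keytab_has() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"
}

# Print one line per required admin principal absent from the listing.
missing_admin_principals() {
    conf="$1"; listing="$2"
    for realm in $(kdc_realms "$conf"); do
        for svc in kadmin/admin kadmin/changepw; do
            keytab_has "$listing" "$svc@$realm" || echo "$svc@$realm"
        done
    done
}

# --- constructed sample data (hypothetical paths and realms) ----------------
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    SCGROUP.ORG = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
    }
    STERLINGCGI.COM = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
    }
EOF

# Constructed listing in "klist -k" format; the second realm deliberately
# lacks its kadmin/changepw entry, the kind of gap that breaks kpasswd
# for that realm only.
cat > "$WORK/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/admin@SCGROUP.ORG
   3 kadmin/changepw@SCGROUP.ORG
   3 kadmin/admin@STERLINGCGI.COM
EOF

missing="$(missing_admin_principals "$WORK/kdc.conf" "$WORK/klist.out")"
if [ -z "$missing" ]; then
    echo "all realms have kadmin/admin and kadmin/changepw entries"
else
    printf 'missing from keytab:\n%s\n' "$missing"
fi
```

Run against real files as `missing_admin_principals /etc/krb5kdc/kdc.conf <(klist -k FILE:/etc/krb5kdc/kadm5.keytab)` in a shell with process substitution, or save the klist output to a file first for plain sh. An empty result means every realm has both entries; any principal printed is one to add with the kadmin client (ktadd into the admin keytab) before expecting kpasswd to work for that realm.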