Hi All,
I have been scratching my head on this for days.
I have set up Kerberos with PKINIT, and everything works nicely. Kerberos works
as expected, I can generate X509 certificates that can authenticate as a
principal, all good.
What I can't figure out is how to automatically bootstrap a keytab for a
new host using anonymous Kerberos. The documentation is a bit fuzzy, and most
forum posts I read on the topic suggest using custom scripts and back-channels
to accomplish this.
I assume that the approach is:
1. kinit -n
2. kadmin -n (??)
   * addprinc ..
   * xst …
I have set up the ACLs to permit the WELLKNOWN principal access to add new host
principals, but for the life of me I just can't figure out how to get it done
beyond that:
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a host/*@TRIAL.COVERITY.COM
Kadmin just won't let me in. When using the WELLKNOWN principal, it cannot find
the KDC/Kadmin server:
> kinit -n
> kadmin -n @TRIAL.COVERITY.COM
Authenticating as principal WELLKNOWN/admin@WELLKNOWN:ANONYMOUS with password;
anonymous requested.
kadmin: Cannot resolve network address for KDC in requested realm while
initializing kadmin interface
When running kadmin under strace, it seems to be looking for the server in DNS!
Is this approach viable? Can anybody help?
Thanks,
- James
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
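
Added example, not part of the original post: a simplified Python model of kadm5.acl evaluation, applied to the ACL line quoted in the message to show which of the two planned kadmin steps that entry covers. It assumes MIT krb5's documented privilege requirements (addprinc needs add; xst/ktadd needs inquire and changepw); the function names and the target hostname are constructed for illustration.

```python
# Added example: simplified model of kadm5.acl evaluation (first matching line wins).
# Back-references (*1) and the optional restrictions column are not modelled.
ALL = set("admcilsp")            # what "x" / "*" expand to (extract-keys "e" is separate)
NEEDS = {                        # privileges each kadmin command requires
    "addprinc": set("a"),
    "xst": set("ic"),            # xst/ktadd re-randomizes keys: inquire + changepw
}

def split_princ(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    comps, _, realm = name.partition("@")
    return comps.split("/"), realm

def princ_match(pattern, name):
    """Component-wise match; '*' stands for one whole component or the realm."""
    if pattern == "*":                       # bare '*' matches any principal
        return True
    pc, pr = split_princ(pattern)
    nc, nr = split_princ(name)
    if len(pc) != len(nc) or (pr != "*" and pr != nr):
        return False
    return all(p == "*" or p == n for p, n in zip(pc, nc))

def granted(acl_text, actor, target):
    """Return the privilege set of the first ACL line matching actor and target."""
    for line in acl_text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) < 2:
            continue
        who, perms = fields[0], fields[1]
        tgt = fields[2] if len(fields) > 2 else "*"
        if princ_match(who, actor) and princ_match(tgt, target):
            allow = set()
            for ch in perms:
                if ch in "x*":
                    allow |= ALL
                elif ch.islower():
                    allow.add(ch)
                else:                        # uppercase letter denies that privilege
                    allow.discard(ch.lower())
            return allow
    return set()                             # no matching line: nothing granted

def allowed_commands(acl_text, actor, target):
    have = granted(acl_text, actor, target)
    return sorted(cmd for cmd, need in NEEDS.items() if need <= have)

ANON = "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS"
POSTED_ACL = "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a host/*@TRIAL.COVERITY.COM\n"
NEW_HOST = "host/newhost.example.com@TRIAL.COVERITY.COM"   # constructed hostname
```

Under this model, `allowed_commands(POSTED_ACL, ANON, NEW_HOST)` reports only `addprinc`: the `a` entry does not cover the xst step.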