Hello,

I tried to install Kerberos on my small system and have had limited success.

krb5kdc and kadmind are installed on an Intel Xeon box running 64-bit Fedora Core 5. The firewall is enabled on this machine, with ports 88 and 749 accepting incoming packets. DNS is also working properly.

Kerberos itself is doing authentication properly. I set up the sshd on the computer to use Kerberos, disabled the usage of local passwords in sshd, and I can ssh into the computer using the Kerberos password.

On this computer, when I use kadmin.local to add/delete/modify the principals, everything works fine.

The interesting thing is: when I use kadmin, I can pass the authentication and run some of the commands, but 'cpw' will fail. Here is what I got (mara is the computer):

=============================================
[EMAIL PROTECTED] myusr]# kinit admin/admin
Password for admin/[EMAIL PROTECTED]: <password typed>
[EMAIL PROTECTED] myusr]# klist
Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
Default principal: admin/[EMAIL PROTECTED]

Valid starting     Expires            Service principal
06/10/06 21:38:30  06/11/06 21:38:30  krbtgt/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] myusr]# kadmin
Authenticating as principal admin/[EMAIL PROTECTED] with password.
Password for admin/[EMAIL PROTECTED]: <password typed>
kadmin: list_principals
K/[EMAIL PROTECTED]
admin/[EMAIL PROTECTED]
[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
kadmin: cpw myusr
Enter password for principal "myusr":
Re-enter password for principal "myusr":
change_password: Unknown code kdb5 21 while changing password for "[EMAIL PROTECTED]".
kadmin: exit
[EMAIL PROTECTED] myusr]#
==========================================================

When I run the same list of commands (kinit, klist, kadmin - cpw) from a remote machine, the same 'Unknown code kdb5 21' happens. Can anyone give me some insight?

Additionally, I am having a problem with kpasswd.
When I logged into 'mara' as 'myusr', here is what I got:

==============================================
[EMAIL PROTECTED] ~]$ kinit myusr
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] ~]$ kpasswd
Password for [EMAIL PROTECTED]:
Enter new password:
Enter it again:
Server error: Password not changed.
Insufficient access to lock database while trying to change password.
[EMAIL PROTECTED] ~]$
==============================================

Interestingly, when I run kpasswd from a remote machine, I don't get the 'Insufficient access' error. Instead, I get a different error:

"kpasswd: Connection timed out changing password"

In any case, if a user cannot execute kpasswd, it's almost impractical to use Kerberos.

I tend to believe that something is wrong with my Kerberos setup. It's strange because I followed the introduction in www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/index.shtml

Besides, I can already run ssh with Kerberos authentication.

Any insight would be greatly appreciated. Thanks in advance.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos