On 2006-06-11 21:27:51 +0200, [EMAIL PROTECTED] said:

> krb5.conf
> ---------------------------------------
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MY.REALM.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  MY.REALM.COM = {
>   kdc = MY.REALM.COM:88
>   admin_server = MY.REALM.COM:749
>   default_domain = realm.com
>  }

These lines should contain host names. This would suffice (using standard ports):

    [realms]
     MY.REALM.COM = {
      kdc = hostkdc.my.realm.com
      admin_server = hostadmin.myrealm.com
     }

> [domain_realm]
>  .realm.com = MY.REALM.COM

Add the mapping

    realm.com = MY.REALM.COM

And check for the domain/realm mapping bug (solved by removing any mapping here), I've been facing this problem.

> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf

For the client side? Why?

> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }

Ok.

> kdc.conf
> ---------------------------------------
> [kdcdefaults]
>  acl_file = /var/kerberos/krb5kdc/kadm5.acl
>  dict_file = /usr/share/dict/words
>  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>  v4_mode = nopreauth
>
> [realms]
>  MY.REALM.COM = {
>   #master_key_type = des3-hmac-sha1
>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3
>  }
> ---------------------------------------

Just that? I use this kind of configuration (more verbose for the realms stanza):

    [kdcdefaults]
     kdc_ports = 750,88

    [realms]
     KERBEROS.REALM = {
      database_name = /var/lib/krb5kdc/principal
      admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
      acl_file = /etc/krb5kdc/kadm5.acl
      key_stash_file = /etc/krb5kdc/stash
      kdc_ports = 750,88
      max_life = 24h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
      master_key_type = des3-hmac-sha1
      supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
      default_principal_flags = -preauth
     }

> kadmin5.acl has just one line
> ---------------------------------------
> */[EMAIL PROTECTED] *
> ---------------------------------------

    */admin *

Should do the work.

Can you check the file owner/group and permissions for all the Kerberos files? DB, directories and stuff... UID of the daemons... any other information since I read your post on starting kadmind directly :)

-- 
Sensei <[EMAIL PROTECTED]>

The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
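
Added example (not part of the original message, and not MIT Kerberos code): a small Python check for three points the reply raises about the client krb5.conf, namely kdc/admin_server entries that name the realm instead of a host, a missing bare-domain entry in [domain_realm], and a [kdc] section on the client side. The names `parse` and `lint` are hypothetical, the parser is a simplified reader assumed sufficient for files of this shape, and the sample is constructed from the quoted configuration.

```python
# Constructed sample: the relevant stanzas of the client krb5.conf quoted in the thread.
SAMPLE = """\
[realms]
 MY.REALM.COM = {
  kdc = MY.REALM.COM:88
  admin_server = MY.REALM.COM:749
 }
[domain_realm]
 .realm.com = MY.REALM.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
"""

def parse(text):
    """Simplified krb5.conf reader: {section: {key: value or {subkey: [values]}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None  # end of a "name = { ... }" subsection
        elif "=" in line and section is not None and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            elif sub is not None:
                sub.setdefault(key, []).append(val)  # kdc may repeat
            else:
                section[key] = val
    return conf

def lint(text):
    """Return one finding per point from the reply that the file trips over."""
    conf, out = parse(text), []
    for realm, body in conf.get("realms", {}).items():
        for key in ("kdc", "admin_server"):
            for val in (body.get(key, []) if isinstance(body, dict) else []):
                if val.split(":")[0].upper() == realm.upper():
                    out.append(f"{realm}: {key} = {val} is the realm name, not a host name")
    domains = conf.get("domain_realm", {})
    out += [f"domain_realm: no mapping for bare domain {d[1:]}"
            for d in domains if d.startswith(".") and d[1:] not in domains]
    if "kdc" in conf:
        out.append("[kdc] section present in a client krb5.conf")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the stanzas suggested in the reply (host names under [realms], both `.realm.com` and `realm.com` mapped, no [kdc] section), `lint` returns an empty list.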