Sensei wrote: > On 2006-06-11 21:27:51 +0200, [EMAIL PROTECTED] said: > > > krb5.conf > > --------------------------------------- > > [logging] > > default = FILE:/var/log/krb5libs.log > > kdc = FILE:/var/log/krb5kdc.log > > admin_server = FILE:/var/log/kadmind.log > > > > [libdefaults] > > default_realm = MY.REALM.COM > > dns_lookup_realm = false > > dns_lookup_kdc = false > > ticket_lifetime = 24h > > forwardable = yes > > > > [realms] > > MY.REALM.COM = { > > kdc = MY.REALM.COM:88 > > admin_server = MY.REALM.COM:749 > > default_domain = realm.com > > } > > These lines should contain host names. This would suffice (using > standard ports): > > [realms] > MY.REALM.COM = { > kdc = hostkdc.my.realm.com > admin_server = hostadmin.myrealm.com > } > > > [domain_realm] > > .realm.com = MY.REALM.COM > > Add the mapping > > realm.com = MY.REALM.COM > > And check for the domain/realm mapping bug (solved by removing any > mapping here), I've been facing this problem. > > > [kdc] > > profile = /var/kerberos/krb5kdc/kdc.conf > > For the client side? Why? > > > [appdefaults] > > pam = { > > debug = false > > ticket_lifetime = 36000 > > renew_lifetime = 36000 > > forwardable = true > > krb4_convert = false > > } > > Ok. > > > kdc.conf > > --------------------------------------- > > [kdcdefaults] > > acl_file = /var/kerberos/krb5kdc/kadm5.acl > > dict_file = /usr/share/dict/words > > admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab > > v4_mode = nopreauth > > > > [realms] > > MY.REALM.COM = { > > #master_key_type = des3-hmac-sha1 > > supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal > > des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal > > des-cbc-crc:v4 des-cbc-crc:afs3 > > } > > --------------------------------------- > > Just that? I use this kind of configuration (more verbose for the > realms stanza): > > > [kdcdefaults] > kdc_ports = 750,88 > > [realms] > KERBEROS.REALM = { > database_name = /var/lib/krb5kdc/principal > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab > acl_file = /etc/krb5kdc/kadm5.acl > key_stash_file = /etc/krb5kdc/stash > kdc_ports = 750,88 > max_life = 24h 0m 0s > max_renewable_life = 7d 0h 0m 0s > master_key_type = des3-hmac-sha1 > supported_enctypes = des3-hmac-sha1:normal > des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 > default_principal_flags = -preauth > } > > > > > kadmin5.acl has just one line > > --------------------------------------- > > */[EMAIL PROTECTED] * > > --------------------------------------- > > */admin * > > Should do the work. > > Can you check the file owner/group and permissions for all the kerberos > files? DB, directories and stuff... UID of the daemons... any other > information since I read your post on starting kadmind directly :)
I am almost certain that selinux is causing the problem. When I set selinux to 'enforcing', and start kerberos using '/sbin/service kadmin start', kpasswd will trigger the error 'insufficient access to database'. If I start kerberos using 'kadmin' directly, kpasswd will succeed. When I set selinux to 'permissive' (effectively disabling selinux), and start kerberos using '/sbin/service kadmin start', kpasswd will succeed. When selinux is in 'enforcing' mode, and kadmind is started using '/sbin/service admin start', the process 'kadmind' runs in context 'kadmind_t'. When kadmind is started by root using 'kadmind', the process 'kadmind' runs in context 'unconfined_t'. I believe when 'kadmind' runs in context 'unconfined_t', it can read/write all the configuration files, DB, etc. But if it runs in context 'kadmin_t', some files are readonly. But changing password definitely needs to write some files. That causes the error. Now my question is: How do I set selinux so that kadmin can work correctly? I prefer not to disable selinux. Any insights would be appreciated. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos