In regard to: CentOS attempting to set up Kerberos 5-tickets created &...:
> I started the three daemons, also with no > issues with the following invocation: > /sbin/service krb5kdc start > /sbin/service kadmin start > /sbin/service krb524 start It's very unlikely that you will ever need krb524. I recommend you disable that. > I then used kinit, klist, and kdestroy to verify that under my account > I could create, view, and destroy a ticket properly. Can you do the same from a separate client, once you've set up the krb5.conf on that client to contain the necessary realms section and possibly the default_realm? > So the next step is, I get all of the client software and dependencies > installed on another machine on the network that I want to connect > from using kerberos auth. That's all installed correctly on a Ubuntu > 7.10 machine that I'm currently on. > > Next is to create a host principal for my Ubuntu machine stored on the > KDC host. THIS is where I'm running into the issue. > > When I execute 'kadmin addprinc -randkey host/blah.example.com' I > receive the following error: > Authenticating as principal root/[EMAIL PROTECTED] with password. As Ken has pointed out, you're mixing syntaxes. You can either kadmin -p username/admin -q 'addprinc -randkey host/your.clients.fqdn' or kadmin -p username/admin and then run the rest of the command within kadmin. > kadmin: Missing parameters in krb5.conf required for kadmin client > while initializing kadmin interface On your client system, what you probably want to do is something like: sudo kadmin -p username/admin (where username is whatever user account you previously created). If that works, your client has enough information to connect to the kadmind that's running on your KDC. If it works, you'll be at a prompt. From there you can do addprinc -randkey host/your.clients.fqdn Note that the "host" is literal -- it's not to be replaced with something else. It's the type of principal that many of the krb5-workstation daemons look for (ftpd being an exception). Once that's done, you need to extract the principal into a local keytab. You do that via ktadd, still within admin. That's why I recommended "sudo" in front of your kadmin auth -- you'll have permission to write to /etc/krb5.keytab. So, still within kadmin, you type ktadd -k /etc/krb5.keytab host/your.clients.fqdn The '-k /etc/krb5.keytab' probably isn't needed, but doesn't hurt. Once that's done, you can exit from kadmin, and your client now has what it needs for you to be able to run the Kerberized daemons from the krb5-workstation package. You should be able to do something like sudo chkconfig xinetd on sudo chkconfig eklogin on sudo service xinetd start If you kinit from somewhere else, you should then be able to do /usr/kerberos/bin/rlogin -x your.clients.fqdn and get in without being prompted for a password. > If not that, I have a few other ideas... Second was that the host > name for the ubuntu machine will not resolve from the primary KDC. That's a problem, but it's not what's causing your current issue. It will definitely be an issue down the road. > To > get around this I added an /etc/hosts entry for my machine. That's enough, as long as nsswitch.conf on the KDC is right. Tim -- Tim Mooney [EMAIL PROTECTED] Information Technology Services (701) 231-1076 (Voice) Room 242-J6, IACC Building (701) 231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos