Sebastian Galiano <sebastian.gali...@spilgames.com> writes:

> Ok, as you pointed out, I didn't have a principal for the wallet server (it is
> also the kdc server). Adding the principal solved that problem. Now to
> the same command:

> $wallet -f keytab get keytab nfs/hostname.REALMNAME
> wallet: username@REALMNAME not authorized to create keytab:nfs/host.REALMNAME

That's an error from the wallet server, not from remctld or from Kerberos.
wallet doesn't pay any attention to the kadmin ACLs; it maintains its own
database of objects and ACLs for who can download them. So you have to
either set up autocreation (see the Wallet::Config man page or perldoc
under "DEFAULT OWNERS"), or you need to pre-create the object as a user
listed in the ADMIN ACL. For example:

    wallet create keytab nfs/<fqdn>
    wallet acl create user/<username> krb5 <username>@<realm>
    wallet owner keytab nfs/<fqdn> user/<username>

wallet show keytab nfs/<fqdn> will show you the existing wallet record for
that particular object.

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos