Ok this is my wallet.conf at the wallet client:

$KEYTABFILE= '/home/USER/krb5.test';
$KEYTAB_KRBTYPE= 'MIT';
$KEYTAB_PRINCIPAL= 'host.domain.org';
$KEYTAB_REALM= 'REALM';
$KEYTAB_TMP= '/home/USER/tmp'
1;

Now I cannot create more admin users:

$ wallet acl add ADMIN krb5 host.domain.org@REALM
wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Ticket expire

The remctl output is:

remctld: child 1199 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1199 done

If I try to create a keytab:

$ wallet create keytab nfs/host.domain.org
wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Ticket expired

remctl output:

remctld: child 1400 for xxx.xxx.xxx.xxx
remctld: error receiving context token: unexpected end of file
remctld: child 1400 done

________________________________________
From: Russ Allbery [r...@stanford.edu]
Sent: 08 May 2012 08:37
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos@mit.edu
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <sebastian.gali...@spilgames.com> writes:

> When I try:

> $ wallet create keytab nfs/host.domain.org
> wallet: keytab object implementation not configured

Now we're getting somewhere.  :)

That error message means that you've not configured at least one of the
mandatory settings for the keytab object type in your
/etc/wallet/wallet.conf file.  perldoc Wallet::Config will show you the
configuration information.  The mandatory options are:

    KEYTAB_FILE
        Specifies the keytab to use to authenticate to kadmind.  The
        principal whose key is stored in this keytab must have the ability
        to create, modify, inspect, and delete any principals that should
        be managed by the wallet.  (In MIT Kerberos kadm5.acl parlance,
        this is "admci" privileges.)

        KEYTAB_FILE must be set to use keytab objects.

    KEYTAB_KRBTYPE
        The Kerberos KDC implementation type, either "Heimdal" or "MIT"
        (case-insensitive).

        KEYTAB_KRBTYPE must be set to use keytab objects.

    KEYTAB_PRINCIPAL
        The principal whose key is stored in KEYTAB_FILE.  The wallet will
        authenticate as this principal to the kadmin service.

        KEYTAB_PRINCIPAL must be set to use keytab objects, at least until
        kadmin is smart enough to use the first principal found in the
        keytab it's using for authentication.

    KEYTAB_REALM
        Specifies the realm in which to create Kerberos principals.  The
        keytab object implementation can only work in a single realm for a
        given wallet installation and the keytab object names are stored
        without realm.  KEYTAB_REALM is added when talking to the KDC via
        kadmin.

        KEYTAB_REALM must be set to use keytab objects.  "ktadd" doesn't
        always default to the local realm.

    KEYTAB_TMP
        A directory into which the wallet can write keytabs temporarily
        while processing "get" commands from clients.  The keytabs are
        written into this directory with predictable names, so this should
        not be a system temporary directory such as /tmp or /var/tmp.  It's
        best to create a directory solely for this purpose that's owned by
        the user the wallet server will run as.

        KEYTAB_TMP must be set to use keytab objects.

--
Russ Allbery (r...@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
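As an added illustration (not code from the thread or from the wallet project), the checker below reads the simple `$NAME = '...';` assignments that a wallet.conf consists of and verifies the five keytab settings Russ lists as mandatory, using the rules quoted from the Wallet::Config documentation: all five present, KEYTAB_KRBTYPE either MIT or Heimdal, and KEYTAB_TMP not a shared temp directory. It also reports a variable whose name differs from a mandatory one only by underscores or case, since Perl will accept such a line and wallet will silently ignore it. The embedded sample config is constructed for this example and modelled on the one posted above; its paths are placeholders.

```python
import re

# Settings the Wallet::Config perldoc (quoted in the thread) lists as
# mandatory for keytab objects.
MANDATORY = ("KEYTAB_FILE", "KEYTAB_KRBTYPE", "KEYTAB_PRINCIPAL",
             "KEYTAB_REALM", "KEYTAB_TMP")
VALID_KRBTYPES = {"mit", "heimdal"}       # compared case-insensitively, per the docs
SHARED_TMP_DIRS = {"/tmp", "/var/tmp"}    # the docs say not to use these for KEYTAB_TMP

# A simple Perl scalar assignment: $NAME = 'value';   (optional trailing # comment)
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;?\s*(#.*)?$")


def parse_wallet_conf(text):
    """Collect {NAME: value} from every simple scalar assignment in a wallet.conf."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(3)
    return settings


def check_keytab_settings(settings):
    """Return a list of findings; an empty list means keytab objects are configured."""
    findings = []
    # Index the names with underscores and case stripped, so that $KEYTABFILE
    # is reported as a near miss of $KEYTAB_FILE instead of being overlooked.
    loose = {name.replace("_", "").upper(): name for name in settings}
    for key in MANDATORY:
        if key in settings:
            if not settings[key]:
                findings.append(f"{key} is set to an empty string")
            continue
        near = loose.get(key.replace("_", ""))
        if near:
            findings.append(f"{key} is not set; ${near} was found instead and wallet will ignore it")
        else:
            findings.append(f"{key} is not set")
    krbtype = settings.get("KEYTAB_KRBTYPE")
    if krbtype is not None and krbtype.lower() not in VALID_KRBTYPES:
        findings.append(f"KEYTAB_KRBTYPE must be MIT or Heimdal, not {krbtype!r}")
    tmp = settings.get("KEYTAB_TMP")
    if tmp is not None and tmp.rstrip("/") in SHARED_TMP_DIRS:
        findings.append(f"KEYTAB_TMP={tmp!r} is a shared temp directory; "
                        "keytabs are written there with predictable names")
    return findings


# Constructed sample modelled on the config posted in the thread; the keytab
# path is a placeholder.  It reproduces the missing underscore in $KEYTABFILE
# and uses /tmp to show the second check firing.
SAMPLE_CONF = """\
$KEYTABFILE = '/etc/wallet/EXAMPLE.keytab';
$KEYTAB_KRBTYPE = 'MIT';
$KEYTAB_PRINCIPAL = 'host.domain.org';
$KEYTAB_REALM = 'REALM';
$KEYTAB_TMP = '/tmp';
1;
"""

if __name__ == "__main__":
    for finding in check_keytab_settings(parse_wallet_conf(SAMPLE_CONF)):
        print("wallet.conf:", finding)
```

Run against a real file with `check_keytab_settings(parse_wallet_conf(open("/etc/wallet/wallet.conf").read()))`; an empty result only means the mandatory names are present and sane, not that the keytab or the kadmin ACL behind them is correct, and it says nothing about the client-side "Ticket expired" GSS-API error above, which is a matter of the caller's Kerberos credentials rather than wallet.conf.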