Hello, I'm playing with Kerberos authentification on my box and there are some problems that I need assistance for.
For the first time I saw a lack of documentation on OpenBSD (Weel, may be it's time to contribute :-)) regarding authentification. The FAQ doesn't help much on Kerberos. It just says to read "# info heimdal". Well, I did it and I was a little disapointed. The info is great to setup a Kerberos server but being new to Kerberos, I'd have liked infos on setting up a client. After some hours googling/learning, I finally managed to get the Kerberos Server running and configured OpenBSD Client as follow : # cat /etc/kerberosV/krb5.conf [libdefaults] default_realm = CLAER.HAMMOCK.FR [realms] CLAER.HAMMOCK.FR = { kdc = diogene.claer.hammock.fr admin_server = diogene.claer.hammock.fr master_kdc = diogene.claer.hammock.fr default_domain = claer.hammock.fr } [domain_realm] .claer.hammock.fr = CLAER.HAMMOCK.FR claer.hammock.fr = CLAER.HAMMOCK.FR # ls -l /etc/kerberosV/krb5.keytab -rw------- 1 root wheel 358 May 15 15:45 /etc/kerberosV/krb5.keytab >From there, I can obtain a kerberos ticket on the system : # kinit claer cl...@claer.hammock.fr's Password: # klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: cl...@claer.hammock.fr Issued Expires Principal May 19 10:06:28 May 19 20:05:51 krbtgt/claer.hammock...@claer.hammock.fr Strange thing is I saw this in the server logfile : May 19 10:06:34 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0, cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database May 19 10:06:37 diogene krb5kdc[18818](info): TGS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 172.16.1.1: UNKNOWN_SERVER: authtime 0, cl...@claer.hammock.fr for krbtgt/ualberta...@claer.hammock.fr, Server not found in Kerberos database It seems that the client is trying to get a ticket for the afs client. AFS is not enabled on my BSD box and I don't need it. The only reference I found on UALBERTA.CA is "/etc/afs/ThisCell". Is there a way to disable this behavior? Regards, Claer