Regarding MIT KDC server setup
Hi MIT Team,

I am doing setup for MIT KDC on a Solaris machine. I searched a lot over the Internet, but couldn't find any appropriate doc for the KDC setup. Request you to please give me all the steps or a link to set up MIT KDC on Solaris.

Also, on one of the KDCs I am getting the error below:

bash-3.00#
bash-3.00# kadmin.local
Authenticating as principal root/ad...@ssqa.gdl.englab.netapp.com with password.
kadmin.local:
kadmin.local: list_principals
get_principals: Database record is incomplete or corrupted while retrieving list.
kadmin.local:
kadmin.local: add_principal -e des-cbc-crc:normal des-cbc-md5:normal -randkey nfs/f3170-29-203.gdl.englab.netapp@ssqa.gdl.englab.netapp.com
WARNING: no policy specified for nfs/f3170-29-203.gdl.englab.netapp@ssqa.gdl.englab.netapp.com; defaulting to no policy
Segmentation Fault (core dumped)
bash-3.00#

Please help, it's urgent.

Regards,
Gaurav

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?
Hello,

I'm trying to understand the inner workings of Kerberos here. The following question has arisen: Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?

Here is what I deduced based on reading Linux man pages and other sources on the Internet. Please confirm, refute or correct:

All Kerberos infrastructure participants (client machines, application servers and KDC) must have this file present. Some of its settings are selectively used by all 3 types of aforementioned Kerberos infrastructure participants. Thus the file doesn't have to be identical on all Kerberos involved machines, but for the sake of easier administration it usually is.

P.S. The OS in question is Linux CentOS 7 and the version of Kerberos is MIT Kerberos 5 (krb5-server package version: 1.11.3).

--
Best Regards,
Rufe
msktutil under new management
Hi all,

I've accepted a new job at Red Hat working with the Ceph engineering team, and I'll be leaving USGS on October 31. Since my work on msktutil was related to my job at USGS, I'm stepping down as a maintainer on the project. (This isn't a request from my new employer - it's just that my wife and I had a new baby this summer, and I can't commit the time that I once could when I was on staff at USGS.)

Mark Pröhl and Olaf Flebbe have been essentially carrying on the msktutil project for the past year or two, so they are going to be the official maintainers going forward. Mark and Olaf have full administrator access to the Git repository, SourceForge, and Google Code.

Previous releases of msktutil were signed by my personal GPG key; since Mark doesn't have that key, please note that future releases won't be signed with it :)

msktutil comes from a long line of previous maintainers and I thank each of you for allowing me to add a tiny bit to your work. Thanks also to Mark and Olaf for the work they've done over the past years - I'm sure you will do a great job going forward.

I currently maintain the msktutil packages for Fedora and EPEL, and I'm tentatively planning to continue to do so, at least for the immediate future. I definitely welcome co-maintainers, and please get in touch if you'd like to take over this part of msktutil.

- Ken
Re: Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?
Rufe Glick rufe.gl...@gmail.com writes:
> I'm trying to understand the inner workings of Kerberos here. The following question has arisen:
> Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?

No, not really. All participants should probably agree on some things, such as the KDCs for the realm and probably the domain to realm mapping rules. You normally want them to agree on other things, such as the default ticket lifetime to request or whether tickets are normally forwardable, so it's common to synchronize this file. But it's not at all required.

In particular, if you have a realm set up with SRV and TXT records in DNS, it's quite possible to have a zero-configuration Kerberos client that simply pulls the information it needs from DNS queries. (Although I think the Kerberos libraries generally like to have the file exist, even if it's empty.)

--
Russ Allbery (ea...@eyrie.org) http://www.eyrie.org/~eagle/
Re: Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?
On Wed, Oct 29, 2014 at 3:39 PM, Russ Allbery ea...@eyrie.org wrote:
> Rufe Glick rufe.gl...@gmail.com writes:
>> I'm trying to understand the inner workings of Kerberos here. The following question has arisen:
>> Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?
>
> No, not really. All participants should probably agree on some things, such as the KDCs for the realm and probably the domain to realm mapping rules. You normally want them to agree on other things, such as the default ticket lifetime to request or whether tickets are normally forwardable, so it's common to synchronize this file. But it's not at all required.

They can just agree to use DNS for most things. There are some things that you can't securely discover w/o DNSSEC, of which the main one is:

 - default_realm (if you need it, which generally implementations do)

Other things have sane defaults: domain_realm, capaths, ...

> In particular, if you have a realm set up with SRV and TXT records in DNS, it's quite possible to have a zero-configuration Kerberos client that simply pulls the information it needs from DNS queries. (Although I think the Kerberos libraries generally like to have the file exist, even if it's empty.)

Yes.

Nico
--
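An added example, not part of any message in this thread: a shell check that reports whether a client's krb5.conf pins default_realm locally or leaves it to DNS, the one setting the reply above singles out as not securely discoverable without DNSSEC. It assumes MIT krb5's [libdefaults] options default_realm and dns_lookup_realm; the function names and the sample files (with the placeholder realm EXAMPLE.COM) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a client gets its
# default realm from, given the text of its krb5.conf.

# Print the value of KEY from the [libdefaults] section read on stdin.
libdefault() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        !in_sec || /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Echo "pinned:REALM", "dns-txt" or "missing" for the krb5.conf text in $1.
realm_source() {
    realm=$(printf '%s\n' "$1" | libdefault default_realm)
    dns=$(printf '%s\n' "$1" | libdefault dns_lookup_realm | tr 'A-Z' 'a-z')
    if [ -n "$realm" ]; then
        echo "pinned:$realm"
        return
    fi
    case $dns in
        true|yes|y|t|1|on) echo "dns-txt" ;;  # realm taken from TXT records
        *)                 echo "missing" ;;
    esac
}

# Constructed sample files (EXAMPLE.COM is a placeholder realm).
CONF_PINNED='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false'

CONF_DNS='# zero-configuration style client
[libdefaults]
    dns_lookup_kdc = true
    dns_lookup_realm = True'

realm_source "$CONF_PINNED"
realm_source "$CONF_DNS"
```

A host reported as "dns-txt" trusts whatever TXT answer it receives for its realm, so it is the case to review where the zone is not signed.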
Why k5srvutil is present when ktutil can do its job?
Hello,

Machine configuration: Linux CentOS 7, MIT Kerberos 5, client side Kerberos package is krb5-workstation v1.11.3.

Kerberos 5 client side package supplied me with two similar utilities: ktutil and k5srvutil. I believe that there is no operation that k5srvutil script does that ktutil can't do. So why do package maintainers keep both of them?

--
Best regards,
Rufe
Re: Why k5srvutil is present when ktutil can do its job?
On 10/29/2014 07:14 PM, Rufe Glick wrote:
> Kerberos 5 client side package supplied me with two similar utilities: ktutil and k5srvutil. I believe that there is no operation that k5srvutil script does that ktutil can't do. So why do package maintainers keep both of them?

There is no ktutil equivalent for k5srvutil change, which I believe is the primary reason for k5srvutil to exist.

k5srvutil can't do anything that kadmin can't do, since it's just a shell script wrapper around kadmin. But it's easier to run k5srvutil change or k5srvutil delold than the equivalent kadmin commands.
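An added example, not part of the reply above and not the k5srvutil script itself: a dry run that prints the kadmin command lines needed to do by hand what "k5srvutil change" and "k5srvutil delold" are described as wrapping, one per principal in a keytab. The command lines are assembled from kadmin's ktadd and ktremove commands and are an assumption about what the wrapper runs; the function names and the klist -k sample are constructed.

```shell
#!/bin/sh
# Added example (not the k5srvutil script itself): print the kadmin command
# lines that rotate, then prune, every principal found in a keytab listing.

# Read `klist -k` output on stdin; print each principal once.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# $1 = "change" or "delold", $2 = keytab path; klist -k output on stdin.
# Dry run: the kadmin commands are printed, never executed.
kadmin_equivalent() {
    action=$1 keytab=$2
    case $action in
        change) query='ktadd -k %s %s' ;;        # add a new, higher kvno
        delold) query='ktremove -k %s %s old' ;; # drop all but the newest
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    keytab_principals | while read -r princ; do
        # Authenticate as the principal itself, using its current key.
        printf "kadmin -k -t %s -p %s -q \"$query\"\n" \
            "$keytab" "$princ" "$keytab" "$princ"
    done
}

# Constructed sample of `klist -k` output (placeholder host and realm).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/app1.example.com@EXAMPLE.COM
   2 host/app1.example.com@EXAMPLE.COM
   3 nfs/app1.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE_KLIST" | kadmin_equivalent change /etc/krb5.keytab
printf '%s\n' "$SAMPLE_KLIST" | kadmin_equivalent delold /etc/krb5.keytab
```

Running the pruning step only after every service has picked up the new keys keeps tickets issued under the old kvno usable in the meantime.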