doubled log messages

2006-06-19 Thread Harry
All messages generated by krb5kdc and kadmin are being logged twice, one right after the other in their respective log files. Weird, huh? kdc.conf snippet:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

Log messages doubled

2006-06-19 Thread bogus
Messages from krb5kdc and kadmind are being logged twice, one right after the other. My krb5.conf reads:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
Environment: Red Hat Enterprise Linux 4 using rpm krb5-server-1.3.4

Re: Kerberos + SSH question

2006-06-19 Thread Nod
On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> wrote: >> "Nod" == Nod <[EMAIL PROTECTED]> writes: > >Nod> I've currently got a Heimdal KDC setup for testing. From the >Nod> testing network, I can successfully get tickets via kinit, and ssh >Nod> with the

Re: Kerberos + SSH question

2006-06-19 Thread Richard E. Silverman
> > On 19 Jun 2006 11:09:25 -0400, "Richard E. Silverman" <[EMAIL PROTECTED]> > wrote: > >> "Nod" == Nod <[EMAIL PROTECTED]> writes: > > > >Nod> I've currently got a Heimdal KDC setup for testing. From the > >Nod> testing network, I can successfully get tickets via kinit, and ssh > >

Re: Kerberized NFSv4 problems

2006-06-19 Thread Will Fiveash
On Mon, Jun 19, 2006 at 11:56:46AM -0700, Erich Weiler wrote: > > Hmm... krb5cc_0 would seem to be root's Kerberos cache. Is NFS just > > being explicitly denied for root? Or is root otherwise treated > > differently than normal user accounts? (I use OpenAFS myself, so I > > don't really know

Re: Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
Never mind, it worked! The client just needed a reboot. Thanks again for your help! ciao, erich Erich Weiler wrote: > Hi Kevin, > > Aha, I think, if I'm reading this correctly, the version numbers are > definitely off: > > (on KDC) > % klist -e -k -t /etc/krb5.keytab > Keytab name: FILE:/etc

Re: Kerberized NFSv4 problems

2006-06-19 Thread Kevin Coffman
On 6/19/06, Erich Weiler <[EMAIL PROTECTED]> wrote: > > Your nfs server's keytab has kvno 5. You need to do the getprinc on > > that same principal to see what the key version number is in the KDC. > > (Your klist shows principal nfs/[EMAIL PROTECTED], but the > > getprinc output is for nfs/[EMAIL

Re: Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
> Your nfs server's keytab has kvno 5. You need to do the getprinc on > that same principal to see what the key version number is in the KDC. > (Your klist shows principal nfs/[EMAIL PROTECTED], but the > getprinc output is for nfs/[EMAIL PROTECTED]) > > The kvno of the extracted key in the nfs s

Re: Kerberized NFSv4 problems

2006-06-19 Thread Kevin Coffman
Your nfs server's keytab has kvno 5. You need to do the getprinc on that same principal to see what the key version number is in the KDC. (Your klist shows principal nfs/[EMAIL PROTECTED], but the getprinc output is for nfs/[EMAIL PROTECTED]) The kvno of the extracted key in the nfs server's keyt

Re: Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
> Hmm... krb5cc_0 would seem to be root's Kerberos cache. Is NFS just > being explicitly denied for root? Or is root otherwise treated > differently than normal user accounts? (I use OpenAFS myself, so I > don't really know how this NFSv4 stuff works.) NFS shouldn't be denied for root as far

Re: Kerberized NFSv4 problems

2006-06-19 Thread Christopher D. Clausen
Erich Weiler <[EMAIL PROTECTED]> wrote: > I can do this: > > kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com > kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com > > with no errors. When I do a klist then I get: > > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: hos

Re: Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
Hi Kevin, Aha, I think, if I'm reading this correctly, the version numbers are definitely off: (on KDC) % klist -e -k -t /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal - 5 05/0

Re: Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
Hi Christopher, > Is there a particular reason you are limiting yourself to DES keys? > (This isn't a problem though, just a question.) No reason really, just using DES keys for testing. Once I get this working I'll move up to better encryption. > I'm pretty sure MYREALM.COM is a default valu

Re: Kerberized NFSv4 problems

2006-06-19 Thread Kevin Coffman
Hi Erich, How did you create the keytab for the NFS server? The key version number in that keytab must match the key version number for the server principal in the KDC. The key version displayed for nfs/[EMAIL PROTECTED] with "klist -e -k -t /etc/krb5.keytab" should match the key version displaye

Re: Different error codes between AD KDC and MIT KDC

2006-06-19 Thread Mike Friedman
On Mon, 19 Jun 2006 at 12:42 (-), Jeffrey Altman wrote: > Mike Friedman wrote: >> I've been testing some Kerberos authentication code against both my MIT >> K5 KDC and a Windows Active Directory KDC. In both cases, I'm using >> pre-authenticati

Kerberized NFSv4 problems

2006-06-19 Thread Erich Weiler
Greetings all, We're having some problems getting kerberized NFSv4 working in our environment, was hoping someone would have an idea or two of what's going on. We've set up our KDC (Fedora Core 5 box) and it's working great, people are logging in and getting tickets, all is well there. What I

Re: Kerberos + SSH question

2006-06-19 Thread Richard E. Silverman
> "Nod" == Nod <[EMAIL PROTECTED]> writes: Nod> I've currently got a Heimdal KDC setup for testing. From the Nod> testing network, I can successfully get tickets via kinit, and ssh Nod> with the ticket between servers. Now, I'm trying to get the Nod> Windows desktop side worki

Re: Different error codes between AD KDC and MIT KDC

2006-06-19 Thread Jeffrey Altman
Mike Friedman wrote: > I've been testing some Kerberos authentication code against both my MIT K5 > KDC and a Windows Active Directory KDC. In both cases, I'm using > pre-authentication. However, when I enter an incorrect password, the MIT > KDC returns 31 (decrypt integrity check failure), wh