Henry B. Hotz wrote:
>
> On Mar 29, 2007, at 11:32 PM, Shawn M Emery wrote:
>
>>>> The kserver script will perform basic security checks and warn the
>>>> administrator if it detects a problem.
>>>>
>>>
>>> What about adding a "dry-run" option which does some pre-checks without
>>> changing the configuration?
>>>
>>
>> Yes, this is what it essentially means:
>> 1. check for existing kdb
>> 2. file permissions
>> 3. DNS configuration
>> 4. etc.
>
> Maybe it doesn't belong here, but I've found it useful to carry around
> a config testing program that verifies that name resolution, realm
> mapping and keytab files actually work. On a server with a kerberized
> service you need to make sure that hostname is a FQDN that maps to the
> local realm. On a client you need to make sure that the constructed
> service principal matches what the service is expecting.
>
> Given correct client and server software, and correct krb5.conf info,
> and correct kdc entries and keytab files, you still need to check what
> Kerberos does for name mapping. Even if the SA put the FQDN first in
> /etc/hosts, and DNS is correct, the person setting up the NIS maps may
> have put the short name in the map.
>
> A diagnostic tool that systematically checks all this stuff (client or
> server side) and prints out info useful to Kerberos neophytes seems
> like a good idea.
For better or worse, Solaris actually deals with these inconsistencies by
canonicalizing service principal names by directly making libresolv calls.
Hence why the DNS configuration would be checked. A validation check could be
made to make sure that it was able to obtain service tickets for a common
service (e.g. kadmin) as well.

Thanks,

Shawn.
--
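The name-mapping and permission checks discussed in this thread, as an added example (not code from the thread, from kserver, or from Solaris): it maps a canonical host name to a realm the way an MIT-style [domain_realm] section is consulted, builds the host/ service principal, and flags a short name, a host name that canonicalizes to something else, and an over-permissive keytab mode. The krb5.conf fragment is constructed, and the canonical name and keytab mode are passed in rather than looked up, so it runs offline.

```python
import configparser
import stat

# Constructed krb5.conf fragment standing in for the real /etc/krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
.example.com = EXAMPLE.COM
legacy.example.com = OLD.EXAMPLE.COM
"""


def load_krb5_conf(text):
    """Parse the krb5.conf sections we need; the profile format is INI-like."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of host names and realm names
    cp.read_string(text)
    return cp


def realm_for_host(fqdn, conf):
    """Map a host to a realm the way [domain_realm] is consulted:
    an exact host entry first, then each parent domain with a leading dot,
    then default_realm as the fallback."""
    dr = conf["domain_realm"] if conf.has_section("domain_realm") else {}
    host = fqdn.lower()
    if host in dr:
        return dr[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in dr:
            return dr[key]
    return conf["libdefaults"]["default_realm"]


def check_service_host(configured_name, canonical_name, conf, keytab_mode):
    """Dry-run checks for a kerberized service host; returns (principal, warnings)."""
    warnings = []
    if "." not in canonical_name:
        warnings.append(f"name resolution returns short name '{canonical_name}', not an FQDN")
    if canonical_name.lower() != configured_name.lower():
        warnings.append(f"hostname '{configured_name}' canonicalizes to '{canonical_name}'")
    if keytab_mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append(f"keytab is group/world accessible (mode {keytab_mode & 0o777:o})")
    realm = realm_for_host(canonical_name, conf)
    principal = f"host/{canonical_name.lower()}@{realm}"
    return principal, warnings
```

Comparing the returned principal with the entries `klist -k` shows for the keytab is the remaining step a real tool would add.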
