[14795] in Kerberos
Re: kpasswd fails with multiple realms
daemon@ATHENA.MIT.EDU (Kiran Kumar M)
Mon Jul 30 10:40:06 2001
From: Kiran Kumar M <mkiran@india.hp.com>
Date: Mon, 30 Jul 2001 19:59:16 +0530
Message-ID: <3B656F3B.DA40F735@india.hp.com>
To: kerberos@MIT.EDU
Try the following kdc.conf & krb5.conf, and restart kadmind.
kdc.conf
------
[realms]
....
....
RJHOSTS.RICH.COM = {
.......
kpasswd_port = 8000
.......
}
RJUSERS.RICH.COM = {
......
kpasswd_port = 8001
......
}
.....
......
krb5.conf
-------
.......
.......
[realms]
RJHOSTS.RICH.COM = {
kdc = server1.rich.com:88
admin_server = server1.rich.com:740
kpasswd_server = server1.rich.com:8000
}
RJUSERS.RICH.COM = {
kdc = server1.rich.com:88
admin_server = server1.rich.com:720
kpasswd_server = server1.rich.com:8001
}
......
......
Rich Jamieson wrote:
> Looks like this one has been seen before - so I get the feeling that
> there is a patch out there somewhere. (search google for
> "kpasswd_server David Wragg").
> I'm using MIT, krb5-1.2.2 on Solaris 2.8.
>
> I've set up multiple realms on the same server.
> The problem is that kpasswd will not work for both realms.
> kpasswd works with one of the realms, but not the other.
>
> ----
>
> The error message I get is:
>
> kpasswd rjusers/admin@RJUSERS.RICH.COM
> Password for rjusers/admin@RJUSERS.RICH.COM:
> Enter new password:
> Enter it again:
> Authentication error: Failed reading application request
>
> -----
>
> My krb5.conf is:
> [libdefaults]
> ticket_lifetime = 600
> default_realm = RJUSERS.RICH.COM
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> [realms]
>
> RJHOSTS.RICH.COM = {
> kdc = server1.rich.com:88
> admin_server = server1.rich.com:740
> }
>
> RJUSERS.RICH.COM = {
> kdc = server1.rich.com:88
> admin_server = server1.rich.com:720
> }
>
> [domain_realm]
> .wks.rich.com = RJUSERS.RICH.COM
> .srv.rich.com = RJHOSTS.RICH.COM
>
> [logging]
> kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
> admin_server = FILE:/opt/MITkrb5/log/kadmin.log
> default = FILE:/opt/MITkrb5/log/krb5lib.log
>
> ------
>
> My kdc.conf is:
> [kdcdefaults]
> kdc_ports = 88
>
> [realms]
>
> RJHOSTS.RICH.COM = {
> profile = /opt/MITkrb5/etc/krb5.conf
> database_name = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/principal
> admin_keytab = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.keytab
> acl_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/kadm5.acl
> dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
> key_stash_file = /opt/MITkrb5/var/krb5kdc/RJHOSTS.RICH.COM/.k5stash
> kadmind_port = 740
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> }
>
> RJUSERS.RICH.COM = {
> database_name = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/principal
> admin_keytab = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.keytab
> acl_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/kadm5.acl
> dict_file = /opt/MITkrb5/var/krb5kdc/kadm5.dict
> key_stash_file = /opt/MITkrb5/var/krb5kdc/RJUSERS.RICH.COM/.k5stash
> kadmind_port = 720
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
> }
>
> [logging]
> kdc = FILE:/opt/MITkrb5/log/krb5kdc.log
> admin_server = FILE:/opt/MITkrb5/log/kadmin.log
> default = FILE:/opt/MITkrb5/log/krb5lib.log
>
> ----
> The relevant processes are:
> ps -ef | grep MIT
> root 4644 1 0 16:32:18 ? 0:00 /opt/MITkrb5/sbin/krb5kdc -r RJHOSTS.RICH.COM -r RJUSERS.RICH.COM
> root 4647 1 0 16:32:29 ? 0:00 /opt/MITkrb5/sbin/kadmind -r -port 720
> root 4649 1 0 16:32:42 ? 0:00 /opt/MITkrb5/sbin/kadmind -r RJHOSTS.RICH.COM -port 740
>
> Note:
> If I start up the "RJUSERS.RICH.COM" kadmind first, then kpasswd
> will work for that realm but not the "RJHOSTS.RICH.COM" realm.
>
> If I start up the "RJHOSTS.RICH.COM" kadmind first, then kpasswd
> will work for that realm but not the "RJUSERS.RICH.COM" realm.
>
> -----------------------------
>
> "man kpasswd" (and nowhere else that I can see) mentions a
> "kpasswd_server = host:port" entry in the krb5.conf file.
> If I add a pair of these entries my kpasswd command for both realms
> just hangs.
> eg:
> "kpasswd_server = server1.rich.com:740" { for RJHOSTS }
> and "kpasswd_server = server1.rich.com:720" { for RJUSERS }
>
> ---------
>
> My /etc/services file contains:
> grep -i ker /etc/services
>
> klogin 543/tcp # Kerberos authenticated rlogin
> kshell 544/tcp cmd # Kerberos authenticated remote shell
> RJUSERS-kerberos-adm 720/tcp # Kerberos V5 Administration
> RJUSERS-kerberos-adm 720/udp # Kerberos V5 Administration
> RJHOSTS-kerberos-adm 740/tcp # Kerberos V5 Administration
> RJHOSTS-kerberos-adm 740/udp # Kerberos V5 Administration
> kerberos 750/udp kdc # Kerberos key server
> kerberos 750/tcp kdc # Kerberos key server
> kerberos-sec 88/udp kdc # MIT V5 Kerberos key server
> kerberos-sec 88/tcp kdc # MIT V5 Kerberos key server
> krb524 4444/tcp # MIT Kerberos 5 to 4 ticket translator
> krb5_prop 754/tcp # Kerberos V5 KDC propogation
> eklogin 2105/tcp # Kerberos encrypted rlogin
>
> -----------------
>
> As I say, I think this has been seen before.
> Does anyone know where I can get a patch?
>
> regards
>
> Richard Jamieson.
--
"I'm a bear of very little brain, and big words bother me."
-- Winnie-the-Pooh ch 4, A.A.Milne
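As an added example (not from the thread and not MIT krb5 code), a small Python checker that reads the [realms] sections of a kdc.conf and a krb5.conf and reports the two conditions behind the symptoms discussed above: two realms whose kadmind instances would bind the same kpasswd port on one host (so only the one started first can serve kpasswd), and a client-side kpasswd_server whose port does not match the realm's kpasswd_port. It assumes MIT's default kpasswd port 464 wherever neither file sets one; the embedded configs are constructed from the thread's before and after settings.

```python
KPASSWD_DEFAULT = 464  # assumed default port when kpasswd_port / kpasswd_server is unset

def parse_realms(text):
    """Tiny parser for the [realms] section of krb5.conf/kdc.conf (one brace level).
    Returns {realm: {key: value}}; an added helper, not MIT's profile library."""
    realms, section, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, cur = line.strip("[]"), None
        elif section == "realms" and line.endswith("{"):
            cur = line[:-1].split("=")[0].strip()
            realms[cur] = {}
        elif line == "}":
            cur = None
        elif cur and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            realms[cur][key] = val
    return realms

def port_of(spec, default):
    """'host:port' -> port; a bare host or empty value yields the default."""
    return int(spec.rsplit(":", 1)[1]) if ":" in spec else default

def check(kdc_conf, krb5_conf):
    """List misconfigurations: realms whose kadmind instances share one kpasswd
    port (first started wins the bind), and client/server kpasswd port mismatches."""
    problems, owner = [], {}
    server = {r: int(c.get("kpasswd_port", KPASSWD_DEFAULT))
              for r, c in parse_realms(kdc_conf).items()}
    for realm, port in server.items():
        if port in owner:
            problems.append(f"{realm} shares kpasswd port {port} with {owner[port]}")
        owner.setdefault(port, realm)
    for realm, c in parse_realms(krb5_conf).items():
        if realm in server:
            client = port_of(c.get("kpasswd_server", ""), KPASSWD_DEFAULT)
            if client != server[realm]:
                problems.append(f"{realm}: client uses {client}, kadmind {server[realm]}")
    return problems

# Constructed from the thread: the original files (no kpasswd settings, so both
# realms fall back to port 464) and the suggested ones with one port per realm.
KDC_BEFORE = "[realms]\nRJHOSTS.RICH.COM = {\n kadmind_port = 740\n}\nRJUSERS.RICH.COM = {\n kadmind_port = 720\n}\n"
KRB5_BEFORE = "[realms]\nRJHOSTS.RICH.COM = {\n admin_server = server1.rich.com:740\n}\nRJUSERS.RICH.COM = {\n admin_server = server1.rich.com:720\n}\n"
KDC_AFTER = "[realms]\nRJHOSTS.RICH.COM = {\n kpasswd_port = 8000\n}\nRJUSERS.RICH.COM = {\n kpasswd_port = 8001\n}\n"
KRB5_AFTER = "[realms]\nRJHOSTS.RICH.COM = {\n kpasswd_server = server1.rich.com:8000\n}\nRJUSERS.RICH.COM = {\n kpasswd_server = server1.rich.com:8001\n}\n"
```

Running check(KDC_BEFORE, KRB5_BEFORE) flags the shared port 464, while check(KDC_AFTER, KRB5_AFTER) returns an empty list.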