[27060] in Kerberos
Re: Migrating a Kerberos Realm
daemon@ATHENA.MIT.EDU (Edward Murrell)
Tue Nov 21 21:07:02 2006
Message-ID: <4563B032.6040306@dlconsulting.com>
Date: Wed, 22 Nov 2006 15:04:34 +1300
From: Edward Murrell <edward@dlconsulting.com>
MIME-Version: 1.0
CC: kerberos@mit.edu
In-Reply-To: <200611212219.kALMJuL8007575@ginger.cmf.nrl.navy.mil>
X-SA-Exim-Mail-From: edward@dlconsulting.com
Reply-To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hmm, yes, diagnostics would be helpful, wouldn't they? :P
OK, so things have progressed slightly.
First mistake was finding EXAMPLE.COM in one of my addprincs, and
following your advice, and someone else noting that quite possibly two
different encryption types were in use here, I've deleted the two
principals on each realm and run the following on each:
kadmin.local: addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/OFFICE@DLCONSULTING.COM
kadmin.local: addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/DLCONSULTING.COM@OFFICE
I also checked clock skew, just in case that was a problem, but openntpd
is doing its job very well (< 3 seconds difference).
Now I get a string of errors like this:
Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, <unknown client> for host/atlas@OFFICE, Key table entry not found
Nov 22 14:57:56 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, <unknown client> for host/atlas@OFFICE, Key table entry not found
(atlas being the host I am trying to log in to - Yes, I know that atlas
as the host name is very silly, but it does work for the moment due to
careful DNS wizardry, and an external properly defined host shows
exactly the same errors. I will start using proper fqdns as part of this
process)
As an added wrinkle, trying to log in to the KDC via kadmin gives me the
following errors and KDC log entries:
edward@black ~ $ kadmin -s becks -p edward/admin@DLCONSULTING.COM
Authenticating as principal edward/admin@DLCONSULTING.COM with password.
Password for edward/admin@DLCONSULTING.COM:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: edward/admin@DLCONSULTING.COM for kadmin/atlas.office@DLCONSULTING.COM, Server not found in Kerberos database
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM, Additional pre-authentication required
Nov 22 15:02:51 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM
I can actually kinit with both my edward@DLCONSULTING.COM and
edward/admin@DLCONSULTING.COM principals though, so now I'm just plain
confused.
Can anyone help?
Cheers
Edward
Ken Hornstein wrote:
>> addprinc -requires_preauth krbtgt/OFFICE@COMPANY.COM
>> addprinc -requires_preauth krbtgt/COMPANY.COM@OFFICE
>>
>>
>> And er... it doesn't work. Did I miss something?
>>
>
> Well, there are a few things you are missing. Like, for one ... you
> say it doesn't work. Well, what happens? Do you have an error message?
> Any diagnostics at all?
>
> First off ... are you really sure about the -requires_preauth flag? I
> am 95% sure you don't want it. (I know that documentation you list shows
> that; I am frankly rather surprised that it does, as I can think of only
> a few reasons why you would want that, and a whole bunch why you wouldn't).
> I doubt that's the real problem, though.
>
> --Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
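A small parser for the krb5kdc AS_REQ / TGS_REQ log records quoted in this thread, added here as an example and not part of the thread or of MIT Kerberos itself. It turns each record into fields, counts non-successful outcomes per service principal, and lists the requests whose service principal lives in a realm other than the KDC's own; the sample lines are copied from the post above, and the KDC realm passed in (DLCONSULTING.COM) is an assumption.

```python
"""Parse MIT krb5kdc request log lines and summarise failed outcomes."""
import re
from collections import Counter

# One request record: "<ts> <host> krb5kdc[<pid>](<level>): <REQ> (<n> etypes {...}) <ip>: <STATUS>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>\w+): (?P<rest>.*)$")
# The tail: optional authtime, optional issued etypes, "<client> for <server>", optional message
REST_RE = re.compile(
    r"^(?:authtime (?P<authtime>\d+), )?(?:etypes \{(?P<tkt_etypes>[^}]*)\}, )?"
    r"(?P<client>.+?) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$")

# Constructed sample: the four distinct records quoted in the post above
SAMPLE_LOG = [
    "Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, <unknown client> for host/atlas@OFFICE, Key table entry not found",
    "Nov 22 14:57:56 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, <unknown client> for host/atlas@OFFICE, Key table entry not found",
    "Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: edward/admin@DLCONSULTING.COM for kadmin/atlas.office@DLCONSULTING.COM, Server not found in Kerberos database",
    "Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM, Additional pre-authentication required",
    "Nov 22 15:02:51 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, edward/admin@DLCONSULTING.COM for kadmin/admin@DLCONSULTING.COM",
]

def parse_kdc_line(line):
    """Return a dict of fields for one krb5kdc request record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = REST_RE.match(rec.pop("rest"))
    if not tail:
        return None
    rec.update(tail.groupdict())
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]   # etypes offered by the client
    rec["server_realm"] = rec["server"].rsplit("@", 1)[-1]    # realm of the requested service
    return rec

def summarize_failures(lines, kdc_realm):
    """Count outcomes other than ISSUE / NEEDED_PREAUTH per (status, service principal),
    and list failed requests for services outside kdc_realm (NEEDED_PREAUTH is the
    normal first leg of a preauthenticated AS exchange, so it is not a failure)."""
    failures, foreign = Counter(), []
    for rec in filter(None, map(parse_kdc_line, lines)):
        if rec["status"] in ("ISSUE", "NEEDED_PREAUTH"):
            continue
        failures[(rec["status"], rec["server"])] += 1
        if rec["server_realm"] != kdc_realm:
            foreign.append((rec["req"], rec["server"], rec["msg"]))
    return failures, foreign
```

Running `summarize_failures(SAMPLE_LOG, "DLCONSULTING.COM")` separates the two host/atlas@OFFICE TGS failures (a service in the other realm) from the single kadmin/atlas.office@DLCONSULTING.COM lookup failure in the KDC's own realm.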