[27074] in Kerberos
Re: Migrating a Kerberos Realm
daemon@ATHENA.MIT.EDU (Edward Murrell)
Wed Nov 29 21:25:41 2006
Message-ID: <456E4113.2020902@dlconsulting.com>
Date: Thu, 30 Nov 2006 15:25:23 +1300
From: Edward Murrell <edward@dlconsulting.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <200611242005.kAOK5Y9i001934@ginger.cmf.nrl.navy.mil>
X-SA-Exim-Mail-From: edward@dlconsulting.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I thought I'd post back here how I got on.
So it turned out to be a funky combination of my earlier silliness in
having single names as hostnames (apollo, instead of apollo.office),
returning the single hostname in the reverse DNS, and having a single
name set in the /etc/hostname (which I'm sure should be the shortname).
This led to some weird behaviour where I could connect to a machine via
ssh, and use the new password, but couldn't SSO through to it without a
password.
I also discovered the hard way how to do name mapping;
In your krb5.conf, under domain_realm, you need something like;
OFFICE = {
auth_to_local = RULE:[1:$1]
auth_to_local = RULE:[2:$1]
auth_to_local = DEFAULT
}
This is probably really really bad unless your trying to migrate a realm
(eg, user@REALM1 is the same person as user@REALM2).
In the meantime, I'm resigned to having really big krb5.conf files while
in transition. Such is life.
--
The next step will be to roll out a full krb5.conf to every machine, add
proper host/complete.domain.name.com@REALM to to each keytab, convert
all the machines over to using the new realm, then move the users one by
one to the new domain. Cool! :) Hopefully, I'll move over the entire
infrastructure, switch all the users over, and most users will not be
any the wiser, except when I tell them to re-enter their password.
Cheers
Edward
Ken Hornstein wrote:
>> As requested;
>> [...]
>>
>
> I confess ... I'm not sure what's going wrong here. A common error is
> that the enctypes or the kvno's don't match ... but you seem to have that
> all correct.
>
> >From my memory, the error you were seeing was "Key table entry not found",
> right? That's KRB5_KT_NOTFOUND, and that's almost certainly coming from
> lib/kdb/keytab.c. I guess if I were you, I would run the KDC under a debugger
> and see exactly why I'm getting that error.
>
> --Ken
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
