[27441] in Kerberos
Re: kadmin problem
daemon@ATHENA.MIT.EDU (Jeremy Thomas Hunt)
Wed Feb 14 02:14:49 2007
Message-Id: <25449249.1171436192348.JavaMail.root@optim1>
Date: Wed, 14 Feb 2007 17:56:27 +1100
From: Jeremy Thomas Hunt <jeremyh@optimation.com.au>
Mime-Version: 1.0
Cc: kerberos@mit.edu
In-Reply-To: <32364827.1171432512479.JavaMail.root@optim1>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Scotty,
From your entry in the kdc.log it looks to me like you do have a valid
admin principal and your password is correct, so I am guessing your
permissions for that principal are wrong.
Look in your /krb5/var/krb5kdc/kadm5.acl file on the kerberos master, to
see if the principal you are using has any admin privileges.
If you do not find this file there, see if its location is defined in
your kdc.conf file, which can also be found in the /krb5/var/krb5kdc
directory.
If you do not have a kadm5.acl file, then create it - but first make
sure it is not defined as being somewhere else in your kdc.conf. If it
is defined as being somewhere else, then you will be wasting your time
creating and editing a new one.
The next step is to check if your principal, or a class of principals
which your principal belongs to is defined in this file. If you do find
a match then you need to see if you have the correct permissions for an
administrator.
Read the man page for kadm5.acl, but to get you started, if you do not
find a match then you could try entering
scotty/admin@SCOTTY.COMPANY.COM *
which should give your principal all privileges for all domains
controlled by that kerberos master. After you have understood the man
page you may want to generalise this entry or prune its permissions.
More gotchas to watch out for, I suspect you have to stop and start the
kadmind process on the security server each time you change the
kadm5.acl file.
By the way, you do have the kadmind process running on your security
server don't you?
I hope this all helps you in any case.
Cheers,
Jeremy
scotty adams wrote:
> [safeTgram (optim1) receive status: NOT encrypted, NOT signed.]
>
>
>
> Hi,
>
> Here is the log line found under kdc.log
>
> Feb 11 15:50:50 scotty krb5kdc[17623](info): AS_REQ 192.168.1.12(88): ISSUE: authtime 1171216250, scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.company.com@SCOTTIE.COMPANY.COM
>
> Times on both servers are identical
> Pls advise
>
> Thanks,
> scotty
>
>
>
> Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote: >Then what is the problem???
>
>> How can it be solved? i am really stuck
>>
>
> Sigh. If nothing useful appears in kadmind or kdc logs ... well, the only
> way I know of to debug this problem is to run kadmin under the debugger
> and trace down the problem. One thing comes to mind: it looks like you
> have NAT involved somewhere. kadmin doesn't work from behind a NAT.
>
> --Ken
>
>
>
> ---------------------------------
> Expecting? Get great news right away with email Auto-Check.
> Try the Yahoo! Mail Beta.
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos