[29341] in Kerberos
Re: Kerberos initialisation error
daemon@ATHENA.MIT.EDU (Cov)
Thu Feb 21 07:15:26 2008
From: Cov <dgcoventry@gmail.com>
Date: Thu, 21 Feb 2008 04:14:27 -0800 (PST)
Message-ID: <3b81b456-e11e-4c9a-b2ac-fe349664ad24@q33g2000hsh.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Okay, /etc/krb5kdc/kdc.conf had to be edited as below:
++++++++++++++++++/etc/krb5kdc/kdc.conf+++++++++++++++++++++
[kdcdefaults]
kdc_ports = 750,88
[realms]
IQETD.LAN = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:norma$
default_principal_flags = +preauth
}
+++++++++++++++ end of /etc/krb5kdc/kdc.conf++++++++++++++
Also I had to run "krb5_newrealm" to initialise the KDC database.
This give the following useful tips:
++++++++++++++++++++++++++++++++++++++++++++++++++
# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm
'IQETD.LAN',
master key name 'K/M@IQETD.LAN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
++++++++++++++++++++++++++++++++++++++++++++++++++
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
