From d.h.davis@bath.ac.uk Wed Jun 6 12:05:01 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
    by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id MAA16566
    for ; Wed, 6 Jun 2001 12:05:00 -0400 (EDT)
Received: from pat.bath.ac.uk (exim@pat.bath.ac.uk [138.38.32.2])
    by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id MAA14348
    for ; Wed, 6 Jun 2001 12:05:00 -0400 (EDT)
Received: from ancho.bath.ac.uk ([138.38.52.202] helo=bath.ac.uk ident=jzdziomz1jdnubltices)
    by pat.bath.ac.uk with smtp (Exim 3.12 #1) id 157fnn-0006xe-00
    for krb5-bugs@mit.edu; Wed, 06 Jun 2001 17:04:59 +0100
Received: (from ccsdhd@localhost) by ancho.bath.ac.uk id aa13860 ;
    6 Jun 2001 17:04 +0100
Message-Id: <200106061704.aa13860@ancho.bath.ac.uk>
Date: Wed, 6 Jun 2001 17:04:58 +0100 (BST)
From: Dennis Davis
Sender: D.H.Davis@bath.ac.uk
Reply-To: Dennis Davis
To: krb5-bugs@mit.edu
Cc: Dennis Davis
Subject: Problems initialising a KerberosV database.
X-Send-Pr-Version: 3.99

>Number: 964
>Category: krb5-admin
>Synopsis: Problems initialising a KerberosV database.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jun 6 12:06:01 EDT 2001
>Last-Modified:
>Originator: Dennis Davis
>Organization: Bath University Computing Services, UK
>Release: krb5-1.2.2
>Environment:
System: OpenBSD ancho.bath.ac.uk 2.8 ANCHO#0 i386
>Description:
I'm trying to set up krb5-1.2.2 on an OpenBSD2.8 system. I've configured it with:

    configure --with-cc=cc --with-ccopts=-O2 --prefix=/kerberosV \
        --enable-dns-for-realm --with-krb4 \
        --with-tcl=/usr/local --enable-shared

and, with a slight change to the source, it compiles & installs OK.

I have an /etc/krb5.conf of:

    [libdefaults]
        clockskew = 300
        default_realm = BATH.AC.UK
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        krb4_srvtab = /etc/srvtab
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms

    [realms]
        BATH.AC.UK = {
            kdc = ancho.bath.ac.uk:88
            admin_server = ancho.bath.ac.uk:749
            default_domain = bath.ac.uk
        }

    [domain_realm]
        .bath.ac.uk = BATH.AC.UK

    [login]
        krb5_get_tickets = true
        krb4_get_tickets = true

    [kdc]
        profile = /kerberosV/var/krb5kdc/kdc.conf

    [logging]
        kdc = FILE:/kerberosV.logs/krb5kdc.log
        admin_server = FILE:/kerberosV.logs/kadmin.log
        default = FILE:/kerberosV.logs/kr5lib.log

and a /kerberosV/var/krb5kdc/kdc.conf of:

    [kdcdefaults]
        kdc_ports = 88,750
        v4_mode = nopreauth

    [realms]
        BATH.AC.UK = {
            database_name = /kerberosV/var/krb5kdc/principal
            admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
            acl_file = /kerberosV/var/krb5kdc/kadm5.acl
            dict_file = /kerberosV/var/krb5kdc/kadm5.dict
            key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
            kadmind_port = 749
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
            kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        }

    [logging]
        kdc = FILE:/kerberosV.logs/krb5kdc.log
        admin_server = FILE:/kerberosV.logs/kadmin.log
        default = FILE:/kerberosV.logs/kr5lib.log

When I create a fresh database with the above, I get:

    root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
    Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
    master key name 'K/M@BATH.AC.UK'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    kdb5_util: No such file or directory while initializing the kerberos context

and when I attempt to edit the database using kadmin.local it immediately bombs out:

    (root) ?// /kerberosV/sbin/kadmin.local
    Authenticating as principal root/admin@BATH.AC.UK with password.
    kadmin.local: No such file or directory while initializing kadmin.local interface

It seems to me that there is some confusion here. The machine hasn't recognised that it is the KerberosV server and is expecting to contact one somewhere else.

If I change the master_key_type in kdc.conf to des-cbc-crc, everything works a treat:

    (root) ?// ex kdc.conf
    kdc.conf: unmodified: line 23
    :15p
    master_key_type = des3-hmac-sha1
    :s/des3-hmac-sha1/des-cbc-crc
    master_key_type = des-cbc-crc
    :w
    kdc.conf: 23 lines, 827 characters
    :q
    (root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
    Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
    master key name 'K/M@BATH.AC.UK'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    (root) ?// /kerberosV/sbin/kadmin.local
    Authenticating as principal root/admin@BATH.AC.UK with password.
    kadmin.local:

I apologise for the wordiness of the above. I'm trying to explain as clearly as possible what I'm seeing.

It's slightly annoying not being able to use des3-hmac-sha1 for the master key. However it's hardly crucial; des-cbc-crc should be good enough especially as access to the KerberosV server should be physically and computationally restricted.

I don't think that this is a problem with the operating system and/or version of gcc. OpenBSD2.8 uses gcc 2.95.3 as its compiler. I get similar problems on a Solaris2.5.1 box using gcc 2.8.1.
>How-To-Repeat:
See above.
>Fix:
Use a master key type of des-cbc-crc.
>Audit-Trail:
>Unformatted: Unable to use a master key type of des3-hmac-sha1.
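
Added example (not part of the original report and not MIT krb5 code): a small parser for the kdc.conf format shown above that lists each realm's master_key_type and key/salt enctypes and marks the single-DES ones, which is what the workaround in this report selects for the master key. The function names are illustrative, and the sample stanza is a trimmed copy of the kdc.conf in the report.

```python
# Single-DES enctype names in MIT krb5 (deprecated by RFC 6649).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("master_key_type", "supported_enctypes", "kdc_supported_enctypes")

# Realm stanza copied from the kdc.conf in the report, trimmed to its enctype settings.
SAMPLE = """\
[realms]
    BATH.AC.UK = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
"""

def parse_profile(text):
    """Parse krb5 profile syntax into {section: {name: value or nested dict}}."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            name, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(name, {}))
            else:
                stack[-1][name] = value
    return sections

def audit_realms(text):
    """Return {realm: [(setting, enctype, is_single_des), ...]} for each realm stanza."""
    report = {}
    for realm, conf in parse_profile(text).get("realms", {}).items():
        conf = conf if isinstance(conf, dict) else {}
        rows = []
        for key in ENCTYPE_KEYS:
            # Entries are "enctype" or "enctype:salttype", separated by spaces or commas.
            for item in conf.get(key, "").replace(",", " ").split():
                enctype = item.split(":", 1)[0]
                rows.append((key, enctype, enctype in SINGLE_DES))
        report[realm] = rows
    return report

if __name__ == "__main__":
    for realm, rows in audit_realms(SAMPLE).items():
        print(realm, *rows, sep="\n  ")
```

Run against the configuration as posted, only the key/salt lists are marked; with the workaround applied, the master_key_type row is marked as well.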