From petals@pandora.petalshome.com Tue Feb 4 15:06:22 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA21989 for <bugs@RT-11.MIT.EDU>; Tue, 4 Feb 1997 15:06:21 -0500
Received: from petals.vip.best.com by MIT.EDU with SMTP
id AA23057; Tue, 4 Feb 97 15:01:40 EST
Received: from gomer.petalshome.com (gomer [192.168.1.66]) by haedes.petalshome.com (8.6.12/8.6.9) with SMTP id LAA03254; Tue, 4 Feb 1997 11:11:25 -0800
Message-Id: <199702041911.LAA03254@haedes.petalshome.com>
Date: Tue, 4 Feb 1997 11:11:30 +0000
From: "Michael Robinton" <petals@girlswear.com>
Reply-To: petals@girlswear.com
To: "Putnam, Dennis" <dputnam@hayes.com>
Cc: kerberos@MIT.EDU, krb5-bugs@MIT.EDU
Subject: RE: 1.0 problems
Comments: Authenticated sender is <petals@pandora>

>Number: 365
>Category: krb5-doc
>Synopsis: RE: 1.0 problems
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 04 15:07:01 EST 1997
>Last-Modified: Fri Sep 14 10:27:53 EDT 2001
>Originator: "Michael Robinton" <petals@girlswear.com>
>Organization:
>Release: 1.0
>Environment:
>Description:
"Putnam, Dennis" <dputnam@hayes.com> wrote:
> I didn't see where you created the kpropd.acl file and I assume you
> entered the appropriate lines in /etc/services. I followed the
> installation guide exactly (including using all defaults) and still had
> trouble. I can't explain it but I had to recreate the /etc/krb5.keytab
> file several times before it worked. I think the trick is to set
> everything up according to the guide than before issuing the kprop
> commands erase the existing /etc/krb5.keytab files of the master and

This is not an upgrade but a clean new install. I do have kpropd.acl
that contains the 3 kdc's

host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM

When creating krb5.keytab, it is not clear from the documentation if you

ktadd host/kmaster.domain on each kdc or
ktadd host/khostname.domain on each kdc
e.g. does the local keytab always point to the master kdc or does it
always point to the local kdc?

I also noticed that when adding host principals to the database that
the warning is not given as it is shown in the Install Guide
e.g.
kadmin: addprinc -randkey host/kmaster.domain
[WARNING: blah blah policy] << does not appear it just says
Principal "host/kmaster.domain@DOMAIN" created.
Did you see this also or do I have something broken??
Thanks, Michael

---- it is a couple of hours later, I finally gave up messing around
with the keytab files. Deleting and recreating does not seem to make
a difference. I copied the slave_datatrans file over to kslave2 and
used kdb5_util to load the db manually. I had a suspicion that
something is left out of the install procedure or that what is shown
only works if it is loaded over a previous version. Anyway.... on
attempt to repeat the kprop, now I get a different error message
NOTE:
kprop -f slave_datatrans host/kslave2.petalshome.com
kprop: while setting server principal name
It does not seem to complete, but it is recognizing the destination.
The new message is cryptic enough to be un-intelligible.

I have modified my install script a tad and appended it to the
message at bottom.

Michael

----end new message------
> slave KDC then recreate it on each host. Good luck, it sure frustrated
> me for a while. One other thought, I got into trouble when I followed
> the guide for converting the beta 5 database. Use the -update option on
> the load even if you do not have OpenV*Secure or it will clobber your
> new keys.
>

NEW install script:
NOTE: kslave1 has not had kerberos installed yet
-----------------------------------------
logged in as user 'root' on host pandora <<ON KMASTER

domain .petalshome.com 192.168.1.x

kmaster CNAME pandora
kslave2 CNAME wormhole
kslave1 CNAME knothole

--------------/etc/krb5.conf-------------
[libdefaults]
ticket_lifetime = 600
default_realm = PETALSHOME.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
PETALSHOME.COM = {
kdc = kmaster.petalshome.com:88
kdc = kslave1.petalshome.com:88
kdc = kslave2.petalshome.com:88
admin_server = kmaster.petalshome.com:749
default_domain = petalshome.com
}

[domain_realm]
.petalshome.com = PETALSHOME.COM
petalshome.com = PETALSHOME.COM

[logging]
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmin.log
default = FILE:/var/adm/krb5lib.log
-------------------------------------------
-----/usr/local/var/krb5kdc/kdc.conf-------
[kdcdefaults]
kdc_ports = 88,750

[realms]
PETALSHOME.COM = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/local/var/krb5kdc/kadm5.dict
key_stash_file = /usr/local/var/krb5kdc/.k5.PETALSHOME.COM
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal
}
--------------------------------------------
pandora:/# /usr/local/sbin/kdb5_util create -r PETALSHOME.COM -s
Initializing database '/usr/local/var/krb5kdc/principal' for realm
'PETALSHOME.COM', master key name 'K/M@PETALSHOME.COM'
You will be prompted for the database Master Password. It is important that you
NOT FORGET this password. Enter KDC database master key:
Re-enter KDC database master key to verify:
--------------kadm5.acl---------------------
root/admin@PETALSHOME.COM
* root/*@PETALSHOME.COM *
--------------------------------------------
pandora:/# /usr/local/sbin/kadmin.local
kadmin.local: addprinc root/admin@PETALSHOME.COM
Enter password for principal "root/admin@PETALSHOME.COM":
Re-enter password for principal "root/admin@PETALSHOME.COM":
Principal "root/@PETALSHOME.COM" created.
--------------------------------------------------------
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
--------------------------------------------
/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
cat /var/adm/k*.log
Feb 03 09:56:34 pandora kadmind[28743](info): starting
Feb 03 09:56:34 pandora krb5kdc[28741](info): commencing operation
--------------------------------------------
pandora:/usr/local/var/krb5kdc# /usr/local/sbin/kadmin
Enter password:
kadmin: addprinc -randkey host/kmaster.petalshome.com
Principal "host/kmaster.petalshome.com@PETALSHOME.COM" created.
kadmin: addprinc -randkey host/kslave1.petalshome.com
Principal "host/kslave1.petalshome.com@PETALSHOME.COM" created.
kadmin: addprinc -randkey host/kslave2.petalshome.com
Principal "host/kslave2.petalshome.com@PETALSHOME.COM" created.
------------kpropd.acl----------------------
host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM
--------------------------------------------
kadmin: ktadd host/kmaster.petalshome.com
Entry for principal host/kmaster.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin: q
--------------------------------------------
at this point the following files are copied to KSLAVE2
/etc/krb5.conf
/usr/local/var/krb5kdc/kdc.conf
/usr/local/var/krb5kdc/kadm5.acl
/usr/local/var/krb5kdc/kpropd.acl
-----------------------------------
---user 'root' on kslave2 CNAME wormhole---<<<< ON KSLAVE2
kadmin: ktadd host/kslave2.petalshome.com
Entry for principal host/kslave2.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin: q
--------------------------------------------
---------added to each inetd.conf-----------
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -k -c -e

kill -HUP (pid of inetd all kdc's)
--------------------------------------------
-------------services lines-----------------
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
kerberos-adm 749/udp
krb5_prop 754/tcp # Kerberos slave propagation
eklogin 2105/tcp # Kerberos encrypted rlogin
------------------------------------
---user 'root' on kmaster CNAME pandora----- <<< ON KMASTER ERROR ERROR
/usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kslave2.petalshome.com
/usr/local/sbin/kprop: Client not found in Kerberos database while getting initial ticket
--------------------------------------------
-----just for information------
kadmin: listprincs
kadmin/history@PETALSHOME.COM
K/M@PETALSHOME.COM
krbtgt/PETALSHOME.COM@PETALSHOME.COM
root/admin@PETALSHOME.COM
kadmin/admin@PETALSHOME.COM
kadmin/changepw@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM
------------------------------------------

----------------------------------------------------
See Petals' new web page at http://www.girlswear.com
for Pretty little girls wearing
distinctive clothing and accessories
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
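Added example, not part of the original mail or of the krb5 distribution: an offline check of the two things kprop needs before it can push a dump, which is what the keytab and kpropd.acl questions above turn on. MIT kprop derives its client principal from the local canonical hostname, so the principal for the host's real name (pandora, not the kmaster alias) must be in the keytab, and the slave's kpropd.acl must list that same principal. The `klist -k` listing and kpropd.acl below are constructed from the principals in the mail; REALM and the function names are my own.

```shell
#!/bin/sh
# Added example: offline check of kprop prerequisites (not from the mail).
# In practice feed it `klist -k /etc/krb5.keytab` output and the slave's
# kpropd.acl; here both are constructed from the principals in the mail.

REALM=PETALSHOME.COM   # realm from the mail's krb5.conf

# Constructed sample: `klist -k` on the master after `ktadd host/kmaster...`.
MASTER_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 host/kmaster.petalshome.com@PETALSHOME.COM'

# Constructed sample kpropd.acl: the three entries shown in the mail.
KPROPD_ACL='host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM'

# keytab_has PRINCIPAL LISTING: succeeds if the klist -k output shows it.
keytab_has() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# acl_allows PRINCIPAL ACL: succeeds if kpropd.acl has it as a whole line.
acl_allows() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# check_kprop_prereqs CANONICAL_FQDN SLAVE_FQDN KEYTAB_LISTING KPROPD_ACL
# kprop names its client host/<canonical local hostname>, so a KDC reached
# through a CNAME (kmaster -> pandora in the mail) needs the principal for
# its real name in the keytab, and the slave's kpropd.acl must list it.
# Prints the first problem found and returns non-zero.
check_kprop_prereqs() {
    client="host/$1@$REALM"
    if ! keytab_has "$client" "$3"; then
        echo "client principal $client missing from keytab"; return 1
    fi
    if ! acl_allows "$client" "$4"; then
        echo "client principal $client not permitted by kpropd.acl"; return 2
    fi
    echo "ok: $client may push to host/$2@$REALM"
}

# Real hostname pandora: fails, the keytab only holds the alias principal.
check_kprop_prereqs pandora.petalshome.com kslave2.petalshome.com \
    "$MASTER_KEYTAB_LISTING" "$KPROPD_ACL"
# Alias name kmaster: passes, which is the setup the mail shows.
check_kprop_prereqs kmaster.petalshome.com kslave2.petalshome.com \
    "$MASTER_KEYTAB_LISTING" "$KPROPD_ACL"
```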