Kerberos initialisation error - Kerberos



Thread: Kerberos initialisation error

  1. Kerberos initialisation error

    Hi,

    I need to use Kerberos to authenticate users for squid via samba.

    My /etc/hosts is as follows:
    ============================================
    127.0.0.1 localhost localhost.localdomain localhost
    127.0.1.1 iqBase iqBase.iqetd.lan
    192.168.60.254 iqBase.iqetd.lan

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    ============================================

    My /etc/krb5.conf
    ============================================
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = IQETD.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    IQETD.LAN = {
    kdc = 192.168.60.254:88
    admin_server = 192.168.60.254:749
    default_domain = IQETD.LAN
    }

    [domain_realm]
    .iqetd.lan = IQETD.LAN
    iqetd.lan = IQETD.LAN

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }
    ============================================

    When I run /etc/init.d/krb5-admin-server restart, I get:
    # /etc/init.d/krb5-admin-server restart
    * Restarting Kerberos administrative servers kadmind
    kadmind: Improper format of Kerberos configuration file while initializing context, aborting

    I am using Ubuntu 7.10 server.

    Any assistance would be very welcome.

    Thank you

    Dave Coventry

  2. Re: Kerberos initialisation error

    Okay, /etc/krb5kdc/kdc.conf had to be edited as below:

    ++++++++++++++++++/etc/krb5kdc/kdc.conf+++++++++++++++++++++
    [kdcdefaults]
    kdc_ports = 750,88

    [realms]
    IQETD.LAN = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    kdc_ports = 750,88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    des:norma$
    default_principal_flags = +preauth
    }
    +++++++++++++++ end of /etc/krb5kdc/kdc.conf++++++++++++++
    Also I had to run "krb5_newrealm" to initialise the KDC database.

    This gives the following useful tips:

    ++++++++++++++++++++++++++++++++++++++++++++++++++
    # krb5_newrealm
    This script should be run on the master KDC/admin server to initialize
    a Kerberos realm. It will ask you to type in a master key password.
    This password will be used to generate a key that is stored in
    /etc/krb5kdc/stash. You should try to remember this password, but it
    is much more important that it be a strong password than that it be
    remembered. However, if you lose the password and /etc/krb5kdc/stash,
    you cannot decrypt your Kerberos database.
    Loading random data
    Initializing database '/var/lib/krb5kdc/principal' for realm
    'IQETD.LAN',
    master key name 'K/M@IQETD.LAN'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:


    Now that your realm is set up you may wish to create an administrative
    principal using the addprinc subcommand of the kadmin.local program.
    Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
    you can use the kadmin program on other computers. Kerberos admin
    principals usually belong to a single user and end in /admin. For
    example, if jruser is a Kerberos administrator, then in addition to
    the normal jruser principal, a jruser/admin principal should be
    created.

    Don't forget to set up DNS information so your clients can find your
    KDC and admin servers. Doing so is documented in the administration
    guide.
    ++++++++++++++++++++++++++++++++++++++++++++++++++
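
A format checker for files written in the krb5 profile syntax (krb5.conf, kdc.conf), added here as an example and not part of this thread or of MIT Kerberos: it reports the structural faults that typically sit behind kadmind's "Improper format of Kerberos configuration file" (a tag outside any [section], a `{` never closed, a stray `}`), and it flags single-DES and RFC 8429-deprecated enctypes such as the des-cbc-crc and des3-hmac-sha1 entries in the kdc.conf above. The check_profile name and the SAMPLE_BAD config are constructed for this example.

```python
import re
SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
TAG_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*?)$")
ENCTYPE_TAGS = {"supported_enctypes", "master_key_type", "default_tgs_enctypes", "default_tkt_enctypes"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}       # single DES, removed in MIT krb5 1.18
DEPRECATED = {"des3-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac"}  # deprecated by RFC 8429

def check_profile(text):
    # Returns format errors, weak-crypto warnings and a flat {section.sub.tag: value} map.
    errors, warnings, relations = [], [], {}
    path = []                                  # [section, subsection, ...] currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if m := SECTION_RE.match(line):        # a [section] header resets the nesting
            if len(path) > 1:
                errors.append(f"line {lineno}: [{m.group(1)}] starts while {'.'.join(path)} is unclosed")
            path = [m.group(1)]
        elif not path:
            errors.append(f"line {lineno}: '{line}' appears before any [section] header")
        elif line == "}":                      # close a nested relation
            if len(path) > 1:
                path.pop()
            else:
                errors.append(f"line {lineno}: '}}' without a matching '{{'")
        elif m := TAG_RE.match(line):
            tag, value = m.groups()
            if value == "{":                   # open a nested relation (tag = {)
                path.append(tag)
                continue
            key = ".".join(path + [tag])
            relations[key] = value
            for enc in (t.split(":")[0] for t in value.split() if tag in ENCTYPE_TAGS):
                if enc in WEAK:
                    warnings.append(f"line {lineno}: {key} uses single-DES '{enc}'")
                elif enc in DEPRECATED:
                    warnings.append(f"line {lineno}: {key} uses '{enc}', deprecated by RFC 8429")
        else:
            errors.append(f"line {lineno}: cannot parse '{line}'")
    if len(path) > 1:
        errors.append(f"end of file: unclosed '{{' for {'.'.join(path)}")
    return {"errors": errors, "warnings": warnings, "relations": relations}

# Constructed sample: a kdc.conf whose [realms] block is missing its closing '}'
SAMPLE_BAD = """[realms]
IQETD.LAN = {
database_name = /var/lib/krb5kdc/principal
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
"""
```

Run it over the real files with `check_profile(open("/etc/krb5kdc/kdc.conf").read())` to get a line number instead of kadmind's one-line abort.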
