Re: kinit problem - Kerberos


  1. Re: kinit problem

    Hi Scanell,

    Thanks for your reply. Actually, that's what I wanted to hear about Solaris and the binaries. But I got a major problem: kadmind on execution is giving the following:
    Bus Error (core dumped)
    How can I solve that?

    One more question. My application needs to use Kerberos for authentication, but what I am getting in the logs is the following:
    javax.security.auth.login.LoginException: Client not found in Kerberos database

    and when I use kadmin -p user
    it prompts the following:
    Enter Password:
    kadmin: Communication failure with server while initializing kadmin interface

    Can you please guide me?

    Thanks,
    Scotty

    scanell wrote: One additional comment about Solaris Kerberos...

    Solaris Kerberos creates the database into the /var/krb5 directory.
    Further, the config files are located in /etc/krb5.

    The user Kerberos commands are in /usr/bin while the system Kerberos commands are found in /usr/sbin.

    You'll find the binaries for Solaris Kerberos in /usr/lib/krb5... things like kpropd for receiving propagated
    master DB contents to slaves, kadmind for remote management of the master server which is also responsible
    for receiving password changes, and krb5kdc, the interface for the clients into the Kerberos DB for authentication.

    Steve

    scotty adams wrote:

    Hi Jeffrey,

    I am following the guide that you have passed me.

    I am stuck at this stage:
    Building Within a Single Tree
    If you don't want separate build trees for each architecture, then use the following abbreviated procedure.

    cd /u1/krb5-1.6/src
    ./configure
    make

    After I ran the configure, how can I run the make?



    Jeffrey Altman wrote: scotty adams wrote:


    Hi Christopher,

    I am following some white papers that I found on the net to set up Kerberos. I used the following command to create the database:


    /usr/sbin/kdb5_util create -r SCOTTY.COM -s

    yet I can't see the cache file. Moreover, the rest of the white papers aren't
    leading me to any correct solutions.

    I need to enable Kerberos 5 on my Solaris machine.
    Please advise me how to proceed.

    Many thanks,
    Scotty



    I suggest you read the installation guide, user guide, and admin guide
    from the distribution:

    http://web.mit.edu/kerberos/krb5-1.6/#documentation

    What the kdb5_util create command does is create a Kerberos Database for the purpose of establishing a new Kerberos realm. This database is the back-end for the Key Distribution Center. This is the Kerberos service that authenticates users and issues tickets for accessing services.

    A credential cache is not located on the KDC. A credential cache is located on the client machine and is created only after a user performs an initial authentication against the KDC and receives back a Ticket Granting Ticket.

    Jeffrey Altman
    Secure Endpoints Inc.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


    --
    Stephen E. Canell
    Sr Engineer, UNIX System Administrator
    Institutional Business Systems
    Jet Propulsion Laboratory
    4800 Oak Grove Drive
    Pasadena, Calif. 91109
    Office: (818) 354-1731
    Cell: (818) 653-8303






  2. Re: kinit problem

    On Tue, Feb 06, 2007 at 09:48:53PM -0800, scotty adams wrote:
    > Hi Scanell,
    >
    > Thanks for your reply. Actually that what i wanted to hear about solaris and the binaries. But i got a major problem the kadmind on execution is giving the following:


    A number of versions of Solaris support kerberos natively. You can read
    about Kerberos configuration here:
    http://docs.sun.com/app/docs/doc/816...aosrjk5?a=view

    Or go to docs.sun.com and find this path:
    Solaris 10 System Administrator Collection >> System Administration
    Guide: Security Services >> Kerberos Service

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)


  3. kadmin problem

    Hi all,

    I am getting the following error

    bash-2.05# kadmin -p scotty
    Enter Password:
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

    In the /var/krb5/kdc.log file I get the following:

    Feb 10 13:12:18 scotty krb5kdc[17623](info): AS_REQ 192.168.1.12(88): ISSUE: authtime 1171120338, scotty@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.company.com@SCOTTIE.COMPANY.COM

    Can anyone help me make this work out?

    Thanks,
    Scotty




  4. Re: kadmin problem

    I tried the following:

    bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
    Enter Password:
    kadmin: Incorrect password while initializing kadmin interface

    Even though the password that I used is surely correct!!!

    Please point me out to these two errors.

    Regards,
    Scotty



  5. Re: kadmin problem

    >bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
    >Enter Password:
    >kadmin: Incorrect password while initializing kadmin interface


    Well, you definitely don't want to use -p kadmin/scottie.beruit.navlink.com,
    that's a password you don't know.

    ># kadmin -p scotty
    >Enter Password:
    >kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


    This is the real problem. Unfortunately, the "real" error is hidden when
    using kadmin ... which always struck me as an amazingly poor design.

    --Ken


  6. Re: kadmin problem

    Hey, what about the time delta?
    Please check the time delta between your client & server; it should not be more
    than 5 mins. If it is, then change the time on the client & retry.

    (If the server and client are both on the same machine, then please ignore
    this mail.)

    Regards,
    Rathor


  7. Re: kadmin problem

    Hi,

    This is what I am getting after all

    bash-2.05# kadmin scotty
    Enter Password:
    Enter Password:
    kadmin: Preauthentication failed while initializing kadmin interface

    kdc.log shows:

    Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed

    Any help on this ... appreciated

    Thanks,
    scotty



  8. Re: kadmin problem

    scotty adams wrote:
    > This is what i am getting after all
    >
    > bash-2.05# kadmin scotty
    > Enter Password:
    > Enter Password:
    > kadmin: Preauthentication failed while initializing kadmin interface


    Preauth failed is usually a "wrong password" message.

    Can you kinit scotty ?



  9. Re: kadmin problem

    scotty adams writes:
    > Hi,
    >
    > This is what i am getting after all
    >
    > bash-2.05# kadmin scotty
    > Enter Password:
    > Enter Password:
    > kadmin: Preauthentication failed while initializing kadmin interface
    >
    > kdc.log shows:
    >
    > Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed
    >
    > Any help on this ... appreciated
    >
    > Thanks,
    > scotty
    >
    > scotty adams wrote: I tried the following:
    >
    > bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
    > Enter Password:
    > kadmin: Incorrect password while initializing kadmin interface
    >
    > even the password that i used is surely correct!!!
    >
    > Please point me out to these two errors.
    >
    > Regards,
    > Scotty


    "Preauthentication failed" probably doesn't mean your password
    is incorrect. At least, in my test environment, I get
    "Incorrect password" if I botch the password with preauth turned on.
    The first thing I would look at with that is to see if
    time is sync'd up. The 2nd thing I'd try is to see if it works
    if REQUIRES_PRE_AUTH is turned off on the principal.

    When you're getting messages like these--"preauth failed" or "bad pw",
    that's not a kadm5 problem, that's a krb5 problem. You can separate
    out and simplify your problem by trying kinit and kvno first.
    When you get those to work, then you can fool around with kadmin.

    For these experiments, you may need to set password or examine
    what's in the kdb. On your kdc, as root, run
    kadmin.local
    then you can do things like
    getprinc
    listprincs
    cpw
    xst
    etc. Use all but the last liberally. Use the last only when you
    intend to replace a keytab that you are convinced is broken.

    Below, see scotty.scottie.navlink.com . Use what you really
    have - is that really your admin_server host?
    If that is, you should probably have something like:
    [libdefaults]
        default_realm = SCOTTIE.COMPANY.COM
    [realms]
        SCOTTIE.COMPANY.COM = {
            kdc = scotty.scottie.navlink.com:88
            master_kdc = scotty.scottie.navlink.com:88
            admin_server = scotty.scottie.navlink.com:749
        }
    [domain_realm]
        .navlink.com = SCOTTIE.COMPANY.COM
    in your krb5.conf file, plus at least a local dns environment
    where a lookup of scotty.scottie.navlink.com goes to the right thing,
    and a reverse arpa lookup of the ipaddress also points back
    at the same name.

    So, the commands you should get working are
    (client machine):
    ping -s scotty.scottie.navlink.com
    ^C
    kinit scotty@SCOTTIE.COMPANY.COM
    kinit scotty/admin@SCOTTIE.COMPANY.COM
    kvno kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
    ?? kvno kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
    klist -fean
    (on the kdc):
    cd (wherever you keep kadm5.keytab, which might be named in kdc.conf):
    klist -ket kadm5.keytab
    kinit -kt kadm5.keytab kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
    klist -fean
    kadmin.local
    getprinc kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
    ?? getprinc kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
    getprinc scotty@SCOTTIE.COMPANY.COM
    getprinc scotty/admin@SCOTTIE.COMPANY.COM

    the ping proves dns & network routing work; check the ip address.
    the 1st 2 kinit's prove you can authenticate.
    the kvno proves you can get a service ticket
    The kdc kinit proves that you have a working keytab on that
    machine. Note various etypes & kvno's in output: make sure they're
    consistent.

    If you can't get the kinit commands to work, you can look
    at the actual network traffic to see what is really going on.
    Check out
    http://lists.openafs.org/pipermail/o...ch/021789.html
    You may also be able to use ethereal, see http://www.ethereal.com/
    a solaris 9 package might be here:
    http://www.sunfreeware.com/programlistintel9.html

    -Marcus Watts
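
Added example (not part of the original post, and not code from MIT or Solaris Kerberos): a small triage script for the two krb5kdc lines quoted in this thread. It splits each request into client principal, service principal and status, so the outcome per principal and the kadmin host named in each request can be compared side by side. The regular expression assumes the kdc.log layout shown in the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# The two krb5kdc lines quoted earlier in this thread, copied as posted.
SAMPLE_LOG = """\
Feb 10 13:12:18 scotty krb5kdc[17623](info): AS_REQ 192.168.1.12(88): ISSUE: authtime 1171120338, scotty@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.company.com@SCOTTIE.COMPANY.COM
Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed
"""

# Assumed layout: timestamp, host, krb5kdc[pid](level), request type,
# client address(port), status, optional authtime, "<client> for <service>",
# optional ", <reason>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+krb5kdc\[\d+\]\(\w+\):\s+"
    r"(?P<req>AS_REQ|TGS_REQ)\s+(?P<addr>[\d.]+)\(\d+\):\s+"
    r"(?P<status>[A-Z_]+):\s+"
    r"(?:authtime\s+(?P<authtime>\d+),\s+)?"
    r"(?P<client>\S+)\s+for\s+(?P<service>[^,\s]+)"
    r"(?:,\s+(?P<reason>.*))?$"
)


def parse_line(line):
    """Return the fields of one krb5kdc request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_principal(name):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    rest, _, realm = name.rpartition("@")
    if not rest:  # no '@' in the name: everything is the name part
        rest, realm = realm, ""
    primary, _, instance = rest.partition("/")
    return primary, instance, realm


def triage(log_text):
    """Group request outcomes by client principal and collect notes worth a look."""
    outcomes = defaultdict(list)  # client principal -> statuses seen, in order
    service_hosts = set()         # instance part of each requested service
    notes = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        outcomes[rec["client"]].append(rec["status"])
        service_hosts.add(split_principal(rec["service"])[1])
        if rec["status"] != "ISSUE":
            notes.append(f"{rec['ts']} {rec['req']} {rec['status']} for {rec['client']}")

    succeeded = {c for c, s in outcomes.items() if "ISSUE" in s}
    failed = {c for c, s in outcomes.items() if any(x != "ISSUE" for x in s)}
    for client in sorted(failed - succeeded):
        primary = split_principal(client)[0]
        siblings = sorted(c for c in succeeded if split_principal(c)[0] == primary)
        if siblings:
            # scotty and scotty/admin are distinct database entries with their own keys.
            notes.append(f"{client} never succeeded, but {', '.join(siblings)} did: "
                         "these are separate principals with separate keys")
    if len(service_hosts) > 1:
        notes.append("requests name more than one kadmin host: "
                     + ", ".join(sorted(service_hosts)))
    return dict(outcomes), service_hosts, notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG)[2]:
        print(note)
```
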


  10. Re: kadmin problem

    Hi Marcus,

    It seems that I can't even kinit over scotty

    bash-2.05# kinit scotty
    Password for scotty@SCOTTIE.COMPANY.COM:
    kinit: Preauthentication failed while getting initial credentials

    same error as that of kadmin

    How can I turn off REQUIRES_PRE_AUTH on the principal?

    Thanks,
    Scotty




  11. Re: kadmin problem

    scotty adams writes:
    > Hi Marcus,
    >
    > it seems that i can't even kinit over scotty
    >
    > bash-2.05# kinit scotty
    > Password for scotty@SCOTTIE.COMPANY.COM:
    > kinit: Preauthentication failed while getting initial credentials
    >
    > same error as that of kadmin
    >
    > How can i turn off REQUIRES_PRE_AUTH on the principal?
    >
    > Thanks,
    > Scotty


    Good. Now you have a much simpler problem to solve.

    Since you don't yet have kadmin working, you'll need
    to use kadmin.local. When run (as root) on the kdc
    (with the right configuration) it will access the database
    directly and does not need any credentials. So,

    (on the kdc):
    kadmin.local
    -- to set the bit,
    modprinc +requires_preauth
    -- to clear the bit,
    modprinc -requires_preauth
    -- to see the bit
    getprinc
    -- to see what else you can set
    modprinc
    -- to see what else you can do
    lr

    You should also have a large pile of kerberos 5 documentation
    that explains this and much much more. If you haven't got
    this, you really should dig it up. If you have got it, but
    it doesn't explain things like this adequately, you should let
    your vendor know where and how the documentation can be improved.

    -Marcus Watts


  12. Re: kadmin problem

    Hi,

    After I modified the principal using modprinc -requires_preauth

    kinit scotty
    kinit: Password incorrect

    Why!!!





  13. Re: kadmin problem

    scotty adams writes:
    > hi,
    >
    > after i modified the principal using modprinc -requires_preauth
    >
    > kinit scotty
    > kinit: Password incorrect
    >
    > Why!!!


    I don't know. Could be lots and lots of things. For instance:
    /1/ password *is* incorrect.
    /2/ operator error -- caps lock, leading or
    trailing space, non-ascii character, etc.
    /3/ replication problem.
    /4/ software or hardware glitch on kdc
    /5/ software or hardware glitch on client
    /6/ invalid kdc configuration or other operator error on kdc.
    /7/ dns returns wrong server.
    First thing I'd try is cpw. If cpw can be used to set a password
    that then works, that eliminates many of these cases.

    Check also replication (if you have a slave site), logs, configuration, etc.

    If cpw doesn't work, then you're likely going to have to resort to gdb,
    strace, tcpdump, or ddb, truss, snoop, like various people have
    stated in previous messages.

    -Marcus


  14. Re: kadmin problem

    Hi Marcus,

    When I use



    Then try to kinit
    it prompts incorrect password
    then I should change the password so that it works, but I guess upon changing the password
    the princ is being modified again... thus I guess that the
    -requires_preauth isn't set anymore...
    Can you please advise me how to make this work, since kdc.log is still showing Preauthentication failed?

    Thanks,
    Scotty






  15. Re: kadmin problem

    > Hi Marcus,
    >
    > When i use
    >
    >
    >
    > Then try to kinit
    > it prompts incorrect password
    > then i should change the password so that it works, but i guess upon changing the password
    > the princ is being modified again... thus i guess that the
    > -requires_preauth isnt set anymore...
    > Can you please advise me how to make this work since kdc.log is still showing Preauthentication failed
    >
    > Thanks,
    > Scotty


    cpw should not change REQUIRES_PRE_AUTH .

    When you do "getprinc", is that bit set?

    If it is, you should figure out what's happening between modprinc and
    the database. modprinc should be able to turn that bit off. If you
    can't get modprinc to turn that bit off, then your copy of kadmin.local
    is doing odd stuff. It might be gdb time, if you have source to
    whatever you're running.

    If it's not set, and you still get "preauthentication failed" in the
    log, then perhaps your kdc & your kadmin.local aren't seeing the same
    database. This would be hard to do, but not impossible; you can use
    "lsof" on your running kdc & kadmin.local to see what they're each
    looking at. You might try restarting things if they're looking at
    different stuff. Another possibility is that your kinit binary is
    trying to initiate preauth. This can be best diagnosed by analyzing
    the packet traffic; see previous mail for how to do that. Otherwise
    your kdc has very odd ideas about what to do with what's in the
    database. It might be gdb time, if you have source to whatever you're
    running. Knowing what's in the packet traffic will help focus your
    gdb efforts; you'll want to pay particular attention to the padata
    elements.

    Two other things you could try:

    Pick an unused principal name, do "ank -randkey " followed
    by "cpw ". That should create a principal that does not
    have REQUIRES_PRE_AUTH set, even if your kdc.conf requires that preauth
    be turned on.

    Edit ... kdc.conf and see if there are lines that read
    "default_principal_flags = +preauth" or some such. If you see these,
    comment them out, stop & start all k5 services, & retry what you did.

    -Marcus Watts


  16. Re: kadmin problem

    Hi Marcus,

    My getprinc for HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM

    kadmin.local: getprinc HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTY.COMPANY.COM
    Principal: HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
    Expiration date: [never]
    Last password change: Sun Feb 18 10:00:03 GMT 2007
    Password expiration date: [none]
    Maximum ticket life: 24855 days 03:14:07
    Maximum renewable life: 24855 days 03:14:07
    Last modified: Sun Feb 18 10:00:03 GMT 2007 (HTTP/admin@BEIRUT.NAVLINK.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 6, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]

    So can you please tell me where to find whether preauth has been turned off?

    Thanks,
    Scotty




  17. Re: kadmin problem

    > Hi marcus,
    >
    > My getprinc for HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
    >
    > kadmin.local: getprinc HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTY.COMPANY.COM
    > Principal: HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
    > Expiration date: [never]
    > Last password change: Sun Feb 18 10:00:03 GMT 2007
    > Password expiration date: [none]
    > Maximum ticket life: 24855 days 03:14:07
    > Maximum renewable life: 24855 days 03:14:07
    > Last modified: Sun Feb 18 10:00:03 GMT 2007 (HTTP/admin@BEIRUT.NAVLINK.COM)
    > Last successful authentication: [never]
    > Last failed authentication: [never]
    > Failed password attempts: 0
    > Number of keys: 1
    > Key: vno 6, DES cbc mode with CRC-32, no salt
    > Attributes:
    > Policy: [none]
    >
    > So can you please tell me where to find whether preauth has been turned off?


    Your principal does NOT show "Attributes: REQUIRES_PRE_AUTH", so the
    preauth bit is not turned on.


  18. Re: kadmin problem

    Scotty & Dan wrote:
    ....
    > > Hi marcus,
    > >
    > > My getprinc for HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
    > >
    > > kadmin.local: getprinc HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTY.COMPANY.COM
    > > Principal: HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
    > > Expiration date: [never]
    > > Last password change: Sun Feb 18 10:00:03 GMT 2007
    > > Password expiration date: [none]
    > > Maximum ticket life: 24855 days 03:14:07
    > > Maximum renewable life: 24855 days 03:14:07
    > > Last modified: Sun Feb 18 10:00:03 GMT 2007 (HTTP/admin@BEIRUT.NAVLINK.COM)
    > > Last successful authentication: [never]
    > > Last failed authentication: [never]
    > > Failed password attempts: 0
    > > Number of keys: 1
    > > Key: vno 6, DES cbc mode with CRC-32, no salt
    > > Attributes:
    > > Policy: [none]
    > >
    > > So can you please tell me where to find whether preauth has been turned off?

    >
    > Your principal does NOT show "Attributes: REQUIRES_PRE_AUTH", so the
    > preauth bit is not turned on.
    >


    Yup. On the other hand, it shows 2 realms: SCOTTY.COMPANY.COM
    and BEIRUT.NAVLINK.COM . If this isn't intentional, you
    may want to make this not be true. Once you've resolved that,
    if that doesn't fix the "preauth failed" problem you should proceed
    as I described previously. Also, your principal name has mixed
    case in it. That won't cause problems directly, but I don't
    know if you have something that depends on being able to create
    such names. So beware: for much of kerberos, uc != lc.

    -Marcus Watts
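
Added example (not part of the thread, and not code from MIT or Solaris Kerberos): a small parser for the getprinc output posted above. It reports whether REQUIRES_PRE_AUTH appears under Attributes, lists every realm that occurs in the record, and flags a mixed-case principal name, the things the last two replies read off by eye. The field labels are taken from that output; the function names are this example's own.

```python
import re

# getprinc output as posted earlier in this thread.
SAMPLE = """\
kadmin.local: getprinc HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTY.COMPANY.COM
Principal: HTTP/scotty.SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
Expiration date: [never]
Last password change: Sun Feb 18 10:00:03 GMT 2007
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Sun Feb 18 10:00:03 GMT 2007 (HTTP/admin@BEIRUT.NAVLINK.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 6, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

PROMPT_RE = re.compile(r"^kadmin(?:\.local)?:\s+getprinc\s+(\S+)")


def parse_getprinc(text):
    """Turn getprinc output into {'queried', 'fields', 'keys'}."""
    info = {"queried": None, "fields": {}, "keys": []}
    for line in text.splitlines():
        line = line.strip()
        m = PROMPT_RE.match(line)
        if m:  # the command line itself: remember what was asked for
            info["queried"] = m.group(1)
            continue
        label, sep, value = line.partition(":")
        if not sep:
            continue
        if label == "Key":  # one line per key, so collect them in a list
            info["keys"].append(value.strip())
        else:
            info["fields"][label] = value.strip()
    return info


def realm_of(principal):
    """Return the part after the last '@', or '' when there is none."""
    return principal.rpartition("@")[2] if "@" in principal else ""


def review(info):
    """Summarise the preauth flag, the realms seen and the case of the name."""
    fields = info["fields"]
    attrs = fields.get("Attributes", "").split()
    stored = fields.get("Principal", "")
    # The modifying principal is printed in parentheses after the timestamp.
    m = re.search(r"\(([^()]+)\)\s*$", fields.get("Last modified", ""))
    modifier = m.group(1) if m else ""
    realms = {
        "queried": realm_of(info["queried"] or ""),
        "stored": realm_of(stored),
        "modified_by": realm_of(modifier),
    }
    name = stored.rpartition("@")[0] or stored
    return {
        "requires_preauth": "REQUIRES_PRE_AUTH" in attrs,
        "attributes": attrs,
        "realms": realms,
        "distinct_realms": sorted({r for r in realms.values() if r}),
        "mixed_case_name": name != name.lower() and name != name.upper(),
        "key_count": len(info["keys"]),
    }


if __name__ == "__main__":
    for key, value in review(parse_getprinc(SAMPLE)).items():
        print(f"{key}: {value}")
```
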