kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'
bohongdxl@gmail.com
Sun Jun 11 15:27:51 EDT 2006
Thanks,
The configuration files are as follows: (I have replaced my real
realm with 'MY.REALM.COM', and my real domain with 'realm.com').
thanks.
krb5.conf
---------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.REALM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MY.REALM.COM = {
kdc = MY.REALM.COM:88
admin_server = MY.REALM.COM:749
default_domain = realm.com
}
[domain_realm]
.realm.com = MY.REALM.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
---------------------------------------
kdc.conf
---------------------------------------
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
[realms]
MY.REALM.COM = {
#master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
---------------------------------------
kadm5.acl has just one line
---------------------------------------
*/admin at MY.REALM.COM *
---------------------------------------
Sensei wrote:
> On 2006-06-11 04:27:25 +0200, bohongdxl at gmail.com said:
>
> > Hello,
> >
> > I tried to install Kerberos on my small systems and have got
> > limited success.
> >
> > krb5kdc and kadmind are installed on an Intel Xeon box running
> > 64-bit Fedora Core 5. Firewall is enabled on this machine, with ports 88
> > and 749 accepting incoming packets. DNS is also working properly.
> >
> > kdc5.conf
>
> So, I suppose you have enabled TCP/UDP ports.
>
> > On this computer, when I use kadmin.local to add/delete/modify the
> > principals, everything works fine. When I use kadmin, I can pass the
> > authentication and run some of the commands but 'cpw' will fail. Here
> > is what I got: (mara is the computer)
>
> kadmin.local is somewhat different from the others: you want your users
> to change their passwords, and possibly use kadmin on any client just
> for system administration without involving a root login.
>
> > [root at mara myusr]# kinit admin/admin
> > Password for admin/admin at MY.REALM.COM: <password typed>
> > [root at mara myusr]# klist
> > Ticket cache: FILE:/tmp/krb5cc_500_bYyQI13791
> > Default principal: admin/admin at MY.REALM.COM
> >
> > Valid starting Expires Service principal
> > 06/10/06 21:38:30 06/11/06 21:38:30 krbtgt/MY.REALM.COM at MY.REALM.COM
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
>
> Good for you.
>
> > [root at mara myusr]# kadmin
> > Authenticating as principal admin/admin at MY.REALM.COM with password.
> > Password for admin/admin at MY.REALM.COM: <password typed>
> > kadmin: list_principals
> > K/M at MY.REALM.COM
> > admin/admin at MY.REALM.COM
> > myusr at MY.REALM.COM
> > kadmin/admin at MY.REALM.COM
> > kadmin/changepw at MY.REALM.COM
> > kadmin/history at MY.REALM.COM
> > kadmin/MY.REALM.COM at MY.REALM.COM
> > krbtgt/MY.REALM.COM at MY.REALM.COM
> > kadmin: cpw myusr
> > Enter password for principal "myusr":
> > Re-enter password for principal "myusr":
> > change_password: Unknown code kdb5 21 while changing password for
> > "myusr at MY.REALM.COM".
> > kadmin: exit
> > [root at mara myusr]#
>
> Bad for you.
>
> > When I do the same list of commands (kinit, klist, kadmin - cpw) from a
> > remote machine, the same 'Unknown code kdb5 21' happens.
> >
> > What's more interesting is that kerberos itself is doing authentication
> > properly. I set up the sshd on the computer 'mara' to use kerberos, and
> > I can ssh into 'mara' as 'myusr' using its kerberos password.
> >
> > Can anyone give me an insight?
>
> Well, you gave us just the very beginning of the needed information.
> For a complete diagnosis, post your
>
> krb5.conf
> kdc.conf
> kadm5.acl
>
> > [myusr at mara ~]$ kinit myusr
> > Password for myusr at MY.REALM.COM:
> > [myusr at mara ~]$ kpasswd
> > Password for myusr at MY.REALM.COM:
> > Enter new password:
> > Enter it again:
> > Server error: Password not changed.
> > Insufficient access to lock database while trying to change password.
> >
> > [myusr at mara ~]$
> > ==============================================
> >
> > Interestingly, when I do kpasswd from a remote machine, I don't get the
> > 'Insufficient access' error. Instead, I got a different error:
> > "kpasswd: Connection timed out changing password"
> >
> > In any case, if a user cannot execute kpasswd, it's almost impractical
> > to use kerberos.
> >
> > I tend to believe that something is wrong with my kerberos setup. It's
> > strange because I followed the introduction in
> > www.linux.com/howtos/Kerberos-Infrastructure-HOWTO/index.shtml. Besides,
> > I can already run ssh with kerberos authentication.
> >
> > Any insight would be greatly appreciated. thanks in advance.
>
> Check the ACLs, and post the configuration files for your realm.
>
> --
> Sensei <senseiwa at mac.com>
>
> The optimist thinks this is the best of all possible worlds.
> The pessimist fears it is true. [J. Robert Oppenheimer]
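As an added illustration (not part of this thread, nor MIT Kerberos' own code), here is a small evaluator for kadm5.acl semantics that can be run against the ACL posted above to confirm what it grants: `*/admin@MY.REALM.COM *` gives admin/admin every right, including change-password ('c'), while a plain principal such as myusr gets no rights from the ACL at all. It assumes MIT's documented rules (`*` matches one whole name component, an uppercase letter denies the corresponding right, the first matching entry decides); the helpdesk and auditor lines are constructed, and the archive prints "@" as " at ".

```python
# Constructed kadm5.acl: the first entry is the thread's single line (the
# archive shows "@" as " at "); the other two are constructed for illustration.
ACL_TEXT = """\
# principal               perms   [target]
*/admin@MY.REALM.COM      *
helpdesk@MY.REALM.COM     ci      *@MY.REALM.COM
auditor@MY.REALM.COM      il
"""
ALL_PERMS = set("admcilspx")   # "x" and "*" expand to all of these

def parse_acl(text):
    """Return (principal_pattern, allowed_perms, target_pattern_or_None) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        allow, deny = set(), set()
        for ch in fields[1]:
            if ch in "*x":
                allow |= ALL_PERMS
            elif ch.lower() in ALL_PERMS:     # uppercase letter = deny
                (deny if ch.isupper() else allow).add(ch.lower())
            else:
                raise ValueError(f"unknown permission {ch!r} in {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], allow - deny, target))
    return entries

def principal_matches(pattern, principal):
    """'*' matches one whole name component (or the realm); counts must agree."""
    pname, _, prealm = pattern.partition("@")
    nname, _, nrealm = principal.partition("@")
    pparts, nparts = pname.split("/"), nname.split("/")
    if len(pparts) != len(nparts) or prealm not in ("*", nrealm):
        return False
    return all(p in ("*", n) for p, n in zip(pparts, nparts))

def is_allowed(entries, caller, perm, target=None):
    """First entry matching caller (and target, if it names one) decides."""
    for pattern, allow, tpattern in entries:
        if not principal_matches(pattern, caller):
            continue
        if tpattern and not (target and principal_matches(tpattern, target)):
            continue
        return perm in allow
    return False                 # no matching entry: kadmind denies
```

Note that the target pattern `*@MY.REALM.COM` has one name component, so it never matches a two-component principal such as admin/admin; that is how the constructed helpdesk entry keeps helpdesk from resetting admin passwords.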