[24428] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Problem with libkadm5clnt.so after upgrade to 1.4.1

daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Aug 8 15:10:31 2005

To: Utente amministrativo <admin@betty.dei.unipd.it>
From: Tom Yu <tlyu@mit.edu>
Date: Mon, 08 Aug 2005 15:09:37 -0400
In-Reply-To: <20050802113308.GA26818@betty.dei.unipd.it> (Utente
 amministrativo's message of "Tue, 2 Aug 2005 13:33:08 +0200")
Message-ID: <ldv3bpki6tq.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

>>>>> "admin" == Utente amministrativo <admin@betty.dei.unipd.it> writes:

admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1 
admin> my scripts for users creation/change don't work anymore.
admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin 
admin> for remote management on the kerberos and LDAP db.
admin> As user/admin@REALM I am used to do only
admin> 'kinit user/admin@REALM' 
admin> to grant me LDAP and KERBEROS admin access.
admin> All scripts then use the KRB5CCNAME file.
admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
admin> refuse to try to use existing krbtgt/REALM@REALM to get the mandatory 
admin> kadmin/krbserver.domain@REALM service ticket.

Could you please quote the exact error you get?

admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
admin> then I can't use that service ticket to access LDAP.

I believe that using "kinit -s kadmin/admin user/admin" is the only
way that's documented to work.  

admin> Replacing libkadm5clnt.so with previuos 1.4 version fixes it
admin> and after a run of init_with_creds my cache file correctly contains:
admin> 08/02/05 12:56:20  08/03/05 12:56:20  krbtgt/REALM@REALM
admin> 08/02/05 12:56:28  08/03/05 12:56:20  kadmin/krbserver.domain@REALM
admin> 08/02/05 12:56:28  08/03/05 12:56:20  ldap/krbserver.domain@REALM

Your ability to get a kadmin/krbserver.domain@REALM ticket using a TGT
indicates that your kadmin/krbserver.domain principal doesn't have the
DISALLOW_TGT_BASED flag set, which should typically be the case for
kadmin-related principals.

---Tom
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post