Re: Problem with libkadm5clnt.so after upgrade to 1.4.1
daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Aug 8 15:10:31 2005
To: Utente amministrativo <admin@betty.dei.unipd.it>
From: Tom Yu <tlyu@mit.edu>
Date: Mon, 08 Aug 2005 15:09:37 -0400
In-Reply-To: <20050802113308.GA26818@betty.dei.unipd.it> (Utente
amministrativo's message of "Tue, 2 Aug 2005 13:33:08 +0200")
Message-ID: <ldv3bpki6tq.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
>>>>> "admin" == Utente amministrativo <admin@betty.dei.unipd.it> writes:
admin> we use LDAP+KERBEROS and after upgrading from 1.4 to 1.4.1
admin> my scripts for users creation/change don't work anymore.
admin> They are based on 'kadmin' utility or perl module Authen::Krb5::Admin
admin> for remote management on the kerberos and LDAP db.
admin> As user/admin@REALM I am used to do only
admin> 'kinit user/admin@REALM'
admin> to grant me LDAP and KERBEROS admin access.
admin> All scripts then use the KRB5CCNAME file.
admin> Symptoms are that 'kadmin -c $KRB5CCNAME -q ...' or Authen::Krb5::Admin->init_with_creds
admin> refuse to try to use existing krbtgt/REALM@REALM to get the mandatory
admin> kadmin/krbserver.domain@REALM service ticket.
Could you please quote the exact error you get?
admin> If I do a 'kinit -s kadmin/admin user/admin' it works but
admin> then I can't use that service ticket to access LDAP.
I believe that using "kinit -s kadmin/admin user/admin" is the only
way that's documented to work.
admin> Replacing libkadm5clnt.so with previous 1.4 version fixes it
admin> and after a run of init_with_creds my cache file correctly contains:
admin> 08/02/05 12:56:20 08/03/05 12:56:20 krbtgt/REALM@REALM
admin> 08/02/05 12:56:28 08/03/05 12:56:20 kadmin/krbserver.domain@REALM
admin> 08/02/05 12:56:28 08/03/05 12:56:20 ldap/krbserver.domain@REALM
Your ability to get a kadmin/krbserver.domain@REALM ticket using a TGT
indicates that your kadmin/krbserver.domain principal doesn't have the
DISALLOW_TGT_BASED flag set, which should typically be the case for
kadmin-related principals.
---Tom
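Tom's last point is that whether a TGT can be used to obtain a ticket for a kadmin service principal depends on that principal's DISALLOW_TGT_BASED attribute. The following is an added example (not part of the thread and not MIT Kerberos code) that reads the text output of `kadmin getprinc` and reports whether that attribute is set, so an administrator can verify the flag on their own kadmin/krbserver principal. The two principal dumps are constructed samples modelled on the kadmin output format; the live invocation in the trailing comment assumes the caller already holds admin credentials in KRB5CCNAME.

```shell
#!/bin/sh
# Added example: inspect `kadmin getprinc` output for DISALLOW_TGT_BASED.
# The principal dumps below are constructed samples, not real output.

# Constructed sample: a kadmin/krbserver.domain@REALM principal as described in
# the thread (TGT-based service tickets allowed; no DISALLOW_TGT_BASED flag).
SAMPLE_KRBSERVER='Principal: kadmin/krbserver.domain@REALM
Expiration date: [never]
Last password change: Mon Aug 01 10:00:00 EDT 2005
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# Constructed sample: a principal that does carry DISALLOW_TGT_BASED, which is
# why "kinit -s kadmin/admin user/admin" is the documented path for it.
SAMPLE_ADMIN='Principal: kadmin/admin@REALM
Expiration date: [never]
Attributes: DISALLOW_TGT_BASED REQUIRES_PRE_AUTH
Policy: [none]'

# has_attribute DUMP ATTR -> exit status 0 if the "Attributes:" line lists ATTR.
# Attributes are space separated on one line, so split them and match whole words.
has_attribute() {
    printf '%s\n' "$1" \
      | sed -n 's/^Attributes:[[:space:]]*//p' \
      | tr ' ' '\n' \
      | grep -qx "$2"
}

# tgt_based_allowed DUMP -> prints "yes" if a TGT may be used to obtain a
# service ticket for this principal, "no" if DISALLOW_TGT_BASED is set.
tgt_based_allowed() {
    if has_attribute "$1" DISALLOW_TGT_BASED; then
        echo no
    else
        echo yes
    fi
}

# Live use (assumed invocation; requires kadmin and admin credentials in the cache):
#   tgt_based_allowed "$(kadmin -c "$KRB5CCNAME" -q 'getprinc kadmin/krbserver.domain@REALM')"
```

If the function prints "no" for the kadmin service principal, a TGT in the credential cache will not be accepted for it and the `kinit -s kadmin/admin` route is the one to use; if it prints "yes", the client library, not the KDC's flag, is what decides whether the existing TGT gets used.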
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos