[36672] in Kerberos


Problems when using kadmin instead of kadmin.local

daemon@ATHENA.MIT.EDU (Marc Richter)
Tue Dec 16 04:16:06 2014

Message-ID: <548FF83C.4030604@marc-richter.info>
Date: Tue, 16 Dec 2014 10:15:40 +0100
From: Marc Richter <mail@marc-richter.info>
MIME-Version: 1.0
To: kerberos@mit.edu

Hi everyone,

I'm just starting to use MIT KRB by working through this book: 
http://www.kerberos-buch.de/

I launched two virtual machines on my host to test setting up Kerberos 
before installing and using it on the production machine. The machines 
both are installed with Debian GNU/Linux 7.7 (wheezy), which comes with 
Kerberos 1.10.1(+dfsg-5+deb7u2).
The machine dedicated to becoming the KDC uses IP 10.0.2.50 and has 
the DNS name deb-krb.example.com assigned (in /etc/hosts of all VMs).
The machine dedicated to being a KRB client uses IP 10.0.2.51 and has 
the DNS name deb-cl1.example.com assigned.

There is no firewall involved on any machine; a port scan using nmap 
from the client to the KDC shows that all necessary ports are open:

root@deb-cl1:~# nmap deb-krb

Starting Nmap 6.00 ( http://nmap.org ) at 2014-12-16 09:26 CET
Nmap scan report for deb-krb (10.0.2.50)
Host is up (0.00014s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
88/tcp  open  kerberos-sec
111/tcp open  rpcbind
389/tcp open  ldap
464/tcp open  kpasswd5
636/tcp open  ldapssl
749/tcp open  kerberos-adm
MAC Address: 08:00:27:84:40:71 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
root@deb-cl1:~#

When I try to issue a ticket from the client, this works:

root@deb-cl1:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@deb-cl1:~# kinit
user/admin@EXAMPLE.COM
Password for user/admin@EXAMPLE.COM:
root@deb-cl1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user/admin@EXAMPLE.COM

Valid starting    Expires           Service principal
16/12/2014 09:31  16/12/2014 19:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
         renew until 17/12/2014 09:31
root@deb-cl1:~#

When I try to use kadmin.local on the KDC, everything is OK, no matter 
what I'm trying, it works. Here is an example:

root@deb-krb:/etc# kadmin.local -m -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin@EXAMPLE.COM with password.
Enter KDC database master key:
kadmin.local:  get_policy admin
Policy: admin
Maximum password life: 3153600000
Minimum password life: 864000
Minimum password length: 12
Minimum number of password character classes: 3
Number of old keys kept: 10
Reference count: 0
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin.local:  quit
root@deb-krb:/etc#

When I try to use kadmin on the KDC or the client, I get strange errors:

root@deb-krb:/etc# kadmin -m -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin@EXAMPLE.COM with password.
Password for user/admin@EXAMPLE.COM:
kadmin:  get_policy admin
get_policy: Communication failure with server while retrieving policy 
"admin".
kadmin:  addpol -maxlife 36500days -minlife 10days -minlength 8 
-minclasses 3 -history 10 default
add_policy: Communication failure with server while creating policy 
"default".
kadmin:  quit
root@deb-krb:/etc#

In /etc/krb5kdc/kadm5.acl, */admin@EXAMPLE.COM is set as full 
administration mask:

*/admin                 *
krbadm@EXAMPLE.COM      *
*/admin@EXAMPLE.COM     *
*/*@EXAMPLE.COM         i
*@EXAMPLE.COM           i

admin_server - Logfile contains the following on this:

Dec 16 10:14:06 deb-krb kadmind[3058](Notice): Request: kadm5_init, 
user/admin@EXAMPLE.COM, success, client=user/admin@EXAMPLE.COM, 
service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50, vers=3, flavor=6
Dec 16 10:14:12 deb-krb kadmind[3058](Notice): Request: 
kadm5_get_policy, admin, success, client=user/admin@EXAMPLE.COM, 
service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50
Dec 16 10:14:12 deb-krb kadmind[3058](Error): WARNING! Unable to send 
function results, continuing.

I do not want to make this mail longer than needed - so please find the 
following files as attachments instead of inline text:

/etc/krb5.conf
/etc/krb5kdc/kdc.conf

Does anyone have an idea why an administrative principal cannot issue 
those commands using kadmin?

Thanks for your help in advance!

Best regards,
Marc
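An added example, not part of Marc's post: a small Python script that pairs each kadmind "Unable to send function results" error with the preceding Request line from the same kadmind PID, run over constructed log lines modelled on the entries quoted above. It makes visible that the server side had already executed the request (status "success") when kadmin reported "Communication failure with server", which is worth checking before retrying a write operation such as addpol.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the kadmind entries quoted in the
# post (one entry per line, not copied from a real system).
SAMPLE_LOG = """\
Dec 16 10:14:06 deb-krb kadmind[3058](Notice): Request: kadm5_init, user/admin@EXAMPLE.COM, success, client=user/admin@EXAMPLE.COM, service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50, vers=3, flavor=6
Dec 16 10:14:12 deb-krb kadmind[3058](Notice): Request: kadm5_get_policy, admin, success, client=user/admin@EXAMPLE.COM, service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50
Dec 16 10:14:12 deb-krb kadmind[3058](Error): WARNING! Unable to send function results, continuing.
Dec 16 10:20:01 deb-krb kadmind[3058](Notice): Request: kadm5_get_principal, user/admin@EXAMPLE.COM, success, client=user/admin@EXAMPLE.COM, service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.51
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
REQUEST_RE = re.compile(
    TS + r" \S+ kadmind\[(?P<pid>\d+)\]\(Notice\): Request: (?P<op>\w+), "
    r"(?P<target>[^,]*), (?P<status>[^,]*), client=(?P<client>[^,]+), "
    r"service=(?P<service>[^,]+), addr=(?P<addr>[\d.]+)"
)
SEND_FAIL_RE = re.compile(
    TS + r" \S+ kadmind\[(?P<pid>\d+)\]\(Error\): "
    r"WARNING! Unable to send function results"
)


def find_unreturned_results(log_text: str) -> List[Dict[str, str]]:
    """For every 'Unable to send function results' error, report the most
    recent Request handled by the same kadmind process.  That request was
    executed server-side; only the reply failed to reach kadmin, which the
    client shows as 'Communication failure with server'."""
    last_request: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            last_request[m.group("pid")] = m.groupdict()
            continue
        m = SEND_FAIL_RE.match(line)
        if m:
            req = last_request.get(m.group("pid"), {})
            findings.append({
                "error_ts": m.group("ts"),
                "op": req.get("op", "unknown"),
                "target": req.get("target", "unknown"),
                "client": req.get("client", "unknown"),
                "addr": req.get("addr", "unknown"),
                "server_status": req.get("status", "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in find_unreturned_results(SAMPLE_LOG):
        print(f"{f['error_ts']}: {f['op']}({f['target']}) for {f['client']} "
              f"from {f['addr']} finished with status '{f['server_status']}' "
              f"but the reply was not delivered to the client")
```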
