[1997] in Kerberos-V5-bugs
Re: Kerberos v5b6 problems
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Jun 12 19:46:47 1996
To: Paul Weber <weber@anise.ee.cornell.edu>
Cc: Sam Hartman <hartmans@MIT.EDU>, krb5-bugs@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 12 Jun 1996 19:46:29 -0400
In-Reply-To: Paul Weber's message of Wed, 12 Jun 1996 15:48:06 -0400
>>>>> "Paul" == Paul Weber <weber@anise.ee.cornell.edu> writes:
Paul> Sam Hartman wrote:
>>
Paul> thor(37) > rlogin thor
Paul> thor.ee.cornell.edu: Connection refused
Paul> rlogin: kcmd to host thor failed - Unknown code ____ 255
Paul> trying normal rlogin (/usr/ucb/rlogin)
Paul> Last login: Tue Jun 11 14:02:22 from THOR.EE.CORNELL.
Paul> SunOS Release 4.1.4 (GENERIC) #1: Thu Mar 14 09:50:59 EST 1996
>>
>> Well, what services did you enable in /etc/inetd.conf, and did
>> inetd give errors about them? When you telnet to the klogin and
>> eklogin ports on your machine, what happens?
Paul> No errors inetd
You actually installed things correctly, but you didn't use
the rlogin command correctly. Basically, you only enabled encrypted
rlogin. By default, the rlogin (and rsh) clients do not use
encryption. You need to include the -x option to get this to work.
For example:
        /krb5/bin/rlogin thor -x
See below about /etc/v5srvtab if that doesn't work.
Paul> I added klogin and now I get this when I try to rlogin :
Paul> ./appl/bsd/rlogin
Paul> JVdL^/ZME@SgUR^*0&6vl}
Paul> !KZItK.ls1a =66~7(c,gb @W?"}/S[%pN0f/i*
Paul> ]Ka>!&alVyS\AConnection closed.
That looks distinctly like you used the -e flag on the klogin
line. As discussed in the install documentation, the klogind
determines whether it should use encryption based on its command
line. If you run an encrypting klogind (a klogind with the -e option)
on the unencrypted klogin port (klogin instead of eklogin), you will
get similarly garbled results.
Paul> rsh output :
Paul> thor(24) > rsh thor ls -l /
Again, your life should be happy if you add the -x option.
        ./rsh thor -x ls -l
Paul> telnet info:
Paul> zombie(260) > telnet thor 2105
Paul> Trying 128.84.224.30 ...
Paul> Connected to thor.ee.cornell.edu.
Paul> Escape character is '^]'.
Paul> Connection closed by foreign host.
Paul> zombie(263) > telnet thor 543
Paul> Trying 128.84.224.30 ...
Paul> Connected to thor.ee.cornell.edu.
Paul> Escape character is '^]'.
Paul> Connection closed by foreign host.
This is all good.
Paul> Also, when I run the sclient and sserver program I get the
Paul> following:
Paul> thor(12) # sclient thor 906
Paul> sendauth rejected, error reply is: " Key table entry not found"
>>
Paul> Any ideas?
>>
>> This error indicates that the sample principal is not in the
>> appropriate keytab. How did you create /etc/v5srvtab, and did you
>> include the sample service in it?
Paul> Here are the entries in my database:
Paul> kdb5_edit: ldb
Paul> entry: sample/thor.ee.cornell.edu@EE.CORNELL.EDU
Paul> entry: host/thor.ee.cornell.edu@EE.CORNELL.EDU
Paul> entry: krbtgt/EE.CORNELL.EDU@EE.CORNELL.EDU
Paul> entry: weber@EE.CORNELL.EDU
Paul> entry: root@EE.CORNELL.EDU
Paul> entry: K/M@EE.CORNELL.EDU
It is generally not a good idea to have a root Kerberos
principal. Instead, most sites would create weber/root, and add this
principal to /.k5login on all machines. This is a policy issue, but
in general you get better authorization and auditing if you have
several root principals for everyone who needs root.
Paul> I made the V5srctab file by doing the following:
Paul> thor(29) > kdb5_edit
Paul> kdb5_edit: xst thor.ee.cornell.edu sample
Paul> 'sample/thor.ee.cornell.edu@EE.CORNELL.EDU' added to keytab
Paul> 'WRFILE:thor.ee.cornell.edu-new-srvtab'
Unfortunately, this does not include the host key. Instead,
you probably wanted
        kdb5_edit: xst thor.ee.cornell.edu host sample
Without the host key in /etc/v5srvtab, rlogin, rsh and ftp
should all fail.
Also, remember to disable the sample server once you get
things running.
>>
Paul> OK, I was missing the krb5._adm.acl file. It works now. I will be glad when we have
Paul> better install docs, it would sure help some.
Yes that would be nice. For the last year, we have been
concentrating on getting code that worked better than Beta 5.
Hopefully, documentation will take a higher priority as we approach
the final Kerberos release.
Paul> Paul
Paul> Thanks for your help!! Paul
>>
Paul> --
Paul> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul> Paul R. Weber
Paul> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paul> Computer Operations Manager II
Paul> 301 Phillips Hall
Paul> Electrical Engineering
Paul> Cornell University
Paul> Ithaca, NY 14853-6401
Paul> E-mail: prw1@cornell.edu
Paul> Phone: (607) 255-1460
Paul> Fax: (607) 254-4565
Paul> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
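
The klogin/eklogin mismatch described in the reply above can be checked mechanically. The following is an added example, not part of the original message or of the Kerberos distribution: it reads inetd.conf-style lines and reports any klogin entry that runs klogind with -e, or any eklogin entry that runs it without -e. The sample lines and the /krb5/sbin/klogind path are constructed for illustration, and the check assumes -e appears as a separate argument.

```shell
#!/bin/sh
# Added example. Reads inetd.conf-style lines from stdin (or from files given
# as arguments) and checks that klogind's -e flag matches the service name:
# klogin = unencrypted port, eklogin = encrypted port.
# inetd.conf fields: service socktype proto wait user server-path argv0 args...
check_klogind() {
    awk '
    /^[ \t]*#/ || NF < 7 { next }                 # skip comments, short lines
    $1 != "klogin" && $1 != "eklogin" { next }    # only the two rlogin services
    {
        enc = 0
        for (i = 7; i <= NF; i++)                 # scan klogind argument list
            if ($i == "-e") enc = 1
        if ($1 == "klogin" && enc)
            print "MISMATCH line " NR ": klogin (unencrypted port) runs klogind -e"
        else if ($1 == "eklogin" && !enc)
            print "MISMATCH line " NR ": eklogin (encrypted port) runs klogind without -e"
        else
            print "ok line " NR ": " $1
    }' "$@"
}

# Constructed sample input (not the poster's real inetd.conf; path is assumed).
sample_inetd_conf() {
    cat <<'EOF'
# Kerberos V5 rlogin services (constructed sample)
klogin  stream tcp nowait root /krb5/sbin/klogind klogind -e
eklogin stream tcp nowait root /krb5/sbin/klogind klogind -e
EOF
}

sample_inetd_conf | check_klogind
```

On a real host, run `check_klogind /etc/inetd.conf`; a MISMATCH on the klogin line corresponds to the garbled session output quoted earlier in the thread.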