[3079] in Kerberos-V5-bugs
krb5-admin/720: krb5-admin
daemon@ATHENA.MIT.EDU (hugh@opo.usp.ac.fj)
Sun Jun 6 19:55:16 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, anderson@manu.usp.ac.fj
Message-Id: <19990606235403.2585744.qmail@opo.usp.ac.fj>
Date: Sun, 06 Jun 1999 23:54:03 +0000
From: hugh@opo.usp.ac.fj
Reply-To: anderson@manu.usp.ac.fj
To: krb5-bugs@MIT.EDU
>Number: 720
>Category: krb5-admin
>Synopsis: First install - can't set up correctly?
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bjaspan
>State: open
>Class: support
>Submitter-Id: unknown
>Arrival-Date: Sun Jun 06 19:55:01 EDT 1999
>Last-Modified:
>Originator: Hugh Anderson
>Organization:
University of the South Pacific
Suva, Fiji Islands
>Release: krb5-1.0.5
>Environment:
O2, IRIX 6.5, IRIX 6.5
System: IRIX opo 6.5 05190004 IP32
>Description:
I am new to Kerberos, so I may just have a configuration problem...
The compile and install proceeded without varying from the documentation.
My intent is to demonstrate Kerberos for a post-graduate class this
semester.
I am unable to access the services - when I try to connect to
telnet (for example) I get messages like this:
opo 117% /usr/local/bin/telnet -r -a -x -f opo 5555
Trying 255.255.255.255...
Connected to opo.usp.ac.fj (255.255.255.255).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 accepts you as ``hugh@MACS.USP.AC.FJ'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
telnetd: Authorization failed.
Connection closed by foreign host.
opo 118%
We only have a few UNIX machines at USP, so I am using opo both as the
master KDC and as client and server machines. There are no slave KDCs.
>How-To-Repeat:
The KDC is installed on machine opo.usp.ac.fj, with the following config
files:
==================/etc/krb5.conf
[libdefaults]
default_realm = MACS.USP.AC.FJ
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
[realms]
MACS.USP.AC.FJ = {
kdc = opo.usp.ac.fj:88
kdc = opo.usp.ac.fj
admin_server = opo.usp.ac.fj
default_domain = USP.AC.FJ
}
[domain_realm]
.usp.ac.fj = MACS.USP.AC.FJ
usp.ac.fj = MACS.USP.AC.FJ
[logging]
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmin.log
default = FILE:/var/adm/krb5lib.log
==================/usr/local/var/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
MACS.USP.AC.FJ = {
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.MACS.USP.AC.FJ
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
}
=================
I have installed telnetd at a high numbered port for testing:
ktelnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
=================
And I have an entry for telnet access from opo.usp.ac.fj
opo 50# /usr/local/sbin/kadmin.local
kadmin.local: listprincs
K/M@MACS.USP.AC.FJ
kadmin/admin@MACS.USP.AC.FJ
hugh@MACS.USP.AC.FJ
kadmin/changepw@MACS.USP.AC.FJ
admin/admin@MACS.USP.AC.FJ
host/opo.usp.ac.fj@MACS.USP.AC.FJ
host/manu.usp.ac.fj@MACS.USP.AC.FJ
kadmin/history@MACS.USP.AC.FJ
krbtgt/MACS.USP.AC.FJ@MACS.USP.AC.FJ
kadmin.local:
==================
When I attempt to telnet I get the following
opo 117% /usr/local/bin/telnet -r -a -x -f opo 5555
Trying 255.255.255.255...
Connected to opo.usp.ac.fj (255.255.255.255).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 accepts you as ``hugh@MACS.USP.AC.FJ'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
telnetd: Authorization failed.
Connection closed by foreign host.
opo 118% klist
Ticket cache: /tmp/krb5cc_100
Default principal: hugh@MACS.USP.AC.FJ
Valid starting      Expires             Service principal
07 Jun 99 10:15:42  07 Jun 99 20:15:40  krbtgt/MACS.USP.AC.FJ@MACS.USP.AC.FJ
07 Jun 99 10:15:48  07 Jun 99 20:15:40  host/opo.usp.ac.fj@MACS.USP.AC.FJ
opo 119%
===============
I am a little uneasy about the 255.255.255.255 address that telnet
mentions... opo's IP address is 144.120.8.248
I have tried to join the Kerberos mailing list without success.
Cheers Hugh
>Fix:
>Audit-Trail:
>Unformatted: