[3219] in Kerberos-V5-bugs


krb5-admin/964: Problems initialising a KerberosV database.

daemon@ATHENA.MIT.EDU (Dennis Davis)
Wed Jun 6 12:06:13 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, Dennis Davis <D.H.Davis@bath.ac.uk>
Message-Id: <200106061704.aa13860@ancho.bath.ac.uk>
Date: Wed, 6 Jun 2001 17:04:58 +0100 (BST)
From: Dennis Davis <D.H.Davis@bath.ac.uk>
Reply-To: Dennis Davis <D.H.Davis@bath.ac.uk>
To: krb5-bugs@mit.edu
Cc: Dennis Davis <D.H.Davis@bath.ac.uk>


>Number:         964
>Category:       krb5-admin
>Synopsis:       Problems initialising a KerberosV database.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Jun  6 12:06:01 EDT 2001
>Last-Modified:
>Originator:     Dennis Davis
>Organization:
Bath University Computing Services, UK
>Release:        krb5-1.2.2
>Environment:
	
System: OpenBSD ancho.bath.ac.uk 2.8 ANCHO#0 i386


>Description:
I'm trying to set up krb5-1.2.2 on an OpenBSD2.8 system.  I've
configured it with:

configure --with-cc=cc --with-ccopts=-O2 --prefix=/kerberosV \
          --enable-dns-for-realm --with-krb4 \
          --with-tcl=/usr/local --enable-shared

and, with a slight change to the source, it compiles & installs OK.

I have an /etc/krb5.conf of:


[libdefaults]
    clockskew = 300
    default_realm = BATH.AC.UK
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    krb4_srvtab = /etc/srvtab
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms

[realms]
    BATH.AC.UK = {
        kdc = ancho.bath.ac.uk:88
        admin_server = ancho.bath.ac.uk:749
        default_domain = bath.ac.uk
    }

[domain_realm]
    .bath.ac.uk = BATH.AC.UK

[login]
    krb5_get_tickets = true
    krb4_get_tickets = true

[kdc]
    profile = /kerberosV/var/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/kerberosV.logs/krb5kdc.log
    admin_server = FILE:/kerberosV.logs/kadmin.log
    default = FILE:/kerberosV.logs/kr5lib.log


and a /kerberosV/var/krb5kdc/kdc.conf of:


[kdcdefaults]
    kdc_ports = 88,750
    v4_mode = nopreauth

[realms]
    BATH.AC.UK = {
        database_name = /kerberosV/var/krb5kdc/principal
        admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
        acl_file = /kerberosV/var/krb5kdc/kadm5.acl
        dict_file = /kerberosV/var/krb5kdc/kadm5.dict
        key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
        
[logging]
    kdc = FILE:/kerberosV.logs/krb5kdc.log
    admin_server = FILE:/kerberosV.logs/kadmin.log
    default = FILE:/kerberosV.logs/kr5lib.log


When I create a fresh database with the above, I get:


(root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
master key name 'K/M@BATH.AC.UK'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: No such file or directory while initializing the kerberos context


and when I attempt to edit the database using kadmin.local it
immediately bombs out:


(root) ?// /kerberosV/sbin/kadmin.local
Authenticating as principal root/admin@BATH.AC.UK with password.
kadmin.local: No such file or directory while initializing kadmin.local interface


It seems to me that there is some confusion here.  The machine
hasn't recognised that it is the KerberosV server and is expecting
to contact one somewhere else.  If I change the master_key_type in
kdc.conf to des-cbc-crc, everything works a treat:


(root) ?// ex kdc.conf
kdc.conf: unmodified: line 23
:15p
        master_key_type = des3-hmac-sha1
:s/des3-hmac-sha1/des-cbc-crc
        master_key_type = des-cbc-crc
:w
kdc.conf: 23 lines, 827 characters
:q
(root) ?// /kerberosV/sbin/kdb5_util create -r BATH.AC.UK -s
Initializing database '/kerberosV/var/krb5kdc/principal' for realm 'BATH.AC.UK',
master key name 'K/M@BATH.AC.UK'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
(root) ?// /kerberosV/sbin/kadmin.local
Authenticating as principal root/admin@BATH.AC.UK with password.
kadmin.local: 


I apologise for the wordiness of the above.  I'm trying to explain
as clearly as possible what I'm seeing.  It's slightly annoying
not being able to use des3-hmac-sha1 for the master key.  However
it's hardly crucial; des-cbc-crc should be good enough especially
as access to the KerberosV server should be physically and
computationally restricted.

I don't think that this is a problem with the operating system
and/or version of gcc.  OpenBSD2.8 uses gcc 2.95.3 as its compiler.
I get similar problems on a Solaris2.5.1 box using gcc 2.8.1.
>How-To-Repeat:
See above.
>Fix:
Use a master key type of des-cbc-crc.
>Audit-Trail:
>Unformatted:
Unable to use a master key type of des3-hmac-sha1.
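
An added example, not part of the original report or of MIT Kerberos: a small Python check that parses the realm stanza of a kdc.conf like the one quoted above and lists, per setting, which enctypes are named and which of them are single DES (deprecated for Kerberos by RFC 6649). The sample text is constructed from the report's kdc.conf; `parse_realms` and `enctype_report` are hypothetical helper names.

```python
import re

# Constructed sample: enctype settings from the kdc.conf quoted in the report.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    BATH.AC.UK = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    }
"""

# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("master_key_type", "supported_enctypes", "kdc_supported_enctypes")

def parse_realms(text):
    """Return {realm: {key: value}} from the [realms] section of a kdc.conf."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, _, value = line.partition("=")
            realms[realm][key.strip()] = value.strip()
    return realms

def enctype_report(text):
    """Per realm and setting, list the enctypes named and which are single DES."""
    report = {}
    for realm, opts in parse_realms(text).items():
        for key in ENCTYPE_KEYS:
            # Entries look like 'enctype' or 'enctype:salttype'; drop the salt.
            names = sorted({e.split(":")[0] for e in re.split(r"[,\s]+", opts.get(key, "")) if e})
            report[(realm, key)] = {"enctypes": names,
                                    "single_des": [n for n in names if n in SINGLE_DES]}
    return report
```

Calling `enctype_report(open(path).read())` on a real kdc.conf gives the same per-setting view for every realm defined in it.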
