Re: Problem with kpasswd
I wrote:
> [realms]
> man.ac.uk = {
> kdc = avl.mcc.ac.uk
> admin_server = avl.mcc.ac.uk
> }
...
> kpasswd: krb5_change_password: Unknown error 4294967288
On Wed, Feb 16, 2000 at 05:33:26PM +0100, Assar Westerlund wrote:
> # define EAI_SERVICE -8 /* SERVICE not supported for `ai_socktype'. */
>
> Which does seem rather bogus to me. getaddrinfo should get called
> with ai_socktype = 0, hostname `avl.mcc.ac.uk' and port `749'. But it
> seems that the NRL getaddrinfo() in glibc can't cope with that. I
> should try to figure out if that's true or bogus. Meanwhile, you
> should be able to work-around it by specifying:
>
> admin_server = udp/avl.mcc.ac.uk
Yes! kpasswd now works. So at least we have a work-around.
Thanks very much for this.
I also asked about kadmin, and Assar wrote:
> load and dump only work with local kadmin (`kadmin -l').
>
> To give out privileges: add stuff similar to this example to
> /var/heimdal/kadmind.acl:
>
> leblanc/admin@man.ac.uk all
>
> This is actually mentioned in the documentation under `Remote
> administration'. :-)
Whoops! I did read this, but forgot. But since I tried the
dump and list commands first, I certainly had a bogus problem.
I asked about configuring the kaserver, and Assar wrote:
> you should have in /var/heimdal/kdc.conf:
>
> [kdc]
> enable-kaserver = true
I see; there is something about the kdc.conf file in the
supplied manpage for kdc.
With respect to the ka database, Assar wrote:
> No, it's the same database (the heimdal one). The ka-server database
> is not touched at all by the kdc, just read by hprop. The kdc serves
> all three of the kerberos 5, kerberos 4, and kaserver protocols from
> the same process and database.
OK. I think I have enough to go experiment.
With respect to my problems with the change from glibc 2.0 to 2.1,
I wrote:
> [I] had an incidental problem that the
> kdc compiled against the new libraries couldn't read the old
> database.
and Assar wrote:
> I believe they changed db version between 2.0 and 2.1, is that true?
Actually, there were two libdb versions for 2.1, one supposedly
supporting the old format, and one not. I did try to compile against
the first one, but couldn't get it to work (because of some problem
in the include files). The later version works perfectly, but
I wasn't aware of the incompatibility in format until Assar pointed
it out. With respect to backing up the database contents, he wrote:
> `replay_log' is however not as old, stable,
> and reliable as `kadmin -l dump', so I would suggest using that
> instead. It also has the advantage of being able to read and/or edit
> the contents fairly easily.
Thanks for all the help.
-- Owen
LeBlanc@mcc.ac.uk
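
Added example, not part of the original message or of Heimdal's code: the reported number 4294967288 is the 32-bit unsigned rendering of -8, the glibc `EAI_SERVICE` value quoted above, and this sketch decodes it and repeats the lookup Assar describes with `ai_socktype` 0 and with `SOCK_DGRAM`. The function names and the literal address 127.0.0.1 are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* expose getaddrinfo() under strict -std modes */
#endif
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Reinterpret the N from "Unknown error N" as a signed 32-bit code.
   A negative return value printed as unsigned appears as 2^32 - |code|. */
static int decode_error(unsigned long printed)
{
    return (int)(int32_t)(uint32_t)printed;
}

/* Assumption: negative codes use glibc's EAI_* numbering (as in the header
   line quoted in the thread); non-negative codes are treated as errno. */
static const char *describe(int code)
{
    return code < 0 ? gai_strerror(code) : strerror(code);
}

/* The lookup from the thread: host, service "749", chosen ai_socktype.
   Returns getaddrinfo()'s result: 0 on success, an EAI_* code on failure. */
static int resolve_admin(const char *host, const char *port, int socktype)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = socktype;
    hints.ai_flags = AI_NUMERICHOST; /* constructed input: literal address, no DNS */
    rc = getaddrinfo(host, port, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return rc;
}

int main(void)
{
    int code = decode_error(4294967288UL);

    printf("4294967288 -> %d (%s)\n", code, describe(code));
    printf("ai_socktype 0: rc=%d\n", resolve_admin("127.0.0.1", "749", 0));
    printf("SOCK_DGRAM:    rc=%d\n", resolve_admin("127.0.0.1", "749", SOCK_DGRAM));
    return 0;
}
```

A non-zero result from the `ai_socktype` 0 call on a given libc would correspond to the behaviour the thread attributes to the NRL `getaddrinfo()`, while the `SOCK_DGRAM` call corresponds to the `udp/` work-around.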