
Re: Remote kadmin not working on 0.7.2



Tried deleting the aes enctypes for hotz/admin and kadmin/admin.   
Same problem.

2006-02-27T12:58:24 AS-REQ hotz/admin@JPL.NASA.GOV from IPv4:128.149.197.37 for kadmin/admin@JPL.NASA.GOV
2006-02-27T12:58:24 Using des3-cbc-sha1/des3-cbc-sha1
2006-02-27T12:58:24 Requested flags: renewable
2006-02-27T12:58:24 sending 659 bytes to IPv4:128.149.197.37
-- and --
2006-02-27T12:58:24 krb5_recvauth: End of file
-- and --
kadmin> get hotz
hotz/admin@JPL.NASA.GOV's Password:
kadmin: get hotz: Server rejected authentication (during sendauth exchange)
kadmin>
---

Heimdal built with "OpenSSL 0.9.8a 11 Oct 2005".
[kadmin] and [password_quality] sections are in /etc/krb5.conf.

I can't see how it would matter, but I have AFS on the servers, but  
it's pointing at production, not the local test Heimdal servers.  I  
did have a token reject message show up in the middle of one of these  
trials when I had just gotten an invalid token as a side effect of a  
Heimdal kinit.

On Feb 27, 2006, at 10:57 AM, Henry B. Hotz wrote:

> I'm probably missing something obvious, (and probably it's  
> something I haven't thought to list here) but this isn't working:
>
> Client side:
> # /usr/heimdal/sbin/kadmin -p hotz
> kadmin> get hotz
> hotz@JPL.NASA.GOV's Password:
> kadmin: get hotz: Server rejected authentication (during sendauth exchange)
> ---
> Server side kadmin.log:
> 2006-02-27T10:41:14 krb5_recvauth: End of file
> ---
> Server side kdc.log:
> 2006-02-27T10:41:14 AS-REQ hotz@JPL.NASA.GOV from IPv4:128.149.197.37 for kadmin/admin@JPL.NASA.GOV
> 2006-02-27T10:41:14 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2006-02-27T10:41:14 Requested flags: renewable
> 2006-02-27T10:41:14 sending 649 bytes to IPv4:128.149.197.37
> ---
> # kdc.conf
> [kdc]
>         database = {
>                 realm = JPL.NASA.GOV
>                 mkey_file = /nobackup/m_key
>         }
>         kdc_warn_pwexpire = 1mo
>         require-preauth = false
>         enable-kerberos4 = true
>         v4-realm = JPL.NASA.GOV
>         enable-524 = true
>         enable-http = false
>         enable-kaserver = true
>         check-ticket-addresses = false
>         allow-null-ticket-addresses = true
> ---
> # fgrep hotz kadmind.acl
> hotz@JPL.NASA.GOV       get,list
> hotz/admin@JPL.NASA.GOV all
> ---
>
> I have snoops that prove the client is talking to the test server,  
> not the production, even though they have the same realm name.  I  
> get the same result with an encrypted vice decrypted master  
> database (which caused something similar for me on 0.6.3 once).
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
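The failure pattern in this thread shows up as two log lines on the server: the KDC hands out a kadmin/admin service ticket (AS-REQ in kdc.log), and a moment later kadmind logs "krb5_recvauth: End of file" without ever authenticating the client. The script below is an added example, not code from the thread or from Heimdal, that correlates the two logs to flag such half-finished kadmin sessions; it assumes the line formats exactly as quoted above, and the sample lines are constructed from the thread's own output.

```python
import re

# Constructed sample input in the shape of the Heimdal kdc.log and kadmin.log
# lines quoted in the thread (second AS-REQ is an unrelated TGT request).
KDC_LOG = """\
2006-02-27T12:58:24 AS-REQ hotz/admin@JPL.NASA.GOV from IPv4:128.149.197.37 for kadmin/admin@JPL.NASA.GOV
2006-02-27T12:58:24 Using des3-cbc-sha1/des3-cbc-sha1
2006-02-27T12:58:24 Requested flags: renewable
2006-02-27T12:58:24 sending 659 bytes to IPv4:128.149.197.37
2006-02-27T13:02:10 AS-REQ alice@JPL.NASA.GOV from IPv4:10.0.0.5 for krbtgt/JPL.NASA.GOV@JPL.NASA.GOV
"""
KADMIN_LOG = """\
2006-02-27T12:58:24 krb5_recvauth: End of file
"""

AS_REQ = re.compile(r"^(\S+) AS-REQ (\S+) from (\S+) for (\S+)$")
RECVAUTH_EOF = re.compile(r"^(\S+) krb5_recvauth: End of file$")


def to_seconds(ts):
    """Convert an ISO-style 'YYYY-MM-DDTHH:MM:SS' stamp to seconds since the
    start of its day; enough for correlating lines a few seconds apart."""
    h, m, s = ts.split("T", 1)[1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def failed_kadmin_auths(kdc_log, kadmin_log, window=5):
    """Return (client, source, timestamp) for every AS-REQ that obtained a
    kadmin/admin ticket and was followed within `window` seconds by a kadmind
    'krb5_recvauth: End of file', i.e. a sendauth exchange that never completed."""
    eofs = []
    for line in kadmin_log.splitlines():
        m = RECVAUTH_EOF.match(line)
        if m:
            eofs.append(to_seconds(m.group(1)))
    hits = []
    for line in kdc_log.splitlines():
        m = AS_REQ.match(line)
        if not m or not m.group(4).startswith("kadmin/admin@"):
            continue
        t = to_seconds(m.group(1))
        if any(0 <= e - t <= window for e in eofs):
            hits.append((m.group(2), m.group(3), m.group(1)))
    return hits


if __name__ == "__main__":
    for client, src, ts in failed_kadmin_auths(KDC_LOG, KADMIN_LOG):
        print(f"{ts}: {client} from {src} got a kadmin ticket but sendauth died")
```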