[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1]

To: heimdal-discuss@sics.se
Subject: Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1]
From: Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Date: Wed, 26 Sep 2007 11:16:53 +0100
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Reply-To: heimdal-discuss@sics.se, Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Sender: A O V Le Blanc <zlsiial@afs.mcc.ac.uk>
User-Agent: Mutt/1.5.12-2006-07-14

After solving the original problem, as I reported on September 21
to this list, thanks to Andreas Haupt, I reported some additional
problems. I repeat this message, since I had no response to the
last one.

A second problem I found
is that kadmin no longer works remotely without adding a principal
kadmin/admin, and that was easily done. Then I try to do a list
with kadmin from a remote machine. This fails because

kadmin> list -l zlsiial
admin/admin@ZZZZZZZZZZZ's Password:
kadmin: get zlsiial: Operation requires `get' privilege

although I have

admin/admin all

in the kadmind.acl file on the master server. So this is a problem.
I tried replacing 'all' with 'get' in the kadmind.acl file, but with
the same result.

Moreover, though iprop-master starts without a problem, iprop-slave
refuses to start on the slave servers. On the slave servers themselves
this message appears in the auth.log:

Sep 21 09:02:12 rj4 ipropd-slave[13298]: krb5_get_init_creds: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

and on the master server, this appears in the kdc log:

2007-09-21T09:02:12 AS-REQ iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ from IPv4:000.00.003.00 for iprop/rj1.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for PKINIT pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 Looking for ENC-TS pa-data -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ
2007-09-21T09:02:12 No preauth found, returning PREAUTH-REQUIRED -- iprop/rj4.zzzzzzzzzzzzzzz@ZZZZZZZZZZZ

This means that I cannot get iprop to work at all.

-- Owen

Follow-Ups:
- Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1]
  - From: Andreas Haupt <andreas.haupt@desy.de>

Prev by Date: Re: Authen::Heimdal & Authen::Heimdal::Admin - rough but working
Next by Date: Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1]
Prev by thread: Re: PK-Init and proxy certs question
Next by thread: Re: Changes in kdc.conf in from version 0.7.2 to version 1.0.1]
Index(es):
- Date
- Thread