Reply: Re: Reply: Re: kerberos setup, basic questions
I do believe that starting the kadmind in step 3 (or at least before
step 5) would help.
/JockeF
王玥 wrote:
> Hi,Harald. Thanks for your advice and it helped me
> much more.
>
> I think there are several problems in my deploying
> heimdal. So maybe i should post my deploying heimdal
> in details.
>
> My environment: there are 2 VMware PCs, one works as
> kdc and server(heimdal's telnetd) named
> kerberosKDC(192.168.0.30) and another works as client
> named kerberosC(192.168.0.3). Both VM PCs have FC8 as
> OS. The heimdal version is 1.1.
>
> 1. Both kerberosKDC and kerberosC share the same
> /etc/krb5.conf like this:
>
> [root@kerberosC ~]# more /etc/krb5.conf
> [libdefaults]
> default_realm = WEDGIE.ORG
>
> [realms]
> WEDGIE.ORG = {
> kdc = 192.168.0.30
> admin_server = 192.168.0.30
> }
>
> [domain_realm]
> .wedgie.org = WEDGIE.ORG
>
>
> 2. on kerberosKDC, initialized as following:
>
> [root@kerberosKDC sbin]# ./kstash
> Master key:
> Verifying - Master key:
> kstash: writing key to `/var/heimdal/m-key'
>
> [root@kerberosKDC sbin]# ./kadmin -l
> kadmin> init WEDGIE.ORG
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
>
> kadmin> list *
> default
> kadmin/admin
> kadmin/hprop
> kadmin/changepw
> krbtgt/WEDGIE.ORG
> changepw/kerberos
>
> kadmin> add jdoe/admin@WEDGIE.ORG
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> jdoe/admin@WEDGIE.ORG's Password:
> Verifying - jdoe/admin@WEDGIE.ORG's Password:
>
>
> 3. start the kdc on kerberosKDC, and the heimdal's
> telnetd has already started by xinetd.
>
> [root@kerberosKDC sbin]# /usr/heimdal/libexec/kdc &
> [1] 3091
>
>
> 4. kerberosC gets TGT:
>
> [root@kerberosC ~]# /usr/heimdal/bin/kinit jdoe/admin
> jdoe/admin@WEDGIE.ORG's Password:
> [root@kerberosC ~]# /usr/heimdal/bin/klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: jdoe/admin@WEDGIE.ORG
>
> Issued Expires Principal
> Jul 2 18:20:01 Jul 3 04:19:21 krbtgt/WEDGIE.ORG@WEDGIE.ORG
>
>
> 5. create a principal and make krb5.keytab on
> kerberosKDC
> kadmin> add -r host/kerberosKDC.WEDGIE.ORG
> kadmin: connect(192.168.0.30): Connection refused
> kadmin: failed to contact 192.168.0.30
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> kadmin: connect(192.168.0.30): Connection refused
> kadmin: failed to contact 192.168.0.30
> kadmin: kadm5_create_principal: Operation failed for unspecified reason
> kadmin: adding host/kerberosKDC.WEDGIE.ORG: Operation failed for unspecified reason
>
>
> The message "connect(192.168.0.30): Connection
> refused" may be because "host name resolving" as you
> pointed. But my /etc/hosts are as following:
> kerberosKDC:
> [root@kerberosKDC sbin]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost loopback
> ::1 localhost6.localdomain6 localhost6
> 192.168.0.30 kerberosKDC kerberosKDC
> 192.168.0.3 kerberosC kerberosC
>
> kerberosC:
> [root@kerberosC ~]# more /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost loopback
> ::1 localhost6.localdomain6 localhost6
> 192.168.0.3 kerberosC kerberosC
> 192.168.0.30 kerberosKDC kerberosKDC
>
> My question is:
> (1). I think it can resolve the IP address in both
> directions.
> I am confused here and would someone kindly explain
> this to me.
>
> (2). Is the process I used to deploy heimdal all right?
>
> Thanks in advance!!
>
> WangYue
>
> --- Harald Barth <haba@kth.se> wrote:
>
>>> 1. Is this "host" the hostname of the service PC?
>>> And do I have to use the hostname instead of the
>>> service PC's IP address?
>> The principal consists of 3 parts:
>>
>> <Name> / <Instance> @ <Realm> (spaces inserted for
>> readability)
>>
>> For users <Name> obviously is the username,
>> <Instance> is empty and
>> <Realm> is your Realm (obviously). Sometimes the
>> <Instance> is used
>> for administrative accounts.
>>
>> Example:
>>
>> haba@KTH.SE
>> haba/admin@KTH.SE
>>
>> For services (like telnet, rsh, ftp, nfs, afs) the
>> <Name> is the service
>> name. telnet and rsh and ssh share the name "host"
>> because a host
>> is identified by it. <Instance> is the name of the
>> host and <Realm>
>> again is as usual.
>>
>> Fictional examples:
>>
>> host/loginserver.kth.se@KTH.SE
>> host/belgarath.lfs.org@LFS.ORG
>> afs/kth.se@KTH.SE
>>
>> The confusing part is that all commands accept
>> principals in short forms
>> where the "obvious" (default) parts are omitted.
>>
>> Example:
>>
>> kinit haba
>>
>> which means <Name> is haba, <Instance> is empty and
>> <Realm> is default
>> (KTH.SE in my case).
>>
>>
>>> 2. If my hostname is kerberosA, the kerberized
>>> service program is heimdal's telnetd, and my
>>> krb5.conf
>>> is following:
>>>
>>> [libdefaults]
>>> default_realm = WEDGIE.ORG
>>>
>>> [realms]
>>> WEDGIE.ORG = {
>>> kdc = 192.168.0.30
>>> admin_server = 192.168.0.30
>>> }
>>>
>>> [domain_realm]
>>> .wedgie.org = WEDGIE.ORG
>>>
>>> should the "host" be kerberosA or admin_server?
>>> So will I input
>>> kadmin>add -r kerberosA/WEDGIE.ORG
>>> or the
>>> kadmin>add -r admin_server/WEDGIE.ORG
>> You need one for each host you want to log in to.
>>
>> It should be <Name>/<Instance>@<Realm> which in your
>> case
>>
>> probably is
>>
>> host/kerberosA.your.domain@WEDGIE.ORG
>> host/kerberosB.your.domain@WEDGIE.ORG
>> host/kerberosC.your.domain@WEDGIE.ORG
>>
>> or something like that
>>
>> The Instance part must match what the IP address of
>> the host resolves
>> to. For Kerberos to work, you must have a working
>> setup of host name
>> resolving in both directions.
>>
>> You said " kadmin>add -r ....", but it is easier to
>> use ktutil get on
>> each of your hosts. It creates the principal in the
>> KDC and makes the
>> corresponding /etc/krb5.keytab on the host.
>>
>> Harald.
>>
>
>
>
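Two points in the thread are easy to get wrong and cheap to check before touching the KDC: the three-part principal form Harald describes (short forms pick up the default realm), and his rule that the <Instance> of a host/... principal must match what the host's address resolves back to in both directions. The script below is an added example, not code from the Heimdal project or from anyone in the thread. It parses principals the way the short forms are explained above and checks a host principal against a hosts table; the table is constructed from the two /etc/hosts files WangYue posted, so it runs offline, and the function and variable names (parse_principal, parse_hosts, check_host_principal, HOSTS_FILE) are this example's own.

```python
"""Principal parsing and forward/reverse host-name consistency check.

Added example (not Heimdal code).  The hosts table is constructed from the
/etc/hosts contents quoted in the thread; a real check would ask the system
resolver instead (see the note after the block).
"""
from dataclasses import dataclass

# Constructed from the thread's two /etc/hosts files (merged).
HOSTS_FILE = """\
127.0.0.1 localhost loopback
::1 localhost6.localdomain6 localhost6
192.168.0.30 kerberosKDC kerberosKDC
192.168.0.3 kerberosC kerberosC
"""


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str
    realm: str


def parse_principal(text: str, default_realm: str) -> Principal:
    """Split 'name[/instance][@REALM]' into its three parts.

    Short forms get the default realm, which is what 'kinit haba' relies on.
    """
    if "@" in text:
        local, realm = text.rsplit("@", 1)
    else:
        local, realm = text, default_realm
    if not local or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    name, _, instance = local.partition("/")
    if not name:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, instance, realm)


def parse_hosts(text: str):
    """Build forward (name -> ip) and reverse (ip -> canonical name) maps.

    Names are looked up case-insensitively, as DNS does; the canonical name
    is the first name on the line, which is what a reverse lookup returns.
    """
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if not names:
            continue
        reverse.setdefault(ip, names[0])
        for n in names:
            forward.setdefault(n.lower(), ip)
    return forward, reverse


def check_host_principal(text: str, default_realm: str, forward, reverse):
    """Return (ok, reason) for a host/<Instance>@<Realm> principal.

    The instance must resolve to an address, and that address must resolve
    back to exactly the same name: principal names are case-sensitive, so a
    case difference between instance and canonical host name is reported.
    """
    p = parse_principal(text, default_realm)
    if p.name != "host":
        return False, f"not a host principal (name={p.name!r})"
    if not p.instance:
        return False, "host principal has an empty instance"
    ip = forward.get(p.instance.lower())
    if ip is None:
        return False, f"{p.instance!r} does not resolve to an address"
    canonical = reverse.get(ip)
    if canonical != p.instance:
        return False, f"{ip} resolves back to {canonical!r}, not {p.instance!r}"
    return True, f"{p.instance} <-> {ip} is consistent"


if __name__ == "__main__":
    fwd, rev = parse_hosts(HOSTS_FILE)
    for cand in ("host/kerberosKDC.WEDGIE.ORG", "host/kerberosKDC",
                 "host/kerberoskdc", "jdoe/admin"):
        ok, why = check_host_principal(cand, "WEDGIE.ORG", fwd, rev)
        print(f"{cand:30} {'OK ' if ok else 'BAD'} {why}")
```

Run against the hosts table from the thread, the principal WangYue actually tried, host/kerberosKDC.WEDGIE.ORG, is rejected because nothing in /etc/hosts resolves that fully qualified name, while host/kerberosKDC passes; that is the mismatch Harald's "resolving in both directions" remark points at. For a live check, replace the two dictionaries with socket.gethostbyname and socket.gethostbyaddr on the host that will hold the keytab. The separate "Connection refused" in step 5 is a different failure: kadmin without -l talks to kadmind on admin_server, and no kadmind was started in the steps shown, which is what JockeF's reply addresses.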