
Kerberos problems

CrownRU

Newbie
Hello colleagues, I am at my wits' end, so now I have to rely on your help. :???:
I want to set up a Kerberos server, for single sign-on to begin with.
I followed this guide: http://www.mpipks-dresden.mpg.de/~m...e-manual_de/manual/sec.kerbadmin.instkdc.html
Unfortunately I did not get very far. Perhaps there is someone here who can help me.

Here are my configs:

cat /etc/krb5.conf
Code:
[libdefaults]
    default_realm = SERVER.LOCAL

    krb4_config = /etc/krb.conf
       #krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    allow_weak_crypto = true



    v4_instance_resolve = false
    clockskew = 300
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
SERVER.LOCAL = {
    kdc = xxx:88
    admin_server = xxx:749
    default_domain = SERVER.LOCAL
}

[domain_realm]
    .server.local = SERVER.LOCAL
    server.local = SERVER.LOCAL
    .SERVER.LOCAL = SERVER.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
#   default = FILE:/var/log/kerberos/krb5.log
#   kdc = FILE:/var/log/kerberos/krb5kdc.log
#   admin_server = FILE:/var/log/kerberos/kadmind.log

    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = FILE:/var/log/krb5/krb5libs.log
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
    external = sshd
    use_shmem = sshd

}

cat /var/lib/kerberos/krb5kdc/kdc.conf
Code:
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        SERVER.LOCAL = {
                database_name = /var/lib/kerberos/krb5kdc/principal
                acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
                admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
                default_principal_flags = +postdateable +forwardable +renewable +proxiable +dup-skey -preauth -hwauth +service +tgt-based +allow-tickets -pwchange -pwservice
                dict_file = /var/lib/kerberos/krb5kdc/kadm5.dict
                key_stash_file = /var/lib/kerberos/krb5kdc/.k5.SERVER.LOCAL
                kdc_ports = 750,88
                max_life = 0d 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
cat /var/lib/kerberos/krb5kdc/kadm5.acl
Code:
###############################################################################
#Kerberos_principal      permissions     [target_principal]      [restrictions]
###############################################################################
#
*/admin@SERVER.LOCAL *

kdb5_util create -r SERVER.LOCAL -s
Code:
Loading random data
Initializing database '/var/lib/kerberos/krb5kdc/principal' for realm 'SERVER.LOCAL',
master key name 'K/M@SERVER.LOCAL'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: File exists while creating database '/var/lib/kerberos/krb5kdc/principal
--> kdb5_util: File exists while creating database '/var/lib/kerberos/krb5kdc/principal

ls -la /var/lib/kerberos/krb5kdc/principal
Code:
-rw------- 1 root root 8192 22. Jan 11:53 /var/lib/kerberos/krb5kdc/principal

kadmin.local -q listprincs
Code:
Authenticating as principal root/admin@SERVER.LOCAL with password.
kadmin.local: Stored master key is corrupted while initializing kadmin.local interface

klist
Code:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

/etc/init.d/krb5kdc start
Code:
Starting Kerberos 5 KDC                                                                                                                                                      done
krb5kdc: cannot initialize realm SERVER.LOCAL - see log file for details

tail /var/log/krb5/krb5kdc.log
Code:
krb5kdc: Cannot find/read stored master key - while fetching master key K/M for realm SERVER.LOCAL
krb5kdc: Cannot find/read stored master key - while fetching master key K/M for realm SERVER.LOCAL
krb5kdc: Cannot find/read stored master key - while fetching master key K/M for realm SERVER.LOCAL

/etc/init.d/kadmind start

Code:
Starting Kerberos 5 Admin Serverkadmind: Stored master key is corrupted while initializing, aborting
startproc:  exit status of parent of /usr/lib/mit/sbin/kadmind: 1
                                                                                                                                                                             failed

Thanks in advance! :oops:
 

CrownRU

Newbie
Hello,
I found the solution myself:

delete all the old principals, then it works.

Code:
rm /var/lib/kerberos/krb5kdc/principal*

Thanks to everyone
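The errors in the first post ("File exists while creating database", then "Cannot find/read stored master key" and "Stored master key is corrupted") are what MIT Kerberos reports when a principal database and its master-key stash on disk were not produced by the same `kdb5_util create -s` run, for example when an earlier attempt was aborted or repeated with a different master password. As an added example (not from the original post, the guide linked above, or MIT Kerberos itself), the POSIX shell script below reads `database_name` and `key_stash_file` for a realm out of `kdc.conf`, classifies what is on disk before you run `kdb5_util create` again, and performs the fix from this thread while moving the old files aside rather than deleting them. The function names `kdc_db_paths`, `kdc_state`, `kdc_verify` and `kdc_reset`, and the temporary `kdc.conf` built in `demo`, are constructed for this example; the only real tools it calls are `awk` and, optionally, `kadmin.local`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks the on-disk state of
# a MIT KDC before kdb5_util create -s is (re)run. kdb5_util create -s writes
# two things that must agree: the principal database (database_name in
# kdc.conf, plus companion files principal.ok, principal.kadm5, ...) and the
# master-key stash (key_stash_file). A leftover database, or a stash written
# with a different master password, breaks both krb5kdc and kadmind with the
# messages quoted in the thread. The kdc.conf in demo() is constructed here.

# kdc_db_paths REALM KDC_CONF
# Prints "<database_name> <key_stash_file>" for REALM as set in KDC_CONF.
kdc_db_paths() {
    awk -v realm="$1" '
        /^\[realms\]/                          { in_realms = 1; next }
        /^\[/                                  { in_realms = 0 }
        in_realms && $1 == realm && $2 == "="  { in_realm = 1; next }
        in_realm && $1 == "}"                  { in_realm = 0 }
        in_realm && $1 == "database_name"      { db = $3 }
        in_realm && $1 == "key_stash_file"     { stash = $3 }
        END { print db, stash }
    ' "$2"
}

# kdc_state DB STASH
# Prints one of:
#   fresh        neither file exists: kdb5_util create -s is safe to run
#   complete     both exist: confirm they belong together with kdc_verify
#   stale-db     database without stash: create fails with "File exists"
#   stale-stash  stash without database: move it aside before creating
kdc_state() {
    if [ -e "$1" ] && [ -e "$2" ]; then
        echo complete
    elif [ -e "$1" ]; then
        echo stale-db
    elif [ -e "$2" ]; then
        echo stale-stash
    else
        echo fresh
    fi
}

# kdc_verify REALM
# Only meaningful on the KDC host: kadmin.local opens the database with the
# stashed key and fails with "Stored master key is corrupted" when stash and
# database do not match. Returns 2 if MIT Kerberos is not installed,
# otherwise kadmin.local's exit status.
kdc_verify() {
    command -v kadmin.local >/dev/null 2>&1 || return 2
    kadmin.local -r "$1" -q listprincs >/dev/null 2>&1
}

# kdc_reset DB STASH BACKUP_DIR
# The fix from the thread (rm principal*), but moving the files aside instead
# of deleting them, and taking the stash along so create -s regenerates both.
# Stop krb5kdc and kadmind first; afterwards: kdb5_util create -r REALM -s
kdc_reset() {
    mkdir -p "$3"
    for f in "$1" "$1".* "$2"; do
        if [ -e "$f" ]; then
            mv "$f" "$3"/
        fi
    done
}

# demo: builds a constructed kdc.conf plus database stub in a temp dir and
# walks through the states an aborted create leaves behind.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/kdc.conf" <<EOF
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        SERVER.LOCAL = {
                database_name = $tmp/principal
                key_stash_file = $tmp/.k5.SERVER.LOCAL
        }
EOF
    # word-split the two paths (no spaces in KDC paths in practice)
    set -- $(kdc_db_paths SERVER.LOCAL "$tmp/kdc.conf")
    echo "database: $1  stash: $2"
    echo "initial:              $(kdc_state "$1" "$2")"
    touch "$1" "$1.ok"                      # as if an earlier create died
    echo "after partial create: $(kdc_state "$1" "$2")"
    kdc_reset "$1" "$2" "$tmp/backup"
    echo "after reset:          $(kdc_state "$1" "$2")"
    rm -rf "$tmp"
}

demo
```

Two caveats. `complete` only means both files are present, not that they match: the failure in this thread is precisely a database and a stash that both exist but came from different `kdb5_util create` runs, which only `kdc_verify` (i.e. `kadmin.local` on the KDC itself) can confirm. And moving or deleting `principal*` destroys every principal in the realm, which is harmless on a KDC that was never finished, as here, but is not a fix for a realm that is already in use.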
 

spoensche

Moderator
Teammitglied
You should use a different domain instead of .local. .local is a multicast domain, used for example by Zeroconf, and that can lead to DNS problems.
 