
Kerberos on OpenBSD



I'm trying to set up Kerberos (either IV or V, I don't much care) on an
OpenBSD machine so that I can set up AFS on a nearby Solaris machine.  I'm
having nothing but problems, though.  Perhaps someone can help.

The only docs I've found aside from 'info kth-krb' and 'info heimdal' are in
the OpenBSD FAQ, and the FreeBSD Handbook.  Both on Kerberos IV.

I've followed them step-by-step to set up a CLEANNORTH.ORG realm with
obiwan.cleannorth.org as the kdc (admin server when trying to set up IV).

--- Here's the problem with Kerberos IV:

With IV, I get to the point in the FAQ where it tells me to try to obtain my
first ticket, and I get:

odin@obiwan:p4[~]$ kinit
kinit: krb5_get_default_principal: unable to find realm of host obiwan

Now, I don't see how this could be, or why it's trying to get a krb5 ticket.
Here's my host info:

odin@obiwan:p4[~]$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 obiwan.cleannorth.org obiwan

odin@obiwan:p4[~]$ host obiwan
obiwan.cleannorth.org   A       192.168.15.2

odin@obiwan:p4[~]$ host 192.168.15.2
Name: obiwan.cleannorth.org
Address: 192.168.15.2

And here are my krb.* files

odin@obiwan:p4[~]$ cat /etc/kerberosIV/krb.realms 
obiwan.cleannorth.org   CLEANNORTH.ORG
.cleannorth.org         CLEANNORTH.ORG

odin@obiwan:p4[~]$ cat /etc/kerberosIV/krb.conf  
CLEANNORTH.ORG
CLEANNORTH.ORG  obiwan.cleannorth.org admin server

The only error that I noticed while following these instructions is that
kadmind didn't like the '-n' flag that I gave it (and the man page mentions
nothing of a -n flag either). It seemed to run OK anyway, though, but it
doesn't log anything.

--- Here's the problem with Kerberos V:

I get all the way through the instructions (without doing a kstash... that
seems to require kerberosIV on OpenBSD) in 'info heimdal' up to the point
of creating the keytab. Then I get something like this:

kadmin> add --random-key host/obiwan.cleannorth.org
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/obiwan.cleannorth.org
kadmin: krb5_kt_add_entry: Add is not supported in the ANY keytab
kadmin: krb5_kt_add_entry: Add is not supported in the ANY keytab
kadmin: krb5_kt_add_entry: Add is not supported in the ANY keytab
kadmin: krb5_kt_add_entry: Add is not supported in the ANY keytab

But after doing some digging, I found I can do this:

root@obiwan:p2[/etc/kerberosV]# kadmin -l ext_keytab -k test.tab \
> host/obiwan.cleannorth.org
root@obiwan:p2[/etc/kerberosV]# mv test.tab krb5.keytab

And after starting /usr/libexec/kdc and fetching a key with kinit:

root@obiwan:p2[/etc/kerberosV]# kinit odin
odin@CLEANNORTH.ORG's Password: 
root@obiwan:p2[/etc/kerberosV]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: odin@CLEANNORTH.ORG

  Issued           Expires          Principal                         
Mar 11 15:27:01  Mar 12 01:27:01  krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG
Mar 11 15:27:01  Mar 12 01:27:01  krbtgt/CLEANNORTH.ORG@CLEANNORTH.ORG

v4-ticket file: /tmp/tkt0
Principal:      odin@CLEANNORTH.ORG

  Issued           Expires          Principal                         
Mar 11 15:27:01  Mar 12 01:27:01  krbtgt.CLEANNORTH.ORG@CLEANNORTH.ORG

I still can't use kerberized services (rsh and rlogin attempted):

root@obiwan:p2[/etc/kerberosV]# rsh obiwan -l odin
obiwan.cleannorth.org: Connection refused

root@obiwan:p2[/etc/kerberosV]# rlogin -l odin obiwan
obiwan.cleannorth.org: Connection refused

And I did enable the services and restart inetd:

root@obiwan:p2[/etc/kerberosV]# fstat|grep :54
root     inetd      11994    7* internet stream tcp 0xe0612c00 *:543
root     inetd      11994    9* internet stream tcp 0xe05f2e00 *:544
root     inetd      11994   10* internet stream tcp 0xe05f7900 *:545

Can someone please give me some pointers?  As I said, I don't care much
which version of Kerberos I end up running, as long as I can actually get it
running.

Thanks in advance.

-Dan
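For anyone checking a krb.realms file like the one in the post, here is an added example (not from Dan's post, nor from the Kerberos IV or Heimdal sources) that parses the two entry forms the file shows, an exact hostname line and a leading-dot domain line, and resolves a hostname to its realm. The lookup order it applies (exact hostname first, then the longest matching domain suffix, None when nothing matches) is my assumption about the convention, and the sample file content is copied from the post.

```python
# Added example: host -> realm lookup over krb.realms-style entries.
# Assumed matching rule: an exact hostname line wins; otherwise the longest
# ".domain" suffix line; no match returns None. Sample content is the
# krb.realms shown in the post.
from typing import Optional

KRB_REALMS = """\
obiwan.cleannorth.org   CLEANNORTH.ORG
.cleannorth.org         CLEANNORTH.ORG
"""


def parse_krb_realms(text: str) -> list[tuple[str, str]]:
    """Return (pattern, realm) pairs, skipping blank and '#' comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed krb.realms line: {raw!r}")
        # hostnames and domains compare case-insensitively; realms are kept as written
        entries.append((parts[0].lower(), parts[1]))
    return entries


def realm_of_host(host: str, entries=None) -> Optional[str]:
    """Map a hostname to a realm, or None if no entry covers it."""
    host = host.lower().rstrip(".")
    if entries is None:
        entries = parse_krb_realms(KRB_REALMS)
    # 1. an exact hostname entry takes precedence
    for pattern, realm in entries:
        if not pattern.startswith(".") and pattern == host:
            return realm
    # 2. otherwise the most specific (longest) ".domain" suffix entry
    best = None
    for pattern, realm in entries:
        if pattern.startswith(".") and host.endswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    return best[1] if best else None


if __name__ == "__main__":
    # an unqualified name such as "obiwan" matches neither entry form
    for h in ("obiwan.cleannorth.org", "ns.cleannorth.org", "obiwan"):
        print(f"{h:25s} -> {realm_of_host(h)}")
```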