Subject: Re: kinit (Kerberos)
To: Dick Davies <rasputnik@hellooperator.net>
From: John R. Shannon <john@johnrshannon.com>
List: netbsd-help
Date: 09/02/2004 06:40:52
On Thursday 02 September 2004 06:34 am, Dick Davies wrote:
> Last time I tried kerberos on netbsd (I guess about Christmas) it 'just
> worked' with v5.
> Have you got anything that might enable v4 in krb5.conf?
I don't believe so:
[libdefaults]
        # Set the realm of this host here
        default_realm = JOHNRSHANNON.COM
        # Maximum allowed time difference between KDC and this host
        clockskew = 300

[realms]
        JOHNRSHANNON.COM = {
                # Specify KDC here
                kdc = kerberos.johnrshannon.com
                # Administration server, used for creating users etc.
                admin_server = kerberos.johnrshannon.com
        }

# This section describes how to figure out a realm given a DNS name
[domain_realm]
        .johnrshannon.com = JOHNRSHANNON.COM

[kdc]
        require-preauth = yes

[kadmin]
        # This is the trickiest part of a Kerberos installation. See the
        # heimdal infopage for more information about encryption types.
        # For a k5 only realm, this will be fine
        default_keys = v5
>
> Otherwise, maybe it's your version of netbsd - I've always used current...
NetBSD 2.0_BETA
> * John R. Shannon <john@johnrshannon.com> [0901 12:01]:
> > I have a Kerberos V only (heimdal) authentication server. When I run
> > kinit I get:
> >
> > $ kinit
> > john@JOHNRSHANNON.COM's Password:
> > kinit: NOTICE: ticket renewable lifetime is 1 week
> > kinit: converting creds: Cannot contact any KDC for requested realm
> >
> > and klist shows:
> >
> > $ klist
> > Credentials cache: FILE:/tmp/krb5cc_1000
> > Principal: john@JOHNRSHANNON.COM
> >
> > Issued           Expires          Principal
> > Sep 2 04:52:13   Sep 2 14:52:13   krbtgt/JOHNRSHANNON.COM@JOHNRSHANNON.COM
> > Sep 2 04:52:13   Sep 2 14:52:13   krbtgt/JOHNRSHANNON.COM@JOHNRSHANNON.COM
> >
> > V4-ticket file: /tmp/tkt1000
> > klist: No ticket file (tf_util)
> >
> > On an OpenBSD client, when I do the same thing I see:
> >
> > Credentials cache: FILE:/tmp/krb5cc_0
> > Principal: john@JOHNRSHANNON.COM
> >
> > Issued           Expires          Principal
> > Sep 2 04:50:26   Sep 2 14:50:26   krbtgt/JOHNRSHANNON.COM@JOHNRSHANNON.COM
> >
> >
> > Monitoring the network traffic shows that port 4444/udp, the krb5 -> krb4
> > ticket conversion, on the authentication server is being accessed by the
> > client; there is nothing listening to that port.
> >
> > From this, I assume that the client is trying to set up both Kerberos IV
> > and V credentials. How do I set up the NetBSD client for Kerberos V only?
> >
> > --
> >
> > John R. Shannon
> > john@johnrshannon.com
--
John R. Shannon
john@johnrshannon.com