Bugzilla – Full Text Bug Listing
| Summary: | krb5 login fails when using YaST setup krb5.conf | ||
|---|---|---|---|
| Product: | [openSUSE] SUSE LINUX 10.0 | Reporter: | Jonathon Robison <jrobiso2> |
| Component: | YaST2 | Assignee: | Jiří Suchomel <jsuchome> |
| Status: | RESOLVED FIXED | QA Contact: | Klaus Kämpf <kkaempf> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | mc |
| Version: | Beta 4 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | All | ||
| Whiteboard: | |||
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | /var/log/YaST2/* | ||
Well, the problem is not with the numbers but with the port. Michael, is it ok to use a value like "na1.ford.com:88" as kdc entry? (Looks like it really is OK, just want to reassure myself).

For kdc it is OK.

http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5-admin/realms--krb5.conf-.html#realms%20

(krb5.conf) kdc
The name of a host running a KDC for that realm. An optional port number (separated from the hostname by a colon) may be included.

I am not really sure about the admin_server. There is no such explicit information available. But if kdc works, why not admin_server.

Seems to work also for admin_server. I found this in the source code of MIT krb5. It is a template for testcases.

<snip>
[realms]
__REALM__ = {
kdc = __KDCHOST__:1750
admin_server = __KDCHOST__:1751
}
<snap>
fixed

Even when I left off the :88, YaST insisted on a numerical address. So essentially it's two aspects that would need fixed: Allow ports, and allow named addresses.

Host names are allowed; what do you mean by "YaST insisted on a numerical address"? An error message? Which one? What did you provide as the KDC address and wasn't accepted by kerberos module? Additionally, please attach yast2 log files (/var/log/YaST2/*)

It gave the exact same popup error as when I had the :88 in there. Can't recall the verbiage now.

Created attachment 49053
/var/log/YaST2/*

And what was the address? "na1.ford.com"? I cannot reproduce the error with this one. Please try to reproduce it with kerberos module started this way: "Y2DEBUG=1 yast2 kerberos-client" and provide /var/log/YaST2/y2log* files right after you get the error message.

I have used the following krb5.conf for a while now:

[libdefaults]
default_realm = NA1.FORD.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
clockskew = 300

[realms]
NA1.FORD.COM = {
    kdc = na1.ford.com:88
    admin_server = na1.ford.com
    admin_server = na1.ford.com:88
}

[domain_realm]
.fsic.ford.com = NA1.FORD.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    ccache = /tmp/krb5cc_%u
    keytab = ''
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 500
    debug = true
}
kinit = {
    forwardable = true
    renewable = true
}

YaST will not allow me to set up a config like this - it doesn't like the na1.ford.com:88 for a KDC. If I do as YaST wants and use numbers, krb5 login fails. Here is the conf that fails:

[libdefaults]
default_realm = NA1.FORD.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
clockskew = 300

[realms]
NA1.FORD.COM = {
    kdc = 19.41.2.138
    admin_server = 19.41.2.138
    default_domain = ford.com
}

[domain_realm]
.fsic.ford.com = NA1.FORD.COM
.ford.com = NA1.FORD.COM

[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log

[appdefaults]
pam = {
    ticket_lifetime = 1d
    ccache = /tmp/krb5cc_%u
    keytab = ''
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 500
    debug = true
    try_first_pass = true
}
kinit = {
    forwardable = true
    renewable = true
}
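
Added example (not from the bug report and not YaST's own code): Python that accepts the `kdc` and `admin_server` forms the thread settles on, a host name or numeric IPv4 address with an optional `:port`, and applies that check to a `[realms]` section. The function names are hypothetical, the sample reuses values quoted in the report, and IPv6 literals are outside its scope.

```python
import ipaddress
import re

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label, no edge hyphen
# Constructed sample that reuses values quoted in the report.
SAMPLE = """\
[realms]
NA1.FORD.COM = {
    kdc = na1.ford.com:88
    admin_server = na1.ford.com
    kdc = 19.41.2.138
}
"""

def parse_host_port(value):
    """Split 'host' or 'host:port' into (host, port); ValueError if invalid."""
    host, sep, port_text = value.strip().partition(":")
    if sep and not (re.fullmatch(r"[0-9]{1,5}", port_text) and 1 <= int(port_text) <= 65535):
        raise ValueError(f"bad port in {value!r}")
    try:
        ipaddress.IPv4Address(host)  # numeric addresses stay valid
    except ValueError:
        labels = host.rstrip(".").split(".")
        # An all-digit last label means a malformed IP, not a host name.
        if len(host) > 253 or labels[-1].isdigit() or not all(_LABEL.fullmatch(x) for x in labels):
            raise ValueError(f"bad host in {value!r}") from None
    return host, (int(port_text) if sep else None)

def check_realms(conf_text):
    """Return {realm: [(key, host, port), ...]} for kdc/admin_server entries."""
    result, section, realm, depth = {}, None, None, 0
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section, depth = line.strip("[]").lower(), 0
        elif section == "realms" and line.endswith("{"):
            depth += 1
            if depth == 1:  # top-level block names the realm
                realm = line.split("=")[0].strip()
                result[realm] = []
        elif section == "realms" and line == "}":
            depth -= 1
        elif depth == 1 and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if key in ("kdc", "admin_server"):
                result[realm].append((key, *parse_host_port(value)))
    return result
```

`check_realms` raises `ValueError` on the first entry that is neither a host name nor an IPv4 address with a port in 1-65535, so a malformed value is reported before it reaches krb5.conf.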