Bugzilla – Bug 115451
krb5 login fails when using YaST setup krb5.conf
Last modified: 2005-09-07 13:16:10 UTC
I have used the following krb5.conf for a while now:

    [libdefaults]
        default_realm = NA1.FORD.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        clockskew = 300

    [realms]
        NA1.FORD.COM = {
            kdc = na1.ford.com:88
            admin_server = na1.ford.com
            admin_server = na1.ford.com:88
        }

    [domain_realm]
        .fsic.ford.com = NA1.FORD.COM

    [logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            ccache = /tmp/krb5cc_%u
            keytab = ''
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 500
            debug = true
        }
        kinit = {
            forwardable = true
            renewable = true
        }

YaST will not allow me to set up a config like this - it doesn't like the na1.ford.com:88 for a KDC. If I do as YaST wants and use numbers, krb5 login fails. Here is the conf that fails:

    [libdefaults]
        default_realm = NA1.FORD.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        clockskew = 300

    [realms]
        NA1.FORD.COM = {
            kdc = 19.41.2.138
            admin_server = 19.41.2.138
            default_domain = ford.com
        }

    [domain_realm]
        .fsic.ford.com = NA1.FORD.COM
        .ford.com = NA1.FORD.COM

    [logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            ccache = /tmp/krb5cc_%u
            keytab = ''
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 500
            debug = true
            try_first_pass = true
        }
        kinit = {
            forwardable = true
            renewable = true
        }
Well, the problem is not with the numbers but with the port. Michael, is it ok to use value like "na1.ford.com:88" as kdc entry? (Looks like it really is OK, just want to reassure myself).
For kdc it is OK. http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5-admin/realms--krb5.conf-.html#realms%20 (krb5.conf): "kdc: The name of a host running a KDC for that realm. An optional port number (separated from the hostname by a colon) may be included." I am not really sure about the admin_server. There is no such explicit information available. But if kdc works, why not admin_server.
Seems to work also for admin_server. I found this in the source code of MIT krb5. It is a template for testcases.

    <snip>
    [realms]
        __REALM__ = {
            kdc = __KDCHOST__:1750
            admin_server = __KDCHOST__:1751
        }
    <snap>
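The two comments above settle what a valid kdc or admin_server value looks like: a host name or IPv4 address, optionally followed by a colon and a port. The following is an added example, not code from this bug report or from the YaST kerberos-client module, showing the validation a configuration tool should apply before rejecting such an entry. It reads the [realms] section of a constructed krb5.conf modelled on the reporter's working file (the realm BAD.EXAMPLE and its out-of-range port are also constructed, to show a genuine error being reported), and accepts host:port where YaST did not. IPv6 literals are left out of scope.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the working krb5.conf from the bug report
# (not the file itself). The host:port form on kdc/admin_server is exactly
# what the YaST kerberos-client module rejected; BAD.EXAMPLE is a constructed
# realm carrying an invalid port so the checker has something to report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = NA1.FORD.COM
    clockskew = 300

[realms]
    NA1.FORD.COM = {
        kdc = na1.ford.com:88
        admin_server = na1.ford.com
        admin_server = na1.ford.com:88
    }
    # constructed realm with an out-of-range port
    BAD.EXAMPLE = {
        kdc = kdc.bad.example:70000
    }

[domain_realm]
    .fsic.ford.com = NA1.FORD.COM
"""

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(host: str) -> bool:
    """True for a syntactically valid DNS host name (a trailing dot is allowed)."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def is_ipv4(host: str) -> bool:
    """True for a dotted-quad IPv4 literal."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ipaddress.AddressValueError:
        return False


def validate_kdc_address(value: str) -> Tuple[bool, str]:
    """Accept 'host', 'a.b.c.d', or either followed by ':port' (1-65535).

    Returns (ok, reason); reason is empty when ok. This is the check YaST
    should have applied instead of insisting on a bare numeric address.
    """
    value = value.strip()
    if not value:
        return False, "empty value"
    if ":" in value:
        host, port = value.rsplit(":", 1)
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return False, f"bad port {port!r} (must be 1-65535)"
    else:
        host = value
    # A purely numeric/dotted host must be a real IPv4 address, not just digit labels.
    if re.fullmatch(r"[0-9.]+", host):
        return (True, "") if is_ipv4(host) else (False, f"bad IPv4 address {host!r}")
    if not is_hostname(host):
        return False, f"bad host {host!r} (need a host name or IPv4 address)"
    return True, ""


def parse_realms(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal krb5.conf reader for the [realms] section only.

    Returns {realm: [(key, value), ...]} preserving order and duplicate keys
    (the report's realm has two admin_server lines). Handles '#' comments and
    the single level of braces a realm stanza uses.
    """
    realms: Dict[str, List[Tuple[str, str]]] = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):
            realm = line[:-1].rstrip().rstrip("=").strip()
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, _, val = line.partition("=")
            realms[realm].append((key.strip(), val.strip()))
    return realms


def check_realms(text: str) -> List[str]:
    """Validate every kdc and admin_server entry; return a list of problem strings."""
    problems = []
    for realm, entries in parse_realms(text).items():
        for key, val in entries:
            if key in ("kdc", "admin_server"):
                ok, why = validate_kdc_address(val)
                if not ok:
                    problems.append(f"{realm}: {key} = {val}: {why}")
    return problems


if __name__ == "__main__":
    for line in check_realms(SAMPLE_KRB5_CONF) or ["all realm server entries are well-formed"]:
        print(line)
```

Run against the sample, the checker accepts all three NA1.FORD.COM entries, including the two with :88, and reports only the constructed BAD.EXAMPLE port. The port range and host-name syntax checks are ordinary input validation; the MIT documentation quoted above is the authority for the host:port form itself.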
fixed
Even when I left off the :88, YaST insisted on a numerical address. So essentially there are two aspects that would need to be fixed: allow ports, and allow named addresses.
Host names are allowed; what do you mean by "YaST insisted on a numerical address"? An error message? Which one? What did you provide as the KDC address that wasn't accepted by the kerberos module? Additionally, please attach the yast2 log files (/var/log/YaST2/*).
It gave the exact same popup error as when I had the :88 in there. Can't recall the verbiage now.
Created attachment 49053: /var/log/YaST2/*
And what was the address? "na1.ford.com"? I cannot reproduce the error with this one. Please try to reproduce it with the kerberos module started this way: "Y2DEBUG=1 yast2 kerberos-client" and provide the /var/log/YaST2/y2log* files right after you get the error message.