From: Tillman Hodgson
To: doc@freebsd.org
Date: Mon, 25 Oct 2004 14:28:58 -0600
Subject: Re: Chapter 14, Security, Kerberos V (admin_server).
Message-ID: <20041025202858.GA94897@seekingfire.com>
In-Reply-To: <20041022215936.GF785@zaphod.nitro.dk>
References: <20041022130456.GA88051@mrtall.compsoc.man.ac.uk> <20041022215936.GF785@zaphod.nitro.dk>
On Fri, Oct 22, 2004 at 11:59:36PM +0200, Simon L. Nielsen wrote:
> On 2004.10.22 14:04:56 +0100, Lewis Thompson wrote:
>
> > I just got bitten by not having admin_server in my krb5.conf file. This
> > is not mentioned at all in the handbook and is surprisingly hard to
> > track down (maybe I was looking at the wrong logs ;). An addition
> > explaining what admin_server does would be very welcome.
>
> While improvements to the documentation are of course always welcome, I
> set up Kerberos (Heimdal from base) on 4.X and 5.X and it works fine
> with no admin_server setting...

I think I found the problem the OP had. My krb5.conf contains the
following bits that might apply:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[realms]
    SEEKINGFIRE.PRV = {
        kdc = kerberos.seekingfire.prv
        admin_server = kerberos.seekingfire.prv
        default_domain = seekingfire.prv
    }

Now it's extremely unlikely that the lack of an admin_server= line in
the logging stanza would have any serious negative effect. But, if the
OP did /not/ set up DNS entries for Kerberos (and those are only in a
"note" subsection, making it look very optional), then an admin_server
line in the realms section might be needed if the OP wanted to allow
remote administration of the Kerberos database (including password
changes). The relevant DNS entry is _kerberos-adm._tcp.
Actually, with a full DNS implementation, krb5.conf only needs to be:

[libdefaults]
    default_realm = EXAMPLE.ORG

Anyway, I now think that the sample krb5.conf given in the Handbook
should be changed to include an admin_server= line below the kdc= line.
It might also be worthwhile to expand the DNS section and throw some
better wording around it. With the help of Giorgos I'll see if I can get
the Kerberos5 section revamped sometime soon.

-T

-- 
Page 41: Two of the most important Unix traditions are to share and to
help people.
        - Harley Hahn, _The Unix Companion_
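The point of the thread is that a [realms] stanza without an admin_server line works for ticket acquisition (the KDC is found) but leaves kadmin and password changes dependent on a _kerberos-adm._tcp SRV record that an admin may never have published. The following is an added example, not code from the post or from the FreeBSD Handbook: a small krb5.conf parser that handles the format's [section] headers and the brace-delimited realm sub-blocks, plus a check that lists the realms whose stanza omits admin_server. The embedded configuration is constructed for the example (EXAMPLE.ORG and INCOMPLETE.ORG are placeholders modelled on the config quoted above, not the poster's actual file).

```python
"""Check krb5.conf [realms] stanzas for a missing admin_server entry."""
import re

# Constructed sample modelled on the krb5.conf shown in the post; realm
# names and hostnames are placeholders. One realm sets admin_server, the
# other omits it.
SAMPLE_KRB5_CONF = """\
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
        default_domain = example.org
    }
    INCOMPLETE.ORG = {
        kdc = kerberos.incomplete.org
    }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}.

    Two layers are handled: '[section]' headers and 'NAME = { ... }'
    sub-blocks such as the per-realm stanzas in [realms]. Lines starting
    with '#' or ';' are comments. Unbalanced braces raise ValueError.
    """
    sections = {}
    stack = []            # dicts currently being filled, innermost last
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = {}
            stack[-1][key] = block   # open a nested stanza
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def realms_missing_admin_server(conf):
    """Return realm names whose [realms] stanza has no admin_server line.

    For such realms, kadmin and kpasswd can only locate the admin server
    through a _kerberos-adm._tcp SRV record in DNS.
    """
    realms = conf.get("realms", {})
    return sorted(
        name for name, stanza in realms.items()
        if isinstance(stanza, dict) and "admin_server" not in stanza
    )


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in realms_missing_admin_server(parsed):
        print(f"{realm}: no admin_server; remote administration needs a "
              f"_kerberos-adm._tcp SRV record for this realm instead")
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf; a realm reported here is only a problem if the matching SRV record is also absent, which is exactly the combination the thread describes.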