From: Kirk Strauser
To: freebsd-questions@freebsd.org
Date: Wed, 30 Jun 2004 17:24:36 -0500
Subject: ksu not working as expected
Message-Id: <200406301724.46345.kirk@strauser.com>

I've been migrating to Heimdal for authentication of the various
services on my network. Other kerberized commands (ssh, imtest,
ldapsearch) work in the usual way, but I'm having problems getting ksu
to play nicely. First, yes, it is setuid on my system.

I currently have a TGT for the "kirk@HONEYPOT.NET" principal:

    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1000
            Principal: kirk@HONEYPOT.NET

I'm on the host "kanga.honeypot.net" which has a defined principal of
"host/kanga.honeypot.net@HONEYPOT.NET" in /etc/krb5.keytab. My user
principal is present in .k5login in root's home directory:

    # cat ~/.k5login
    kirk@HONEYPOT.NET
    kirk/*@HONEYPOT.NET

However, when I try to use ksu to become root, I get this error unless
I enter a password:

    $ ksu
    root's password:
    Sorry!

If I *do* enter root's real password, then I become root exactly as if
I'd used su instead of ksu. I'm kind of stuck at this point. I have
everything configured correctly from what I can tell, and this should
certainly be a lot easier than, say, configuring OpenLDAP and SASL. Any
thoughts?

-- 
Kirk Strauser