Date: Fri, 18 Feb 2000 10:52:14 +0200
From: "Dimitar Peikov" <mitko@koral.bg>
To: "Andrew Otwell" <andrew@networkcomputerz.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: kerberosIV
Message-ID: <01e801bf79ed$74907ee0$0700a8c0@koral.bg>
References: <38AB5833.89A2F51A@networkcomputerz.com> <20000216212840.A47599@baileylink.net> <38AC111B.CD593D08@networkcomputerz.com>

I've got this problem for 'principal expired' after 1-Jan-2000.
Because the creation date of the kerberos database is 1-Jan-2000, you must use:

    #kdb_util dump v4

After that, modify the dates which are set to 20000101 to a new date
(I moved it to 20100101).
After the modifications, load the database back into the kerberos DB using:

    #kdb_util load v4

This should correct that problem.

Mitko

----- Original Message -----
From: Andrew Otwell <andrew@networkcomputerz.com>
To: Brad Guillory <round@baileylink.net>; <freebsd-questions@FreeBSD.ORG>
Sent: Thursday, February 17, 2000 5:17 PM
Subject: Re: kerberosIV

> For starters... (my apologies for pine readers - inetd lines listed
> below will wrap terribly)
>
> 1. man inetd or inetd.conf makes no mention of kerberos and man kerberos
> makes no mention of inetd (then why are there entries in inetd????).
> Shall the kerbDB run as a full time daemon without inetd calls -
> probably or definitely.
> 2. man kinit, first para, references man 1 kerberos for "registering as
> a kerberos user" but man 1 kerberos doesn't tell you how - literally
> tell you what to type. This is why I was looking for a
> www.freebsddiary.org type install guide.
>
> So I continue ..... with the belief that inetd is used.
>
> I commented out the following lines but my system doesn't have rkinitd,
> registerd, or kpasswdd. Shall I use the source and make, make install
> from the /usr/src/....kerberosIV/???? No mention of installation
> anywhere in the handbook.
>
> # Kerberos authenticated services
> #
> klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k
> eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x
> kshell stream tcp nowait root /usr/libexec/rshd rshd -k
> rkinit stream tcp nowait root /usr/libexec/rkinitd rkinitd
> #
> # Services run ONLY on the Kerberos server
> #
> ###krbupdate stream tcp nowait root /usr/libexec/registerd registerd
> ###kpasswd stream tcp nowait root /usr/libexec/kpasswdd kpasswdd
>
> Regarding /etc/auth.conf - my system(s) didn't even have
> pam_kerberosIV.so in /usr/lib. My system(s) only have
> pam_cleartext_pass_ok, pam_deny, pam_permit, pam_radius, pam_skey,
> pam_ssh, pam_tacplus, pam_unix (DES???). Again, I could use some install
> tips in the handbook for this.
>
> I'm probably suffering from option overload. If kerberos consists of
> /etc/kerberosIV/, kdb_init, kstash, kdb_edit ..., ext_srvtab and moveit
> and chmod 600, kdb_edit username, kerberos &, kadmind -n &, then my
> system(s) - and I - are broken. It's probably me but I can't see the
> forest for the trees. The man page for kdb_edit is pretty scary. I would
> hope to see all the available principals and instances (example - man
> rc.conf or smb.conf) - maybe I'm just not paying attention to the obvious
> here.
>
> BTW, ipfw is wide open on my test systems, as well as inetd, and safely
> tucked away from the script kiddies (and ATHENA - is this part of the
> problem?).
>
> When I launch kerberos & and kadmind -n and as the user, run kinit
> username, all I get is
>
> bashprompt$ kinit username
> Kerberos Initialization for "username"
> Password:
> kinit: Principal expired (kerberos)
> bashprompt$ ps ax
> snip
> 2625 p0 I 0:00.02 kerberos
> 2626 p0 I 0:00.01 kadmind -n
> snap
>
> =========================================
>
> Brad Guillory wrote:
> >
> > What type of problems are you having? I am sure that several here would
> > be happy to help.
> > BMG
> >
> > On Wed, Feb 16, 2000 at 09:08:51PM -0500, Andrew Otwell wrote:
> > > Where is the official installation->manual for kerberosIV on FreeBSD????
> > > The handbook shows a picture perfect step by step that does not work for
> > > me.
> > >
> > > Looked in www.freebsddiary.org, www.freebsddiary.org,
> > > www.freebsd.org/tutorials - faq - handbook
> > >
> > > We have /etc/auth.conf, /etc/kerberosIV/....,
> > > /usr/lib/pam_kerberosIV.so, /etc/inetd.conf (much less
> > > /etc/hosts.allow), and there's probably many more config files involved.
> > >
> > > I swear on the holy grail that I'll publish a complete how-to if someone
> > > would point me in the right direction.
> > >
> > > --
> > > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > > Andrew T. Otwell, Network Administrator
> > > andrew@networkcomputerz.com, 678.363.8491
> > > http://www.NetworkComputerz.com
> > > yank GnuPG DSS key from hkp://pgpkeys.mit.edu
> > > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
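
The edit step between the dump and the load described in the reply above, as an added example that is not part of the original thread. The helper names `bump_dates` and `make_sample` are hypothetical, and the sample dump lines are constructed: their column layout is an assumption, not captured kdb_util output. Only whole digits-only tokens are rewritten, so a principal name that happens to contain the old date is left alone, which a blind search-and-replace would not guarantee.

```shell
#!/bin/sh
# Added example, not from the original thread. Rewrites expired date tokens in
# the text dump between "kdb_util dump v4" and "kdb_util load v4".

# bump_dates DUMP OLD NEW: change every whitespace-separated, digits-only token
# that starts with OLD so that it starts with NEW. The original is kept as
# DUMP.orig; the number of tokens changed is printed.
bump_dates() (
    dump=$1 old=$2 new=$3
    umask 077                        # the dump carries principals' keys
    cp "$dump" "$dump.orig" || exit 1
    awk -v old="$old" -v new="$new" -v cnt="$dump.cnt" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/ && index($i, old) == 1) {
                    $i = new substr($i, length(old) + 1)
                    n++
                }
            print
        }
        END { printf "%d\n", n > cnt }
    ' "$dump.orig" > "$dump.new" || exit 1
    mv "$dump.new" "$dump" || exit 1
    cat "$dump.cnt" && rm -f "$dump.cnt"
)

# Constructed sample: the column layout is an assumption, not real kdb_util output.
make_sample() {
    cat > "$1" <<'EOF'
u20000101 * 255 1 1 0 1a2b3c4d 5e6f7a8b 200001010000 199911201530 * *
krbtgt EXAMPLE.ORG 255 1 1 0 0badc0de 7f00aa11 200001010000 200001010000 * *
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/v4"
    bump_dates "$dir/v4" 20000101 20100101   # prints 3
    cat "$dir/v4"
    rm -rf "$dir"
}
demo
```

Compare the rewritten file against the `.orig` copy before loading it, and remove both files once the load has succeeded, since each contains the principals' keys.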
