Date: Thu, 25 Jun 1998 12:25:41 -0700
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: security@FreeBSD.ORG
Subject: kerberos su problems betw 2 machines
Message-ID: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>
I've finally gotten Kerberos (as part of the des distribution) installed on my 2.2.6-R machine (called fortress, with a DNS cname called kerberos) and my 2.2.5-R machine (called inet).

My krb.conf:

    CHIPWEB.ML.ORG
    CHIPWEB.ML.ORG fortress.chipweb.ml.org admin server
    CHIPWEB.ML.ORG kerberos.chipweb.ml.org

My krb.realms:

    fortress.chipwb.ml.org CHIPWEB.ML.ORG
    .chipweb.ml.org CHIPWEB.ML.ORG

fortress is also running my own DNS server, which is why *.chipweb.ml.org appears as 24.1.82.47 to the outside world, but internally I have 6-7 machines in the domain chipweb.ml.org (using the 172.16.0.0/16 IP range).

I set up kerberos on fortress according to the handbook, creating passwd.fortress, rcmd.fortress, passwd.inet, rcmd.inet, fortress's srvtab, and inet's srvtab. I also created ludwigp and ludwigp.root (for testing the SU acl).

On fortress, logging in as ludwigp gives me my ticket. I can kinit to ludwigp.root and also su to root (I've set up the .klogin for root to be "ludwigp.root@CHIPWEB.ML.ORG").

On inet, logging in as ludwigp gives me my ticket. I can kinit to ludwigp.root and get my ticket, but trying to do su gives me "su: kerberos: unable to verify rcmd ticket: Incorrect network address (krb_rd_req)".

Another thing which bothered me: I downloaded the kerberized telnet from ftp://ftp.pdc.kth.se/pub/krb/binaries/i386-unknown-winnt4.0/ and it telnets into fortress with encryption, giving me my proper tickets (the telnet program has its own ticket lister). Trying to do the same with inet doesn't work; I get a normal telnet connection, without encryption or tickets.

Both systems have the r* services disabled in inetd, but the Kerberos authenticated services (r* -k) are enabled. The server is also running the additional registerd and kpasswdd services.

Any reason why 2.2.5-R's kerberos behaves differently and can't communicate the same as 2.2.6-R's kerberos?
Another question: If I want kerberos to be the only place the passwords are stored (since my master.passwd isn't being changed when passwd is used to change the kerberos password), how would I go about doing that?

--Ludwig Pummer
ludwigp@bigfoot.com
ICQ UIN: 692441
http://chipweb.home.ml.org
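Two pieces of Kerberos 4 behaviour sit behind the symptoms in this mail: how krb.realms maps a host name to a realm, and the network-address test in krb_rd_req whose failure is reported as "Incorrect network address". The following is an added example, not code from the mail, from FreeBSD or from the KTH distribution; it is a simplified Python model of both lookups (the single-pass first-match rule for krb.realms and the ticket-address-equals-peer-address rule are my understanding of the krb4 code and are assumptions here). The krb.realms text is copied from the post as written; the IP addresses are constructed, with 172.16.0.5 chosen from the poster's internal range.

```python
"""Simplified model of two Kerberos 4 lookups (added example, assumptions noted).

1. krb.realms: each line is either "host REALM" or ".domain REALM". A leading-dot
   pattern is compared with the part of the host name from its first dot; any
   other pattern is compared with the whole host name. First match wins; with no
   match the upper-cased domain is used (assumed simplification of krb_realmofhost).
2. krb_rd_req address test: the client address stored in the ticket must equal the
   address the server saw the request come from, unless the server passes a zero
   from-address, which disables the test (assumed simplification).
"""
from ipaddress import IPv4Address

# krb.realms exactly as it appears in the mail (constructed copy of the posted text).
KRB_REALMS = """\
fortress.chipwb.ml.org CHIPWEB.ML.ORG
.chipweb.ml.org CHIPWEB.ML.ORG
"""

BADD_MESSAGE = "Incorrect network address (krb_rd_req)"


def parse_krb_realms(text):
    """Return (pattern, realm) pairs in file order; blank lines and # comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: ignore rather than guess
        entries.append((fields[0].lower(), fields[1]))
    return entries


def realm_of_host(host, entries):
    """Map a fully qualified host name to a realm using krb.realms semantics."""
    host = host.lower().rstrip(".")
    dot = host.find(".")
    domain = host[dot:] if dot >= 0 else ""  # includes the leading dot, e.g. ".chipweb.ml.org"
    for pattern, realm in entries:
        if pattern.startswith("."):
            if pattern == domain:
                return realm
        elif pattern == host:
            return realm
    # Default: derive the realm from the domain part, upper-cased.
    return domain[1:].upper()


def check_ticket_address(ticket_addr, from_addr):
    """Model krb_rd_req's address test. Returns (ok, message)."""
    if from_addr is None:  # a zero from-address disables the check in krb4
        return True, "address check skipped"
    if IPv4Address(ticket_addr) != IPv4Address(from_addr):
        return False, BADD_MESSAGE
    return True, "address ok"


def demo():
    """Resolve the two hosts from the mail and run the address test on constructed addresses."""
    entries = parse_krb_realms(KRB_REALMS)
    return {
        "fortress": realm_of_host("fortress.chipweb.ml.org", entries),
        "inet": realm_of_host("inet.chipweb.ml.org", entries),
        # Client seen from an internal address, ticket carrying the same address.
        "same_addr": check_ticket_address("172.16.0.5", "172.16.0.5"),
        # Ticket carrying the external address while the server sees the internal one.
        "nat_addr": check_ticket_address("24.1.82.47", "172.16.0.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block resolves both fortress.chipweb.ml.org and inet.chipweb.ml.org to CHIPWEB.ML.ORG through the .chipweb.ml.org entry, and shows that the address test only passes when the address inside the ticket is the one the server actually sees the client connecting from; a host that appears under one address internally and another externally, as described in the mail, is exactly the situation in which that test is worth checking first.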