Date:      Mon, 25 Oct 2004 14:28:58 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        doc@freebsd.org
Subject:   Re: Chapter 14, Security, Kerberos V (admin_server).
Message-ID:  <20041025202858.GA94897@seekingfire.com>
In-Reply-To: <20041022215936.GF785@zaphod.nitro.dk>
References:  <20041022130456.GA88051@mrtall.compsoc.man.ac.uk> <20041022215936.GF785@zaphod.nitro.dk>


On Fri, Oct 22, 2004 at 11:59:36PM +0200, Simon L. Nielsen wrote:
> On 2004.10.22 14:04:56 +0100, Lewis Thompson wrote:
> 
> > I just got bitten by not having admin_server in my krb5.conf file.  This
> > is not mentioned at all in the handbook and is surprisingly hard to
> > track down (maybe I was looking at the wrong logs ;).  An addition
> > explaining what admin_server does would be very welcome.
> 
> While improvements to the documentation are of course always welcome, I
> set up Kerberos (Heimdal from base) on 4.X and 5.X and it works fine
> with no admin_server setting...

I think I found the problem the OP had.

My krb5.conf contains the following bits that might apply:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[realms]
 SEEKINGFIRE.PRV = {
  kdc = kerberos.seekingfire.prv
  admin_server = kerberos.seekingfire.prv
  default_domain = seekingfire.prv
 }

Now it's extremely unlikely that the lack of an admin_server= line in the
logging stanza would have any serious negative effect.

But, if the OP did /not/ set up DNS entries for Kerberos (and those are
only in a "note" subsection, making it look very optional), then an
admin_server line in the realms section might be needed if the OP wanted
to allow remote administration of the Kerberos database (including
password changes).

The relevant DNS entry is _kerberos-adm._tcp. Actually, with a full DNS
implementation, krb5.conf only needs to be:

[libdefaults]
      default_realm = EXAMPLE.ORG

Anyway, I now think that the sample krb5.conf given in the Handbook
should be changed to include an admin_server= line below the kdc= line.
It might also be worthwhile to expand the DNS section and throw some
better wording around it.

With the help of Giorgos I'll see if I can get the Kerberos5 section
revamped sometime soon.

-T


-- 
Page 41: Two of the most important Unix traditions are to share and to
help people.
	- Harley Hahn, _The Unix Companion_

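The message above argues that kadmin and password changes need an admin_server line in [realms] unless DNS publishes a _kerberos-adm._tcp SRV record for the realm. The following is an added example, written for this page and not taken from the FreeBSD Handbook, Heimdal, or the thread: a small Python checker that parses a krb5.conf and an optional BIND-style zone fragment and reports, per realm, whether the admin server can be located at all. The krb5.conf texts and the zone fragment are constructed samples; the SRV owner-name convention (_kerberos-adm._tcp.<realm, lowercased>) and the kadmin port 749/tcp are the conventional ones, and the parser handles only the subset of krb5.conf syntax the samples use.

```python
"""Does a krb5.conf realm have a way to reach its admin server?

Added example: not from the FreeBSD Handbook, Heimdal, or this mail thread.
It parses a krb5.conf and, optionally, the SRV records published in DNS
(given here as a BIND-style zone fragment) and reports for each realm
whether kadmin/kpasswd can locate the admin server: via an explicit
admin_server line in [realms], or via a _kerberos-adm._tcp.<realm> SRV
record. All krb5.conf and zone text below is constructed sample data.
"""
import re

# Constructed samples: the "kdc only" config the thread suspects bit the OP,
# the config with the admin_server line the message proposes, and the
# minimal DNS-only config.
KRB5_KDC_ONLY = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
    }
"""

KRB5_WITH_ADMIN = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
        default_domain = example.org
    }
"""

KRB5_MINIMAL = """
[libdefaults]
    default_realm = EXAMPLE.ORG
"""

# Constructed zone fragment for example.org (749/tcp is the usual kadmin port).
ZONE_WITH_SRV = """
_kerberos._udp.example.org.     IN SRV 0 0 88  kerberos.example.org.
_kerberos-adm._tcp.example.org. IN SRV 0 0 749 kerberos.example.org.
_kpasswd._udp.example.org.      IN SRV 0 0 464 kerberos.example.org.
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [section] headers,
    key = value lines, and one level of key = { ... } blocks (as in [realms]).
    Returns {section: {key: value}} where a block's value is itself a dict."""
    conf = {}
    section = None
    block = None            # dict being filled while inside "name = { ... }"
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # krb5.conf comments start with '#'
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError('key outside any section: %r' % raw)
        if line == '}':
            block = None
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError('malformed line: %r' % raw)
        key, value = key.strip(), value.strip()
        if value == '{':
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key in target:   # repeated keys (e.g. several kdc = lines) accumulate
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return conf


def parse_srv_records(zone_text):
    """Collect the owner names of SRV records in a BIND-style zone fragment.
    Only the owner name matters for this check; priority/weight/port/target
    are ignored."""
    names = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and 'SRV' in (f.upper() for f in fields[1:4]):
            names.add(fields[0].rstrip('.').lower())
    return names


def admin_server_sources(conf, srv_names):
    """For each realm, say how the admin server can be found:
    'admin_server' (explicit line), 'dns-srv' (SRV record), or None."""
    realms = dict(conf.get('realms', {}))
    default = conf.get('libdefaults', {}).get('default_realm')
    if default and default not in realms:
        realms[default] = {}   # realm known only by name: DNS must supply the rest
    result = {}
    for realm, settings in realms.items():
        if isinstance(settings, dict) and settings.get('admin_server'):
            result[realm] = 'admin_server'
        elif '_kerberos-adm._tcp.' + realm.lower() in srv_names:
            result[realm] = 'dns-srv'
        else:
            result[realm] = None
    return result


def check(conf_text, zone_text=''):
    """Convenience wrapper: krb5.conf text + zone text -> {realm: source}."""
    return admin_server_sources(parse_krb5_conf(conf_text),
                                parse_srv_records(zone_text))


if __name__ == '__main__':
    for label, conf, zone in (('kdc only, no DNS', KRB5_KDC_ONLY, ''),
                              ('admin_server set', KRB5_WITH_ADMIN, ''),
                              ('DNS-only config', KRB5_MINIMAL, ZONE_WITH_SRV)):
        for realm, how in check(conf, zone).items():
            print('%-18s %s: %s' % (label, realm, how or 'no admin server locatable'))
```

The "kdc only" sample with no SRV records is the configuration the message suspects the original poster had: the KDC is reachable, so kinit works, but kadmin and kpasswd have nothing to resolve the admin server from. Adding either the admin_server line or the _kerberos-adm._tcp SRV record makes the check pass, which is the point the message makes about the Handbook's DNS "note" looking optional when it is not.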


