OK, as you pointed out, I didn't have a principal for the wallet server (it is also the KDC server). Adding the principal solved that problem. Now, for the same command:
$wallet -f keytab get keytab nfs/hostname.REALMNAME
wallet: username@REALMNAME not authorized to create keytab:nfs/host.REALMNAME
The remctld server says:
remctld: child 21836 for 172.16.8.190
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from username@REALMNAME (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 5
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from username@REALMNAME: wallet check keytab nfs/host.REALMNAME
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 10
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from username@REALMNAME: wallet autocreate keytab nfs/host.REALMNAME
remctld: error receiving token: unexpected end of file
remctld: child 21836 done
I checked my user's permissions by logging into kadmin as the user and executing get_privs:
current privileges: GET ADD MODIFY DELETE
So this user should have all the privileges; how is it that it is not authorized? Does it have anything to do with the wallet ACL?
________________________________________
From: Russ Allbery [rra@stan...]
Sent: 02 May 2012 00:47
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos@mit....
Subject: Re: Streamlining host principal keytab provisioning?
Sebastian Galiano <Sebastian.Galiano@spil...> writes:
> Slowly I'm managing to make some steps forward! :) ... Now I got the remctld
> running, and I added the wallet configuration into the krb5.conf (client
> side). But when I try to get a ticket I get the following error:
> $wallet -f keytab get keytab nfs/hostname.REALMNAME
> wallet: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Cannot contact any KDC for requested realm
This error message indicates that things are going wrong at the remctl
level. wallet is trying to get credentials for the wallet server, and
when doing so, it can't reach the KDC for the realm that it thinks the
wallet server is in.
This probably means that your domain_realm mapping for the wallet server
isn't correct, but may mean that you have problems reaching the KDC for
other reasons.
The default principal to which the wallet client will try to authenticate
is host/<hostname> where <hostname> is whatever you configured the wallet
server to be (--with-wallet-server on wallet's configure command or
configured in your krb5.conf file). You can try to get tickets for that
directly and duplicate the error with:
kvno host/<hostname>
kgetcred host/<hostname>
depending on what set of Kerberos tools you have installed. (The first is
MIT; the second, Heimdal).
--
Russ Allbery (rra@stan...) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit....
https://mailman.mit.edu/mailman/listinfo/kerberos