Subject: Re: kerberos with NetBSD 2.0
To: None <netbsd-help@netbsd.org>
From: Jukka Salmi <j+nbsd@2005.salmi.ch>
List: netbsd-help
Date: 07/11/2005 13:05:16
Thierry Lacoste --> netbsd-help (2005-07-11 12:31:59 +0200):
> I installed an apache server on 2.0. with SSL and mod_auth_kerb.
> I also installed pure-ftpd so that authors can upload their web pages.
> My plan is to make pure-ftpd use kerberos authentication and
> local identification (authors will have a local account with their home
> directory inside the directory  exported by apache).
> The problem is that I can't even su or login:
> 
> $ su - lacostet
> lacostet@MIAGE.UNIV-PARIS12.FR's Password:
> su: krb5_verify_user: failed to find 
> host/pegase.miage.univ-paris12.fr@MIAGE.UNIV-PARIS12.FR in keytab 
> FILE:/etc/krb5.keytab

What does `ktutil list' tell you?


> kinit works:
> 
> $ kinit lacostet
> lacostet@MIAGE.UNIV-PARIS12.FR's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> kinit: converting creds: Cannot contact any KDC for requested realm

If you don't use Kerberos IV you should probably set
`krb4_get_tickets = false' in your krb5.conf.


> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: lacostet@MIAGE.UNIV-PARIS12.FR
> 
>   Issued           Expires          Principal                                   
> Jul 11 12:07:03  Jul 11 22:07:03  
> krbtgt/MIAGE.UNIV-PARIS12.FR@MIAGE.UNIV-PARIS12.FR
> Jul 11 12:07:03  Jul 11 22:07:03  
> krbtgt/MIAGE.UNIV-PARIS12.FR@MIAGE.UNIV-PARIS12.FR

Twice? Hmm...


>    V4-ticket file: /tmp/tkt1000
> klist: No ticket file (tf_util)
> 
> Here's my /etc/krb5.conf:
> 
> $ more /etc/krb5.conf
> [libdefaults]
>  default_realm = MIAGE.UNIV-PARIS12.FR
> 
> [realms]
>  MIAGE.UNIV-PARIS12.FR = {
>   kdc = tse4
>   admin_server = tse4
>   default_domain = miage.univ-paris12.fr
>  }
> 
> [domain_realm]
>  .miage.univ-paris12.fr = MIAGE.UNIV-PARIS12.FR
>  miage.univ-paris12.fr = MIAGE.UNIV-PARIS12.FR

Should be fine AFAICT.


> On -current I have no such problem.
> Is it related to pam not being present on 2.0?

I don't think so.


Cheers, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
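As an added example (not part of the thread above), here is a small parser for the keytab file format that `ktutil list' reads, used to check whether the host/pegase.miage.univ-paris12.fr key that su complains about is actually present. It assumes the Heimdal/MIT 0x0502 keytab layout; the keytab bytes are constructed inline for the demo, not taken from the poster's machine.

```python
import struct

def _counted(buf, off):
    # 16-bit big-endian length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return every 'comp/comp@REALM' principal stored in a 0x0502 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, names = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size = deleted slot of -size bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type, timestamp, vno8 and the key block follow; not needed here
        names.append("/".join(comps) + "@" + realm.decode())
        off = end
    return names

def missing_host_principal(data, fqdn, realm):
    """True when host/<fqdn>@REALM is absent, i.e. the case su complained about."""
    return f"host/{fqdn}@{realm}" not in keytab_principals(data)

def _entry(comps, realm, key=b"\x00" * 8):
    # builds one keytab entry (name_type 1, fixed timestamp, vno 3, enctype 23)
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 1121081223, 3, 23, len(key)) + key
    return struct.pack(">i", len(body)) + body

FQDN, REALM = "pegase.miage.univ-paris12.fr", "MIAGE.UNIV-PARIS12.FR"
# constructed sample: a keytab that only holds an ftp/ service key, no host/ key
SAMPLE = b"\x05\x02" + _entry([b"ftp", FQDN.encode()], REALM.encode())
# constructed sample after the host key has been added (e.g. with `ktutil add')
FIXED = SAMPLE + _entry([b"host", FQDN.encode()], REALM.encode())
```

Run it against the real file with `keytab_principals(open("/etc/krb5.keytab", "rb").read())` as root; an empty list or one without the host/ entry reproduces the krb5_verify_user failure.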