From: Hans Insulander (hinstacken.kth.se)
Date: Thu May 02 2002 - 14:07:03 CDT

    Marcus Geiger <bwolfantbear.org> writes:

    > Hi,
    >
    > I'm trying to get a working kerberos setup on an OpenBSD 3.0 machine. I
    > encountered some strange behaviour while following some guides and
    > howtos. So I wonder what is the state of kerberosIV and kerberosV that
    > come with OpenBSD's base system?

    As has been answered several times on the mailing lists, OpenBSD 3.0 shipped
    with heimdal-0.3e which is very buggy. Please see the archives.
    Heimdal-0.4e which is shipped with OpenBSD-3.1 is much better.

    The FAQ is currently out of date and needs to be updated, or the erroneous
    information should be removed.

    > Here is what I did:
    >
    > 1) Followed the OpenBSD FAQ on setting up a kerberosIV server:
    >
    > Looks good up to the point when I try to get a ticket. I get the
    > following error:
    >
    > $ kinit
    > kinit: krb5_get_default_principal: no default realm configured
    >
    > Ok, then I read carefully the manual page on kinit and found out that
    > kauth should be the right version for kerberosIV. But I get the same
    > error (also forcing with kauth -4 doesn't help).
    >
    > Furthermore the info page on kth-krb doesn't seem to help here.

    Configure a default realm in /etc/kerberosV/krb5.conf, or do
    kinit username@YOUR.REALM

    Are you trying to set up a krb4 realm? Please don't! Krb4 is totally
    obsolete.

    > 2) Then I followed the heimdal info page and NetBSD's FAQ entry on
    > setting up a KerberosV server. This time I had more luck.
    > Setting it up went smoothly except encrypting the master key
    > using kstash. kstash seems to me linked against kerberosIV libraries
    > because I get the following error:
    >
    > kerb_dbl_init: couldn't open /etc/kerberosIV/principal.ok
    > open: No such file or directory

    Yes, kstash is for krb4. I've been too lazy to fix it, and nobody has given
    me a good explanation why it really adds anything.

    Please see the heimdal info page, I think it has a correct procedure for
    setting up a realm.

    > But what I can't figure out is how to get rshd up and running. I
    > enabled the corresponding inetd entry:

    I have no idea why it doesn't work. "It should work".

    I wouldn't recommend using the current rsh in OpenBSD - it's not encrypted.
    The easy fix would be to just take the one from heimdal and scrap the
    old one.
     
    > It seems to me that either I am doing something completely wrong or
    > OpenBSD's kerberos suites are a mix of version IV+V clients. Feel free
    > to correct me :) Any help is greatly appreciated.

    Well, yes, we support krb4 and krb5. What else could we do?
     
    > Oh I've searched the archives and google. I found some post from people
    > having the same problems but nobody responded to them.

    Oh, I've responded several times.

    -- 
    --- Hans Insulander <hinstacken.kth.se>, SM0UTY -----------------------
    Of all the things I've lost, I miss my mind the most.
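
Added example, not part of the original message and not Heimdal's own code: a shell check for the condition behind kinit's "no default realm configured" error, namely a krb5.conf with no `default_realm` set under `[libdefaults]`. The realm EXAMPLE.ORG, the host kdc.example.org, the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. EXAMPLE.ORG and kdc.example.org are constructed placeholders.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
# Returns 1 when none is set, the condition kinit reports as
# "no default realm configured".
krb5_default_realm() {
    awk '
        /^[ \t]*#/ { next }                     # ignore comment lines
        /^[ \t]*\[/ {                           # section header, e.g. [realms]
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        sect == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val != "") { print val; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Write two constructed sample configs into directory $1.
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
[libdefaults]
    # default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF
    cat > "$1/good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF
}

# Stand-alone use: sh check.sh /etc/kerberosV/krb5.conf
if [ "$#" -gt 0 ]; then
    krb5_default_realm "$1" || echo "no default realm configured in $1"
fi
```

The commented-out line in bad.conf is deliberate: a realm that appears only in a comment or only under `[realms]` does not give kinit a default.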