LinuxQuestions.org
Old 02-20-2008, 06:19 PM   #1
cov
Member
 
Registered: Apr 2005
Location: Durban
Posts: 434

Rep: Reputation: 30
Kerberos initialisation error


I am having a great deal of difficulty getting an authentication scheme working for squid.

It seems that Kerberos is necessary to get this off the ground but the /etc/krb5.conf file generates the following error:
"Improper format of Kerberos configuration file while initializing context, aborting"

I have tried editing this file in the following manner:

============================================================================

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = REALM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
IQETD.LAN = {
kdc = iqBase.iqetd.lan:88
admin_server = iqBase.iqetd.lan:749
default_domain = iqBase.iqetd.lan
}
[domain_realm]
.iqetd.lan = IQETD.LAN
iqetd.lan = IQETD.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

=================================================================================


I have removed a little rant about obfuscated conf files because it serves no purpose, but, honestly, surely this deserves a prize as one of the most obscure configuration formats?

The error message is also completely uninformative; I'm assuming that the /etc/krb5.conf file is at fault?

Any assistance welcome.
 
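The "Improper format" error comes from libkrb5's profile parser, which rejects the file before any realm or KDC setting is looked at. As an added example (not the poster's code), here is a small Python parser for the same profile format, reporting the line at which a file would fail; the GOOD and BAD samples are constructed from the realm in the post above, not the poster's actual files.

```python
# Parser/validator for the krb5 profile format shared by /etc/krb5.conf and
# kdc.conf. GOOD/BAD are constructed samples modelled on the realm in post #1,
# not the poster's actual files.
import re

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def parse_profile(text):
    """Return {section: {key: value | nested dict}}; raise ValueError naming the
    line that makes libkrb5 report 'Improper format of Kerberos configuration file'."""
    sections, stack = {}, []            # stack[0] = current section, rest = { } blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        if (m := SECTION_RE.match(line)):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: '{{' block not closed before [{m[1]}]")
            stack = [sections.setdefault(m[1], {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
        elif (m := KV_RE.match(line)) and stack:
            key, value = m.groups()
            if value == "{":              # start of a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: expected 'key = value' inside a [section]: {line!r}")
    if len(stack) > 1:
        raise ValueError("end of file: '{' block not closed")
    return sections

def validate(text):
    """None if the profile parses, otherwise the parser's error message."""
    try:
        parse_profile(text)
        return None
    except ValueError as e:
        return str(e)

GOOD = ("[libdefaults]\ndefault_realm = IQETD.LAN\n[realms]\nIQETD.LAN = {\n"
        "kdc = iqBase.iqetd.lan:88\nadmin_server = iqBase.iqetd.lan:749\n}\n"
        "[domain_realm]\n.iqetd.lan = IQETD.LAN\n")
BAD = GOOD.replace("}\n", "")             # closing brace dropped: unclosed block
```

Running `validate()` over a real /etc/krb5.conf or kdc.conf points at the offending line, which libkrb5's one-line error does not.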
Old 02-21-2008, 07:11 AM   #2
cov
Member
 
Registered: Apr 2005
Location: Durban
Posts: 434

Original Poster
Rep: Reputation: 30
Okay, /etc/krb5kdc/kdc.conf had to be edited as below:
Code:
[kdcdefaults]
    kdc_ports = 750,88

[realms]
IQETD.LAN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:norma$
        default_principal_flags = +preauth
    }
Also I had to run "krb5_newrealm" to initialise the KDC database.

This gives the following useful tips:

Quote:
# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'IQETD.LAN',
master key name 'K/M@IQETD.LAN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
 
Old 02-21-2008, 07:58 AM   #3
cov
Member
 
Registered: Apr 2005
Location: Durban
Posts: 434

Original Poster
Rep: Reputation: 30
Don't let anyone tell you that configuring Kerberos is straightforward.

I'm using http://www.ornl.gov/~jar/HowToKerb.html, but it throws up more questions than it actually answers; it gives incorrect syntax and glosses over crucial configuration requirements with barely a mention. (I suspect it is some years out of date.)

If anyone knows of a reasonably straightforward walkthrough on installing this complete mess, please post it.
 
Old 02-26-2008, 02:43 AM   #4
cov
Member
 
Registered: Apr 2005
Location: Durban
Posts: 434

Original Poster
Rep: Reputation: 30
Oh, I get it!

The entire Kerberos project had been concocted in a pub by a group of BOFHs looking for a few cheap laughs watching would-be users floundering in a sea of disjointed and obfuscated TLAs (three-letter acronyms). Very amusing.

This project is a wind-up, isn't it?
 