Kerberos authentication
Kevin Ruddy
smiles at ferrari.nmc.ed.ray.com
Sat Dec 29 06:39:55 AEST 1990
I'm confused.
I recently installed Ultrix 4.1A on two DECstation 3100s. I have a question
about Hesiod, a question about sendmail, and a real problem with Kerberos.
I read (or thought I did) the BIND/Hesiod Guide. It didn't seem to mention
that I needed to add an HS NS RR anywhere, but I believe that I had to in
order to make it work. My question: do I also need an HS A RR? That
doesn't make much sense, but I've configured one in anyway for now.
Does the sendmail that comes with Ultrix (5.57, it claims) support MX
records? I have MX records for nodes without IP addresses, and letters that
are addressed to that node are being bounced. Our machine,
ferrari.nmc.ed.ray.com, is in the domain nmc.ed.ray.com. When I mail
user at sud.ed.ray.com (domain ed.ray.com), it goes through the $R relay. If I
mail user at sud (no domain specified), it bounces, saying "sud.tcp... 550
Host unknown". While it is reasonable to want fully-qualified names, I have
to support a large user organization that expects a "domain fall-through" --
if there's no host.nmc.ed.ray.com, try host.ed.ray.com, then host.ray.com ...
-- and now, for the problem with Kerberos.
I have two machines trying to use Kerberos. I'll explain my current
configuration. One is a master (ferrari.nmc.ed.ray.com), while the other is
a client (tif2.ed.ray.com).
I have an /etc/krb.conf on both machines that looks like this (without the
leading tab, of course):
ed.ray.com
ed.ray.com ferrari.nmc.ed.ray.com
I ran kdb_init on ferrari. I ran kdb_edit and added principals for "named"
and "hesiod". I ran ext_srvtab to generate a srvtab for both ferrari and
tif2. (I noticed tif2's was empty.) I also ran kstash.
My security level is at ENHANCED. I did not do BSD -> UPGRADE -> ENHANCED or
anything like that. During the initial installation, I just picked ENHANCED.
When I telnet to either machine, I get a "Kerberos initialization failure"
message. I get the same message when I use "su". I don't see any such
message when I log in on the console. (Perhaps it's not recognized by the
prompting program?)
When I start a Kerberos-authenticated named (bindsetup generated the line in
/etc/rc.local), it dies with a syslog message thus:
[date] localhost: [pid] named: bad krb_svc_int call 255
Also, when I make auth.ed.ray.com Hesiod queries from tif2 (the client
machine), I get a "Server failed" message. I think I read somewhere in TFM
that if named is not Kerberos-authenticated, it will not pass along auth
Hesiod information. Is this correct?
If anyone could help me out with these problems, I would greatly appreciate
it. I'm really stuck. Please mail me instead of posting, as I've gotten
mail working (I think!), but not news. I will gladly summarize if there's
any interest.
As an aside, does anyone know if DEC is planning to add Kerberos
authentication for users? I don't see a "klogin" utility or any of the fun
stuff I've seen at Athena. And it's unfortunate that there isn't a
kerbsetup utility to make this whole process easier, but I would suspect
that one is on its way.
Thanks in advance. Really.
Kevin Ruddy
smiles at ferrari.nmc.ed.ray.com
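The "domain fall-through" the poster describes (try host.nmc.ed.ray.com, then host.ed.ray.com, then host.ray.com) is the resolver search-list behaviour that sendmail would need to get from the system resolver. As an added illustration, not code from the post or from Ultrix sendmail/BIND, the following builds that candidate list and resolves a name against a constructed host table. The host table and record types are made up for the example; the domain names are the ones from the post.

```python
"""Domain fall-through ("search list") resolution, as an added illustration.

Constructed example, not code from the post or from Ultrix sendmail/BIND.
"""
from typing import Dict, List, Optional, Tuple

# Constructed host table standing in for DNS; these are not real records.
HOST_TABLE: Dict[str, str] = {
    "ferrari.nmc.ed.ray.com": "A",
    "sud.ed.ray.com": "MX",
    "mailhub.ray.com": "A",
}


def search_candidates(name: str, local_domain: str) -> List[str]:
    """Return the fully-qualified names to try for `name`, in order.

    A name ending in a dot is absolute and is tried as-is only.
    A name containing a dot is tried as-is first (it may already be
    fully qualified).  After that, the local domain and each of its
    parents is appended in turn, stopping before a bare top-level
    domain so that "sud.com" is never searched.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates: List[str] = []
    if "." in name:
        candidates.append(name)
    labels = local_domain.strip(".").split(".")
    while len(labels) >= 2:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    return candidates


def resolve(name: str, local_domain: str,
            table: Dict[str, str] = HOST_TABLE) -> Optional[Tuple[str, str]]:
    """Return (fully-qualified name, record type) for the first candidate
    present in `table`, or None when every candidate misses."""
    for candidate in search_candidates(name, local_domain):
        if candidate in table:
            return candidate, table[candidate]
    return None


if __name__ == "__main__":
    # "sud" from a host in nmc.ed.ray.com falls through to sud.ed.ray.com.
    print(search_candidates("sud", "nmc.ed.ray.com"))
    print(resolve("sud", "nmc.ed.ray.com"))
    print(resolve("nosuch", "nmc.ed.ray.com"))
```

Note that fall-through means a short name can silently land in a parent domain that the sender did not intend; a mailer that accepts or relays on the basis of the short name should record and act on the fully-qualified name that actually resolved, which is what `resolve` returns.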