Chapter 14, Security, Kerberos V (admin_server).
Tillman Hodgson
tillman at seekingfire.com
Mon Oct 25 20:29:00 UTC 2004
On Fri, Oct 22, 2004 at 11:59:36PM +0200, Simon L. Nielsen wrote:
> On 2004.10.22 14:04:56 +0100, Lewis Thompson wrote:
>
> > I just got bitten by not having admin_server in my krb5.conf file. This
> > is not mentioned at all in the handbook and is surprisingly hard to
> > track down (maybe I was looking at the wrong logs ;). An addition
> > explaining what admin_server does would be very welcome.
>
> While improvements to the documentation are of course always welcome, I
> set up Kerberos (Heimdal from base) on 4.X and 5.X and it works fine
> with no admin_server setting...
I think I found the problem the OP had.
My krb5.conf contains the following bits that might apply:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [realms]
        SEEKINGFIRE.PRV = {
            kdc = kerberos.seekingfire.prv
            admin_server = kerberos.seekingfire.prv
            default_domain = seekingfire.prv
        }
Now it's extremely unlikely that the lack of an admin_server= line in the
logging stanza would have any serious negative effect.
But, if the OP did /not/ set up DNS entries for Kerberos (and those are
only in a "note" subsection, making it look very optional), then an
admin_server line in the realms section might be needed if the OP wanted
to allow remote administration of the Kerberos database (including
password changes).
The relevant DNS entry is _kerberos-adm._tcp. Actually, with a full DNS
implementation, krb5.conf only needs to be:
[libdefaults]
default_realm = EXAMPLE.ORG
Anyway, I now think that the sample krb5.conf given in the Handbook
should be changed to include an admin_server= line below the kdc= line.
It might also be worthwhile to expand the DNS section and throw some
better wording around it.
With the help of Giorgos I'll see if I can get the Kerberos5 section
revamped sometime soon.
-T
--
Page 41: Two of the most important Unix traditions are to share and to
help people.
- Harley Hahn, _The Unix Companion_
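Added example, not part of the original thread or of the FreeBSD Handbook: a minimal Python parser for the krb5.conf profile format, used to check where kadmin clients for the default realm will look for the admin server. It distinguishes the admin_server= entry in [realms] (a hostname) from the same-named entry in [logging] (a log destination), which is the distinction the message above draws, and when no [realms] admin_server is configured it names the _kerberos-adm._tcp SRV record that then has to exist in DNS. The hostnames, realm and log paths are the ones quoted above; the two config texts are constructed for the example, and the parser only covers the subset of the profile syntax used here.

```python
# Added example (not from the original thread): a minimal parser for the
# krb5.conf profile format, used to check where the admin server for a realm
# comes from. Hostnames and paths are the ones quoted in the post; the two
# config texts are constructed for illustration.
import re

# Constructed from the krb5.conf fragment quoted in the post, deliberately
# without an admin_server= line in the [realms] block.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SEEKINGFIRE.PRV

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[realms]
    SEEKINGFIRE.PRV = {
        kdc = kerberos.seekingfire.prv
        default_domain = seekingfire.prv
    }
"""

# The same file with the line the post proposes adding below kdc=.
FIXED_KRB5_CONF = SAMPLE_KRB5_CONF.replace(
    "        kdc = kerberos.seekingfire.prv\n",
    "        kdc = kerberos.seekingfire.prv\n"
    "        admin_server = kerberos.seekingfire.prv\n",
)

_SECTION_RE = re.compile(r"\[([^\]]+)\]")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values...] | {nested...}}}.

    Handles the subset used here: [section] headers, "key = value" lines
    (repeated keys accumulate in a list, as with multiple kdc= entries),
    "name = {" ... "}" nested blocks, and '#' / ';' comment lines.
    """
    root = {}
    stack = []  # dicts currently being filled; last one is innermost
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.fullmatch(line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("line %d: entry outside any section" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = stack[-1].setdefault(key, {})
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return root


def admin_server_source(conf, realm=None):
    """Report how kadmin clients will locate the admin server for a realm.

    Returns ("config", host) when [realms]/<realm>/admin_server is set, else
    ("dns", name) with the SRV record name that then has to exist in DNS.
    The admin_server= entry under [logging] is a log destination and is
    deliberately not consulted here.
    """
    if realm is None:
        realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        raise ValueError("no realm given and no default_realm in [libdefaults]")
    hosts = conf.get("realms", {}).get(realm, {}).get("admin_server")
    if hosts:
        return ("config", hosts[0])
    return ("dns", "_kerberos-adm._tcp." + realm)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_KRB5_CONF), ("with fix", FIXED_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(label, admin_server_source(conf))
        print("  [logging] admin_server ->", conf["logging"]["admin_server"][0])
```

Run as a script it prints the "dns" result for the config as posted and the "config" result once the admin_server= line is added under kdc=. When the result is "dns", the check to make on the server side is that the named SRV record actually resolves; a missing record and a missing admin_server= line fail in the same way from the client's point of view, which is why the omission is hard to track down in the logs.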