[Admin-ml] no kerberos

Jean-Luc Bailloeul jlbailloeul at irtsnpdc.fr
Mon 29 Jun 15:05:25 CEST 2009


At a glance, everything seems to be there. What does Kerberos say after a reboot?


> From: Bertrand Chatain <bertrand.chatain at zmirov.com>
> Reply-To: Administrateurs Systèmes sur Mac OS X <admin-ml at mosx.org>
> Date: Mon, 29 Jun 2009 12:43:28 +0200
> To: Administrateurs Systèmes sur Mac OS X <admin-ml at mosx.org>
> Subject: Re: [Admin-ml] no kerberos
> 
> Yes, that's exactly what was tripping it up.
> 
> I redid all the procedures after kerberizing my OD.
> 
> (The easymac site is inaccessible for me; is the tutorial in a secured
> area?)
> 
> zmirov:~ root# ls -l /var/db/krb5kdc
> total 456
> -rw------- 1 root wheel 30 3 avr 2008 .k5.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> -rw------- 1 root wheel 30 25 jui 23:48 .k5.ZMIROV.COM
> -rw------- 1 root wheel 89 25 jui 23:48 kadm5.acl
> -rw------- 1 root wheel 383 25 jui 23:48 kadm5.keytab
> -rw------- 1 root wheel 1225 25 jui 23:48 kdc.conf
> -rw------- 1 root wheel 106496 24 jui 12:30 principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> -rw------- 1 root wheel 8192 3 avr 2008 principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC.kadm5
> -rw------- 1 root wheel 0 24 jui 12:30 principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC.kadm5.lock
> -rw------- 1 root wheel 0 24 jui 12:30 principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC.ok
> -rw------- 1 root wheel 90112 25 jui 23:56 principal.ZMIROV.COM
> -rw------- 1 root wheel 8192 25 jui 23:48 principal.ZMIROV.COM.kadm5
> -rw------- 1 root wheel 0 25 jui 23:56 principal.ZMIROV.COM.kadm5.lock
> -rw------- 1 root wheel 0 25 jui 23:56 principal.ZMIROV.COM.ok
> zmirov:~ root#
> zmirov:~ root# dscl localhost
>> cd /LDAPv3/127.0.0.1/Config
> /LDAPv3/127.0.0.1/Config > ls
> CIFSServer
> CollabServices
> Group_Dir_Items
> Home_Dir_Items
> KerberosClient
> KerberosKDC
> ldapreplicas
> macosxodconfig
> macosxodpolicy
> mcx_cache
> passwordserver
> passwordserver_XXXXXXXXXXXXXXXXXXXXXXXX
> /LDAPv3/127.0.0.1/Config >
> <dict>
> <key>edu.mit.kerberos</key>
> <dict>
> <key>domain_realm</key>
> <dict>
> <key>.com</key>
> <string>ZMIROV.COM</string>
> <key>com</key>
> <string>ZMIROV.COM</string>
> </dict>
> <key>libdefaults</key>
> <dict>
> <key>default_realm</key>
> <string>ZMIROV.COM</string>
> </dict>
> <key>realms</key>
> <dict>
> <key>ZMIROV.COM</key>
> <dict>
> <key>KADM_List</key>
> <array>
> <string>zmirov.com</string>
> </array>
> <key>KDC_List</key>
> <array>
> <string>zmirov.com</string>
> </array>
> </dict>
> </dict>
> </dict>
> <key>generationID</key>
> <integer>102374203</integer>
> </dict>
> </plist>
> 
> 
> /LDAPv3/127.0.0.1/Config > read KerberosKDC
> dsAttrTypeNative:apple-config-realname: ZMIROV.COM
> dsAttrTypeNative:apple-kdc-configdata:
> [libdefaults]
> default_realm = ZMIROV.COM
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
> [realms]
> ZMIROV.COM = {
> kadmind_port = 749
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> acl_file = /var/db/krb5kdc/kadm5.acl
> admin_keytab = /var/db/krb5kdc/kadm5.keytab
> database_name = /var/db/krb5kdc/principal.ZMIROV.COM
> key_stash_file = /var/db/krb5kdc/.k5.ZMIROV.COM
> }
> LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC = {
> kadmind_port = 749
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> acl_file = /var/db/krb5kdc/kadm5.acl
> admin_keytab = /var/db/krb5kdc/kadm5.keytab
> database_name = /var/db/krb5kdc/principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> key_stash_file = /var/db/krb5kdc/.k5.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> }
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
> dsAttrTypeNative:cn: KerberosKDC
> dsAttrTypeNative:objectClass: apple-configuration top
> AppleMetaNodeLocation: /LDAPv3/127.0.0.1
> KDCConfigData:
> [libdefaults]
> default_realm = ZMIROV.COM
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
> [realms]
> ZMIROV.COM = {
> kadmind_port = 749
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> acl_file = /var/db/krb5kdc/kadm5.acl
> admin_keytab = /var/db/krb5kdc/kadm5.keytab
> database_name = /var/db/krb5kdc/principal.ZMIROV.COM
> key_stash_file = /var/db/krb5kdc/.k5.ZMIROV.COM
> }
> LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC = {
> kadmind_port = 749
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> master_key_type = des3-hmac-sha1
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> acl_file = /var/db/krb5kdc/kadm5.acl
> admin_keytab = /var/db/krb5kdc/kadm5.keytab
> database_name = /var/db/krb5kdc/principal.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> key_stash_file = /var/db/krb5kdc/.k5.LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC
> }
> [logging]
> kdc = FILE:/var/log/krb5kdc/kdc.log
> admin_server = FILE:/var/log/krb5kdc/kadmin.log
> RealName: ZMIROV.COM
> RecordName: KerberosKDC
> RecordType: dsRecTypeStandard:Config
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 3 kadmin/admin at ZMIROV.COM
> 2 3 kadmin/admin at ZMIROV.COM
> 3 3 kadmin/admin at ZMIROV.COM
> 4 3 kadmin/changepw at ZMIROV.COM
> 5 3 kadmin/changepw at ZMIROV.COM
> 6 3 kadmin/changepw at ZMIROV.COM
> 7 3 kadmin/admin at ZMIROV.COM
> 8 3 kadmin/admin at ZMIROV.COM
> 9 3 kadmin/admin at ZMIROV.COM
> 10 3 kadmin/changepw at ZMIROV.COM
> 11 3 kadmin/changepw at ZMIROV.COM
> 12 3 kadmin/changepw at ZMIROV.COM
> ktutil:
> Last login: Fri Jun 26 14:14:06 on ttys001
> zmirov:~ root# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 3 afpserver/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (Triple DES cbc mode with HMAC/sha1)
> 3 afpserver/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (ArcFour with HMAC/md5)
> 3 afpserver/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (DES cbc mode with CRC-32)
> 3 cifs/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (Triple DES cbc mode with HMAC/sha1)
> 3 cifs/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (ArcFour with HMAC/md5)
> 3 cifs/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (DES cbc mode with CRC-32)
> 3 vnc/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (Triple DES cbc mode with HMAC/sha1)
> 3 vnc/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (ArcFour with HMAC/md5)
> 3 vnc/LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC@LKDC:SHA1.AEBCEF0FB60F99A224B51E0EFFB8CD89689BAEAC (DES cbc mode with CRC-32)
> 3 fcsvr/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 fcsvr/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 fcsvr/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 pcast/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 pcast/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 pcast/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 vnc/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 vnc/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 vnc/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 cifs/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 cifs/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 cifs/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 ldap/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 ldap/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 ldap/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 xgrid/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 xgrid/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 xgrid/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 vpn/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 vpn/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 vpn/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 ipp/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 ipp/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 ipp/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 xmpp/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 xmpp/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 xmpp/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 XMPP/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 XMPP/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 XMPP/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 host/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 host/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 host/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 smtp/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 smtp/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 smtp/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 nfs/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 nfs/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 nfs/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 http/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 http/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 http/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 HTTP/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 HTTP/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 HTTP/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 pop/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 pop/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 pop/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 imap/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 imap/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 imap/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 ftp/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 ftp/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 ftp/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> 3 afpserver/zmirov.com at ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
> 3 afpserver/zmirov.com at ZMIROV.COM (ArcFour with HMAC/md5)
> 3 afpserver/zmirov.com at ZMIROV.COM (DES cbc mode with CRC-32)
> zmirov:~ root#
> Last login: Fri Jun 26 14:15:13 on ttys002
> zmirov:~ root# kinit bertrandchatain
> Please enter the password for bertrandchatain at ZMIROV.COM:
> zmirov:~ root#
> zmirov:~ root# klist -5
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: bertrandchatain at ZMIROV.COM
> Valid Starting Expires Service Principal
> 06/26/09 14:15:47 06/27/09 00:15:46 krbtgt/ZMIROV.COM at ZMIROV.COM
> renew until 07/03/09 14:15:46
> zmirov:~ root#
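An added example, not code from this thread, from Apple or from the list, that turns the "is everything there?" question above into a repeatable check. It parses a kdc.conf-style block like the apple-kdc-configdata quoted in the reply and a `klist -ke` listing, confirms that default_realm names a realm that is actually defined, lists realms for which the keytab holds no keys, flags single-DES enctypes the KDC still offers (the quoted config lists des-cbc-crc:normal and des-cbc-crc:v4), and checks that the database, stash, ACL and admin keytab files named for each realm exist on disk. The sample inputs are constructed from the thread's output and shortened; the realm EXAMPLE.TEST is made up to exercise the missing-keys finding.

```python
"""Consistency checks for a KDC config block against `klist -ke` output.
Added example, not code from the Admin-ml thread or from Apple. Sample inputs
are constructed from the thread's output; realm EXAMPLE.TEST is made up."""
import os
import re
from collections import defaultdict

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES, RFC 6649
KLIST_ENCTYPE_NAMES = {  # klist's human-readable names -> krb5 enctype ids
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

def parse_kdc_conf(text):
    """MIT krb5 profile -> {section: {key: value}}; `name = { ... }` nests a dict."""
    conf = defaultdict(dict)
    section = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":            # start of a realm sub-block
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = value
        else:
            conf[section][key] = value
    return dict(conf)

def parse_klist_ke(text):
    """`klist -ke` output -> [(kvno, principal, enctype)]."""
    entry = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
    found = [entry.match(line) for line in text.splitlines()]
    return [(int(m.group(1)), m.group(2), KLIST_ENCTYPE_NAMES.get(m.group(3), m.group(3)))
            for m in found if m]

def audit(conf, keytab):
    """Cross-check realms, offered enctypes and keytab contents."""
    realms = conf.get("realms", {})
    weak_kdc = {}
    for realm, settings in realms.items():
        offered = {e.split(":")[0] for e in settings.get("supported_enctypes", "").split()}
        if offered & WEAK_ENCTYPES:
            weak_kdc[realm] = sorted(offered & WEAK_ENCTYPES)
    keytab_realms = {principal.rpartition("@")[2] for _, principal, _ in keytab}
    return {
        "default_realm_defined": conf.get("libdefaults", {}).get("default_realm") in realms,
        "weak_kdc_enctypes": weak_kdc,
        "realms_without_keys": sorted(r for r in realms if r not in keytab_realms),
        "weak_keytab_keys": [p for _, p, e in keytab if e in WEAK_ENCTYPES],
    }

def missing_kdc_files(conf, exists=os.path.exists):
    """(realm, setting, path) for realm files absent on disk; `exists` is injectable."""
    missing = []
    for realm, settings in conf.get("realms", {}).items():
        for key in ("database_name", "key_stash_file", "acl_file", "admin_keytab"):
            path = settings.get(key)
            if path and not exists(path):
                missing.append((realm, key, path))
    return missing

SAMPLE_KDC_CONF = """\
[libdefaults]
default_realm = ZMIROV.COM
[realms]
ZMIROV.COM = {
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
acl_file = /var/db/krb5kdc/kadm5.acl
admin_keytab = /var/db/krb5kdc/kadm5.keytab
database_name = /var/db/krb5kdc/principal.ZMIROV.COM
key_stash_file = /var/db/krb5kdc/.k5.ZMIROV.COM
}
EXAMPLE.TEST = {
supported_enctypes = aes256-cts-hmac-sha1-96:normal
}
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
"""
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 ldap/zmirov.com@ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
   3 ldap/zmirov.com@ZMIROV.COM (ArcFour with HMAC/md5)
   3 ldap/zmirov.com@ZMIROV.COM (DES cbc mode with CRC-32)
   3 host/zmirov.com@ZMIROV.COM (Triple DES cbc mode with HMAC/sha1)
"""

if __name__ == "__main__":
    conf = parse_kdc_conf(SAMPLE_KDC_CONF)
    for name, value in audit(conf, parse_klist_ke(SAMPLE_KLIST)).items():
        print(f"{name}: {value}")
    print("missing files:", missing_kdc_files(conf))
```

Run as a script it reports on the constructed samples; on a real server, feed the text of `dscl localhost read /LDAPv3/127.0.0.1/Config/KerberosKDC` (the KDCConfigData part) and of `klist -ke` to the two parsers. The `exists` argument of `missing_kdc_files` is injectable so the file check can be exercised without touching `/var/db/krb5kdc`.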




More information about the Admin-ml mailing list