Issues with rsh and kerberos
Rick Stevens
rstevens at vitalstream.com
Thu Feb 3 21:17:46 UTC 2005
Rick Stevens wrote:
> Waldher, Travis R wrote:
>
>>
>>> -----Original Message-----
>>> From: Rick Stevens [mailto:rstevens at vitalstream.com]
>>> Sent: Thursday, February 03, 2005 11:06 AM
>>> To: Getting started with Red Hat Linux
>>> Subject: Re: Issues with rsh and kerberos
>>>
>>>> I would bet that is the case. As the HP systems don't use MD5
>>>> anywhere.
>>>> Is there a way you know of, without changing the HP systems, to get
>>>> rid of that error? (I can see calls from users on this when we go to
>>>> the new NIS master running RHEL vs. the old running HP/UX.)
>>>
>>> Create and cache a Kerberos ticket on the HP/UX machine for the
>>> machine you're "rsh"ing from. You can use "krb5" to do this GUI-style, or
>>> use "kadmin" for command-line operations. I hope you understand how
>>> Kerberos works (realms, principals, etc.) or this will be VERY
>>> confusing to you.
>>
>> Ok... I just grabbed my bottle of aspirin.
>>
>> Is there someplace that would walk me through just dealing with this
>> particular problem? Or do I need to know more?
>
> There are several things that may or may not be significant for you. It
> depends on how kerberos was set up.

I should have mentioned that you may or may not need to specify a realm
or service in addition to your username (aka "principal"). Your
kerberos manager should be able to tell you. A complete Kerberos entity
looks like

    principal/service@realm

e.g. if I (as user Rick) want to perform something that requires root
access (the service) on a different Kerberos realm than my default, I'd
specify

    rick/root@otherrealm.com

Confused yet? :-D

> The easiest way to get a ticket is to do "kinit -f myusername". If you
> don't get an error, that means that the kerberos server on your network
> gave you a ticket. Your "rsh" should then work without the error. You
> may need to do "rsh -F" to make sure your credentials get forwarded to
> the server.
>
> If the "kinit -f" fails, try just "kinit myusername" (the "-f" means
> that you want forwardable credentials which is only supported in
> Kerberos V5 and later). Then try the "rsh" again. If the "rsh" fails,
> try "rsh -F" (capital F) to forward your non-forwardable credentials.
>
> Note that before you end your session, you should "kdestroy" to destroy
> any credentials you may have (even though they will expire eventually).
> Most people that have to use Kerberos put a "kinit" command in their
> shell's startup script (".bashrc", ".profile", etc.) and the "kdestroy"
> in their logout script (".bash_logout", etc.).
>
> See "man kerberos" for more info.
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
> - VitalStream, Inc. http://www.vitalstream.com -
> - -
> - su -; find / -name someone -exec touch \{\} \; -
> - - The UNIX way of touching someone -
> ----------------------------------------------------------------------
--
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Do not taunt the sysadmins, for they are subtle and quick to anger -
----------------------------------------------------------------------
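
The ticket life cycle described in the message above (kinit -f, fall back to plain kinit, rsh -F, then kdestroy) written as one shell function. This is an added example, not part of the original message; the name `krb_rsh` is hypothetical, and it destroys the ticket right after the remote command instead of at logout.

```shell
#!/bin/sh
# Added example, not from the original message. krb_rsh is a hypothetical name.
# Usage: krb_rsh PRINCIPAL HOST COMMAND [ARGS...]

krb_rsh() {
    if [ "$#" -lt 3 ]; then
        echo "usage: krb_rsh principal host command [args...]" >&2
        return 2
    fi
    # Refuse empty values or a leading "-", which kinit or rsh would
    # read as an option instead of a principal or host name.
    for arg in "$1" "$2"; do
        case $arg in
            ''|-*) echo "krb_rsh: bad principal or host: '$arg'" >&2; return 2 ;;
        esac
    done
    principal=$1
    host=$2
    shift 2

    # Ask for forwardable credentials first, then fall back to a plain ticket.
    if kinit -f "$principal"; then
        :
    elif kinit "$principal"; then
        echo "krb_rsh: kinit -f failed, using a plain ticket" >&2
    else
        echo "krb_rsh: no ticket obtained for $principal" >&2
        return 1
    fi

    # -F forwards the credentials to the server, as described in the message.
    status=0
    rsh -F "$host" "$@" || status=$?

    # Destroy the cached ticket whether or not rsh succeeded, so it does not
    # sit in the credential cache until it expires.
    kdestroy || echo "krb_rsh: kdestroy failed, check the ticket cache" >&2
    return "$status"
}
```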