Authen Krb5 Admin Error
Module Version: 0.17

NAME

Authen::Krb5::Admin - Perl extension for MIT Kerberos 5 admin interface

SYNOPSIS

    use Authen::Krb5::Admin;
    use Authen::Krb5::Admin qw(:constants);

DESCRIPTION

The Authen::Krb5::Admin Perl module is an object-oriented interface to the Kerberos 5 admin server. Currently only MIT KDCs are supported, but the author envisions seamless integration with other KDCs.

The following classes are provided by this module:

    Authen::Krb5::Admin             handle for performing kadmin operations
    Authen::Krb5::Admin::Config     kadmin configuration parameters
    Authen::Krb5::Admin::Key        key data from principal object
    Authen::Krb5::Admin::Policy     kadmin policies
    Authen::Krb5::Admin::Principal  kadmin principals

Configuration Parameters, Policies, and Principals

Before performing kadmin operations, the programmer must construct objects to represent the entities to be manipulated. Each of the classes

    Authen::Krb5::Admin::Config
    Authen::Krb5::Admin::Key
    Authen::Krb5::Admin::Policy
    Authen::Krb5::Admin::Principal

has a constructor new which takes no arguments (except for the class name). The new object may be populated using accessor methods, each of which is named for the C struct element it represents.

Methods always return the current value of the attribute, except for the policy_clear method, which returns nothing. If a value is provided, the attribute is set to that value, and the new value is returned.

All attributes may be modified in each object, but read-only attributes will be ignored when performing kadmin operations. These attributes are indicated in the documentation for their accessor methods.

Each of the C functions that manipulate kadm5 principal and policy structures takes a mask argument to indicate which fields should be taken into account. The Perl accessor methods take care of the mask for you, assuming that when you change a value, you will eventually want it changed on the server. Flags for the read-only fields do not get set automatically because they would result in a bad mask error when performing kadmin operations.

Some writable attributes are not allowed to have their masks set for certain operations. For example, KADM5_POLICY may not be set during a create_principal operation, but since the Perl module sets that flag automaticall
http://search.cpan.org/~sjquinney/Authen-Krb5-Admin/Admin.pm

http://docs.oracle.com/cd/E19253-01/816-4557/6maosrk17/index.html

Chapter 24 Kerberos Error Messages and Troubleshooting

This chapter provides resolutions for error messages that you might receive when you use the Kerberos service. This chapter also provides some troubleshooting tips for various problems. This is a list of the error message and troubleshooting information in this chapter.

    SEAM Administration Tool Error Messages
    Common Kerberos Error Messages (A-M)
    Common Kerberos Error Messages (N-Z)
    Problems With the Format of the krb5.conf File
    Problems Propagating the Kerberos Database
    Problems Mounting a Kerberized NFS File System
    Problems Authenticating as root
    Observing Mapping from GSS Credentials to UNIX Credentials

Kerberos Error Messages

This section provides information about Kerberos error messages, including why each error occurs and a way to fix it.

SEAM Administration Tool Error Messages

Unable to view the list of principals or policies; use the Name field.

Cause: The admin principal that you logged in with does not have the list privilege (l) in the Kerberos ACL file (kadm5.acl). So, you cannot view the principal list or policy list.

Solution: You must type the principal and policy names in the Name field to work on them, or you need to log in with a principal that has the appropriate privileges.

JNI: Java array creation failed
JNI: Java class lookup failed
JNI: Java field lookup failed
JNI: Java method lookup failed
JNI: Java object lookup failed
JNI: Java object field lookup failed
JNI: Java string access failed
JNI: Java string creation failed

Cause: A serious problem exists with the Java Native Interface that is used by the SEAM Administration Tool (gkadmin).

Solution: Exit gkadmin and restart it. If the problem persists, please report a bug.

Common Kerberos Error Messages (A-M)

This section provides an alphabetical list (A-M) of common error messages for the Kerberos commands, Kerberos daemons, PAM framework, GSS interface, the NFS service, and the Kerberos library.

A
https://web.mit.edu/kerberos/krb5-1.4/krb5-1.4/doc/krb5-admin.html

Copyright

Copyright © 1985-2002 by the Massachusetts Institute of Technology.

Export of software employing encryption from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR

https://www.mail-archive.com/kerberos@mit.edu/msg08163.html
Authen::Krb5::parse_name($uid);

    # if principal exists, blast it away!
    if ( $kadm5->get_principal($krb5_princ) ) {
        $kadm5->delete_principal( $krb5_princ );
    } else {
        # principal not found
    }
}

sub KERB_change_password {
    my ( $kadm5, $uid, $password ) = @_;

    my $principal = Authen::Krb5::parse_name($uid);
    my $kerb_admin_principal = Authen::Krb5::Admin::Principal->new;
    $kerb_admin_principal->principal($principal);

    if ( $kadm5->get_principal($principal) ) {
        $kadm5->chpass_principal( $principal, $password );
    } else {
        # principal doesn't exist
    }
}

On Fri, 2005-04-08 at 17:23, FM wrote:
> Thank you !
> Based on your script, I'll try to create a KERB_del_principal and a
> KERB_update_password subs
>
> reg,
>
> Jason T Hardy wrote:
> > This is a simple adduser script that authenticates the admin principal
> > with a keytab. You should search CPAN for Krb5:Admin; there are plenty
> > of useful examples there. Note: I've removed most of the error handling
> > here, so don't use this code without first cleaning it up.
> >
> > Jason
> >
> > ----
> >
> > use Authen::Krb5::Admin qw(:constants);
> > use Authen::Krb5;
> >
> > sub setup_krb5 {
> >     my $krb5context;
> >     eval {
> >         $krb5context = Authen::Krb5::init_context();
> >         Authen::Krb5::init_ets();
> >     };
> >
> >     if ( $@ ) {
> >         warn $@;
> >     }
> >
> >     return $krb5context;
> > }
> >
> > sub setup_kadmin {
> >     my ( $krb_admin_princ, $krb_admin_keytab ) = @_;
> >
> >     my $kadm5 =
> >         Authen::Krb5::Admin->init_with_skey( $krb_admin_princ,
> >             $krb_admin_keytab )
> >         or die Authen::Krb5::Admin::error;
> >
> >     return $kadm5;
> > }
> >
> >
> > sub KERB_add_principal {
> >     my ( $kadm5, $uid, $userPassword ) = @_;
> >     my $krb5_princ;
> >
> >     # get valid kerb5 principal from uid
> >     $krb5_princ = Authen::Krb5::parse_name($uid)
> >         or die Authen::Krb5::error;
> >
> >     # get a new principal object
> >     my $kadm5_princ = Authen::Krb5::Admin::Principal->new
> >         or die Authen::Krb5::error;
> >
> >     # set the value of the new principal's principal name
> >     $kadm5_princ->principal($krb5_princ)
> >         or die Authen::Krb5::error;
> >
> >     # if principal does not exist, ok to create...
> >     if ( !$kadm5->get_principal($krb5_princ) ) {
> >         # set the value of the principals policy
> >         $kadm5_princ->policy( "default" )
> >             or die Authen::Krb5::Admin::error;
> >
> >         # modify principal's pw expiration
> >         $kadm5_princ->pw_expiration( time