Issues with rsh and kerberos

Rick Stevens rstevens at vitalstream.com
Thu Feb 3 20:05:28 UTC 2005


Waldher, Travis R wrote:
> 
>>-----Original Message-----
>>From: Rick Stevens [mailto:rstevens at vitalstream.com]
>>Sent: Thursday, February 03, 2005 11:06 AM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Issues with rsh and kerberos
>>
>>>I would bet that is the case.  As the HP systems don't use MD5 anywhere.
>>>Is there a way you know of, without changing the HP systems, to get rid
>>>of that error?  (I can see calls from users on this when we go to the
>>>new NIS master running RHEL vs. the old running HP/UX.)
>>
>>Create and cache a Kerberos ticket on the HP/UX machine for the machine
>>you're "rsh"ing from.  You can use "krb5" to do this GUI-style, or
>>use "kadmin" for command-line operations.  I hope you understand how
>>Kerberos works (realms, principals, etc.) or this will be VERY confusing
>>to you.
> 
> Ok... I just grabbed my bottle of aspirin.
> 
> Is there someplace that would walk me through with just dealing this
> particular problem? Or do I need to know more.

There are several things that may or may not be significant for you.  It
depends on how Kerberos was set up.

The easiest way to get a ticket is to do "kinit -f myusername".  If you
don't get an error, that means that the Kerberos server on your network
gave you a ticket.  Your "rsh" should then work without the error.  You
may need to do "rsh -F" to make sure your credentials get forwarded to
the server.

If the "kinit -f" fails, try just "kinit myusername" (the "-f" means
that you want forwardable credentials which is only supported in
Kerberos V5 and later).  Then try the "rsh" again.  If the "rsh" fails,
try "rsh -F" (capital F) to forward your non-forwardable credentials.

Note that before you end your session, you should "kdestroy" to destroy
any credentials you may have (even though they will expire eventually).
Most people that have to use Kerberos put a "kinit" command in their
shell's startup script (".bashrc", ".profile", etc.) and the "kdestroy" 
in their logout script (".bash_logout", etc.).

See "man kerberos" for more info.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-          su -; find / -name someone -exec touch \{\} \;            -
-                          - The UNIX way of touching someone        -
----------------------------------------------------------------------
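
The kinit/rsh sequence described above, as an added example that is not part of the original message: it checks "klist -f" output for the forwardable (F) flag on the ticket-granting ticket before deciding whether "kinit -f" is needed. The function names, the realm EXAMPLE.COM and the host name are assumptions, and the parser assumes MIT Kerberos "klist -f" output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos "klist -f",
# which prints a "Flags: <letters>" line after each ticket entry.

# Reads "klist -f" output on stdin. Succeeds only if the ticket-granting
# ticket (service principal krbtgt/...) carries the F (forwardable) flag.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }        # TGT entry line
        in_tgt && /Flags:/ {
            sub(/.*Flags:[ \t]*/, "")          # keep only the flag letters
            if (index($0, "F") > 0) found = 1  # "f" (forwarded) does not count
            in_tgt = 0; next
        }
        /^[0-9]/ { in_tgt = 0 }                # a different ticket entry starts
        END { exit(found ? 0 : 1) }
    '
}

# Hypothetical wrapper: get a forwardable ticket only when the cache lacks
# one, then run the Kerberized rsh with credential forwarding.
krb_rsh() {
    host=$1; shift
    if ! klist -f 2>/dev/null | tgt_is_forwardable; then
        kinit -f || return 1                   # prompts for the password
    fi
    rsh -F "$host" "$@"
}

# Constructed sample output (realm, host and times are made up).
sample_forwardable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: myusername@EXAMPLE.COM

Valid starting     Expires            Service principal
02/03/05 12:00:00  02/03/05 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
EOF
}
sample_not_forwardable() {
    cat <<'EOF'
Valid starting     Expires            Service principal
02/03/05 12:00:00  02/03/05 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: fA
02/03/05 12:05:00  02/03/05 22:00:00  host/hpux1.example.com@EXAMPLE.COM
        Flags: A
EOF
}
```

The wrapper leaves the ticket cache in place so that later commands can reuse it; "kdestroy" still belongs in the logout script as described in the message.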




More information about the Redhat-install-list mailing list