User talk:Haoqili
Thanks to Tom, Zhanna, and Will for helping me find the solutions.
Things to do
- fqdn = toiling-upward.mit.edu add those stuff in!
- -e encryption stuff
- little question 1
- little question 2 - exit
Kerberos Little Bugs I've encountered and fixed (started logging since Jun 24th).
- When trying to kinit username
- ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
- SOLUTION: make sure KDC is running. /usr/local/sbin/krb5kdc
- SOLUTION: 1. Check the log file. I looked in /var/log/auth.log. The bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exists. 2. sudo rm /var/tmp/krb5kdc_rcache.
- Can't start krb5kdc and in auth.log it says:
- ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
- SOLUTION: 1. See if it is true that port [#] is in use with netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. Kill the process: pkill -x krb5kdc. Note the "-x" is for matching exactly the process "krb5kdc".
- When changing password 'kpasswd', Cannot contact any KDC for realm [your realm fqdn]
- and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:
- ERROR:
- kadmind[6924]: No dictionary file specified, continuing without one.
- kadmind[6924]: setting up network...
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
- kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
- kadmind[6924]: set up 0 sockets
- kadmind[6924]: no sockets set up?
- Reason (provided by tlyu): It is trying to bind to a privileged port. You need to give it a different port number. Actually, two different port numbers: one for password changing and one for normal kadmin.
- SOLUTION:
- In kdc.conf inserted the last two lines here
- kdc_ports = 8888
- kpasswd_port = 8887
- kadmind_port = 8886
- In krb5.conf modify/insert the lines:
- admin_server = yourComputerName.domain:8886
- kpasswd_server = yourComputerName.domain:8887
- Purge key (kdb5_util purge_mkeys) gives an error
- ERROR:
- kdb5_util: Invalid argument while updating actkvno data for master principal entry
- SOLUTION:
- #you must activate the keys that have not been "used" like this:
- kdb5_util use_mkey kvno [time]
- #i.e. kdb5_util use_mkey 2 'now+2days'
- When running a kadmin command, it runs into an "operation requires xx privilege" error
- ERROR:
- $ kadmin -p haoqili/admin -w test123 -q 'listprincs'
- Authenticating as principal haoqili/admin with password.
- get_principals: Operation requires ``list'' privilege while retrieving list.
- SOLUTION:
- I didn't create my acl file yet. In kdc.conf, I have specified acl_file = /home/haoqili/kdcfiles/kadm5.acl and now I need to create the kadm5.acl
- #kadm5.acl, setting up my "admin" principal with all rights, i.e. *
- haoqili/admin *
- Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there was stderr output. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
- P.S. I later changed the line in my acl file to be */admin * to allow others
Python Bugs I've encountered and fixed
- When talking to the terminal shell, a command (in my case, kdb5_util add_mkey) asks for the password twice (the second time is confirmation). I first tried:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('password')
- (out2, err2) = p.communicate('password')
- When I ran it, I got a chunk of error that ends with: ValueError: I/O operation on closed file. So what happens is that communicate closes the pipe, it breaks (even if it only runs once).
- Solution code:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p.stdin.write('password'+'\n')
- p.stdin.write('password'+'\n')
- Note don't forget the new line at the end.
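The fix above, generalised as an added example (written for this page in Python 3, not code from the original notes): every prompt answer goes through a single communicate() call, and the second-call failure is reproduced. The child process is a constructed stand-in for a tool that prompts twice; `answer_prompts` and `second_communicate_error` are hypothetical names.

```python
import subprocess
import sys

# Constructed stand-in for a tool that asks for a password and then a
# confirmation on stdin (it is not kdb5_util).
CHILD = r'''
import sys
first = sys.stdin.readline().rstrip("\n")
second = sys.stdin.readline().rstrip("\n")
if not first or first != second:
    sys.exit("passwords do not match")
print("key added")
'''
PIPES = dict(stdin=subprocess.PIPE, stdout=subprocess.PIPE,
             stderr=subprocess.PIPE, text=True)

def answer_prompts(answers, timeout=10):
    """Send every answer in one communicate() call; return (rc, out, err).

    communicate() writes its input, closes stdin and waits for the child,
    so all answers go in together, each terminated by a newline. They
    travel over the pipe and never appear in the argument list.
    """
    proc = subprocess.Popen([sys.executable, "-c", CHILD], **PIPES)
    payload = "".join(a + "\n" for a in answers)
    try:
        out, err = proc.communicate(payload, timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()                      # child is still waiting for input
        out, err = proc.communicate()
    return proc.returncode, out, err

def second_communicate_error():
    """Reproduce the note's failure: communicate() with input, twice."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD], **PIPES)
    proc.communicate("abcde\n")          # stdin is closed after this call
    try:
        proc.communicate("abcde\n")
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print(answer_prompts(["abcde", "abcde"]))   # both prompts answered
    print(answer_prompts(["abcde", "abcdf"]))   # confirmation differs
    print(second_communicate_error())
```

Checking the return code here replaces the separate p.wait() call, because communicate() has already waited for the child.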
Tips. Useful little things to know
Kerberos
- Good link
- kadmin.local -q 'modprinc +needchange [princname]' , the flag needchange forces the principal to change its password upon kinit.
- kadmin.local -q 'modprinc -policy [policyname] [princname]' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.
- There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey
- AES has replaced Triple DES but there are still places that have Triple DES set as the default (such as in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile])
- Test date. Navigate to src/kadmin/cli
- delete 2nd argument in main of getdate.y
- rm getdate.c
- make getdate.c
- gcc -o datetest -DTEST getdate.c -I../../include
- ./datetest
- kadmind -nofork is useful in python because it tells it to wait first so that later processes can happen later and don't have to get timed out.
- l0b = self.parentpath+'kadmind -nofork'
- pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- print "kadmind -nofork"
- while (True):
-     l = pl0b.stderr.readline()
-     if not l: #EOF: kadmind exited before logging "starting"
-         break
-     if l.find("starting") > -1: #for kadmind: starting ...
-         print l.strip()
-         break
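A bounded version of the readiness wait above, as an added example in Python 3 (not code from the original notes): it waits for the "starting" line on stderr, gives up after a timeout, and returns at once if the daemon exits first, as in the port-binding failure logged earlier. Both child programs are constructed stand-ins for kadmind -nofork, and `start_and_wait` is a hypothetical name.

```python
import subprocess
import sys
import threading

# Constructed stand-ins for a daemon run in the foreground (not the real
# kadmind): one logs "starting" when ready, one fails before that.
READY_CHILD = ('import sys, time; time.sleep(0.2); '
               'sys.stderr.write("kadmind: starting...\\n"); '
               'sys.stderr.flush(); time.sleep(30)')
FAILING_CHILD = ('import sys; '
                 'sys.stderr.write("no sockets set up?\\n"); sys.exit(1)')

def start_and_wait(child_code, marker="starting", timeout=5.0):
    """Start the child; return (proc, ready, stderr_lines_seen)."""
    proc = subprocess.Popen([sys.executable, "-c", child_code],
                            stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE, text=True)
    state = {"ready": False, "lines": []}
    settled = threading.Event()

    def reader():
        for line in proc.stderr:         # loop ends at EOF (child exited)
            state["lines"].append(line.rstrip("\n"))
            if marker in line:
                state["ready"] = True
                settled.set()            # keep draining so the pipe never fills
        settled.set()                    # EOF reached without (or after) marker

    threading.Thread(target=reader, daemon=True).start()
    settled.wait(timeout)                # bounded, unlike a bare while True
    return proc, state["ready"], list(state["lines"])

if __name__ == "__main__":
    proc, ready, lines = start_and_wait(READY_CHILD)
    print(ready, lines)
    proc.kill()
    proc.wait()
    proc, ready, lines = start_and_wait(FAILING_CHILD)
    print(ready, lines, proc.wait())
```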
Shell
- The following characters have special meanings in grep or egrep:
- In egrep:
- | ^ $ . * + ? ( ) [ { } \
- In grep:
- ^ $ . * \( \) [ \{ \} \
- 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like blah 2> /dev/null puts blah's STDERR into /dev/null
- > overwrites, >> appends
- not see what's writing: ksh filename > writefilename 2>&1, the 2>&1 writes the errors as well
- see what's writing: ksh filename 2>&1 | tee writefilename
Python
Common Stuff
- Cannot do [print line for line in linelist] must have a function that prints the line, call it, printl(), and do [printl(line) for line in linelist]
More Specific Stuff
- p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('inputThing\n') <-- don't forget the return "\n" at the end!
- When you're doing a bunch of p=Popen('shell command') be careful because Popen starts a new branch so the next Popen might start without the previous one having completed. To fix this problem, put in:
- if int(p.wait()) != 0: #meaning that it's not executed
-     print "error message"
-     sys.exit(1) #needs "import sys"; a bare "exit" does nothing
- Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009
- Way 1:
- p = Popen(['command', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']
- if int(p.wait()) != 0:
-     print p.stdout.readlines()
- Way 2:
- p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']
- (out, err) = p.communicate('rest of command') #e.g. 'listprincs'
- print out
- Not type in a chunk of common code every time, i.e.
- p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
- This can be changed to:
- s = dict(stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p = Popen(cmd, **s)
- For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.
- p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
- The p.stdout.readlines() can be read only once
- Print current time in python:
- from time import strftime
- print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
- Output: current time: 2009-07-06 22:00:54
- Sleep for 7 seconds.
- import time
- time.sleep(7)
Errors Put Aside
- Adding the 1058th master key gives a memory error
- getdate.y has problems:
- /trunk/src/kadmin/cli$ ./datetest
- Enter date, or blank line to exit.
- > 6 months
- Sat Jan 9 14:22:36 2010
- > 12/31/2009
- Wed Dec 30 23:00:00 2009
- > 07/10/2009
- Thu Jul 9 23:00:00 2009
- > 01/01/2009
- Wed Dec 31 23:00:00 2008
- > 01/01/2009 00:00:00
- Wed Dec 31 23:00:00 2008
- Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
- for lines 283-289:
- print "Testing add_mkey with aes128 enctype
- =============================================="
- kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
- abcde
- abcde
- EOF
- kdb5_util list_mkeys
- print "Testing add_mkey with aes128 enctype done
- =============================================="
- The list_mkeys at the bottom is giving the following error:
- kdb5_util: Unable to decrypt latest master key with the provided master key
- while getting master key list
- kdb5_util: Warning: proceeding without master key list
- kdb5_util: master keylist not initialized