path: root/doc/admin/admin_commands/sserver.rst
blob: 61826dfafd95eef5b646b6eb71c6577782508c1e (plain)
.. _sserver(8):

sserver
=======

SYNOPSIS
--------

**sserver**
[ **-p** *port* ]
[ **-S** *keytab* ]
[ *server_port* ]


DESCRIPTION
-----------

sserver and :ref:`sclient(1)` are a simple demonstration client/server
application.  When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication.  It makes a
good test that Kerberos has been successfully installed on a machine.

The service name used by sserver and sclient is sample.  Hence,
sserver will require that there be a keytab entry for the service
``sample/hostname.domain.name@REALM.NAME``.  This keytab is generated
using the :ref:`kadmin(1)` program.  The keytab file is usually
installed as |keytab|.

The **-S** option allows for a different keytab than the default.

sserver is normally invoked out of inetd(8), using a line in
``/etc/inetd.conf`` that looks like this:

 ::

    sample stream tcp nowait root /usr/local/sbin/sserver sserver

Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
like this:

 ::

    sample          13135/tcp

Before using sclient, you must have an entry in the Kerberos database,
created with :ref:`kadmin(1)`, and you must then obtain Kerberos
tickets with :ref:`kinit(1)`.  Also, if you are running sclient on a
different host than the sserver it will connect to, be sure that both
hosts have an entry in ``/etc/services`` for the sample tcp port, and
that the port number is the same in both files.

When you run sclient you should see something like this:

 ::

    sendauth succeeded, reply is:
    reply len 32, contents:
    You are nlgilman@JIMI.MIT.EDU


COMMON ERROR MESSAGES
---------------------

1) kinit returns the error:

    ::

       kinit: Client not found in Kerberos database while getting
           initial credentials

   This means that you didn't create an entry for your username in the
   Kerberos database.

2) sclient returns the error:

    ::

       unknown service sample/tcp; check /etc/services

   This means that you don't have an entry in /etc/services for the
   sample tcp port.

3) sclient returns the error:

    ::

       connect: Connection refused

   This probably means you didn't edit /etc/inetd.conf correctly, or
   you didn't restart inetd after editing inetd.conf.

4) sclient returns the error:

    ::

       sclient: Server not found in Kerberos database while using
           sendauth

   This means that the ``sample/hostname@LOCAL.REALM`` service was not
   defined in the Kerberos database; it should be created using
   :ref:`kadmin(1)`, and a keytab file needs to be generated to make
   the key for that service principal available for sclient.

5) sclient returns the error:

    ::

       sendauth rejected, error reply is:
           "No such file or directory"

   This probably means sserver couldn't find the keytab file.  It was
   probably not installed in the proper directory.
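
The setup steps and the errors listed above can be checked before running sclient.  The following script is an added example, not part of the krb5 sources: its function names are hypothetical, all file paths are supplied by the caller, and the sample files it builds are constructed from the lines shown in this page.  It also checks that the keytab is not world-readable, since a keytab holds the service's long-term key.

```shell
#!/bin/sh
# Added example (not part of the krb5 sources): pre-flight checks for sserver.
# Function names are hypothetical; file paths are passed in by the caller.

# Print the TCP port registered for the "sample" service; fail if none.
services_port() {
    awk '$1 == "sample" && $2 ~ /^[0-9]+\/tcp$/ {
             sub(/\/tcp$/, "", $2); print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Print the server program inetd would start for "sample"; fail if no entry.
inetd_server() {
    awk '$1 == "sample" && $2 == "stream" && $3 == "tcp" {
             print $6; found = 1; exit }
         END { exit !found }' "$1"
}

# Report "missing", "world-readable" or "ok" for a keytab file.
# A keytab holds the service's long-term key, so it must not be world-readable.
keytab_status() {
    if [ ! -f "$1" ]; then echo missing
    elif [ -n "$(find "$1" -prune -perm -004)" ]; then echo world-readable
    else echo ok
    fi
}

# Run all checks; print one hint per problem, return the number of problems.
preflight() {   # usage: preflight SERVICES_FILE INETD_CONF KEYTAB
    problems=0
    services_port "$1" >/dev/null ||
        { echo "no sample/tcp line in $1 (error 2)"; problems=$((problems + 1)); }
    inetd_server "$2" >/dev/null ||
        { echo "no sample entry in $2 (error 3)"; problems=$((problems + 1)); }
    [ "$(keytab_status "$3")" = ok ] ||
        { echo "keytab $3 is $(keytab_status "$3")"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample files, using the lines shown above.
demo=$(mktemp -d)
echo 'sample          13135/tcp' > "$demo/services"
echo 'sample stream tcp nowait root /usr/local/sbin/sserver sserver' > "$demo/inetd.conf"
: > "$demo/keytab"; chmod 600 "$demo/keytab"
preflight "$demo/services" "$demo/inetd.conf" "$demo/keytab" && echo "all checks passed"
rm -rf "$demo"
```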


SEE ALSO
--------

:ref:`sclient(1)`, services(5), inetd(8)