ksu not working as expected

Kirk Strauser kirk at strauser.com
Wed Jun 30 15:25:11 PDT 2004


I've been migrating to Heimdal for authentication of the various services on 
my network.  Other kerberized commands (ssh, imtest, ldapsearch) work in 
the usual way, but I'm having problems getting ksu to play nicely.  First, 
yes, it is setuid on my system.

I currently have a TGT for the "kirk@HONEYPOT.NET" principal:

    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1000
            Principal: kirk@HONEYPOT.NET

I'm on the host "kanga.honeypot.net" which has a defined principal of 
"host/kanga.honeypot.net@HONEYPOT.NET" in /etc/krb5.keytab.  My user 
principal is present in .k5login in root's home directory:

    # cat ~/.k5login
    kirk@HONEYPOT.NET
    kirk/*@HONEYPOT.NET

However, when I try to use ksu to become root, I get this error unless I 
enter a password:

    $ ksu
    root's password:
    Sorry!

If I *do* enter root's real password, then I become root exactly as if I'd 
used su instead of ksu.  I'm kind of stuck at this point.  I have 
everything configured correctly from what I can tell, and this should 
certainly be a lot easier than, say, configuring OpenLDAP and SASL.  Any 
thoughts?
-- 
Kirk Strauser


More information about the freebsd-questions mailing list