mit kerberosv5 1.2.7 - kadmin won't connect - please help
Yan
ymercier at mxtest.homedns.org
Mon Mar 31 13:18:27 EST 2003
Here are the messages I exchanged with Srini
from the newsgroup; the problem remains unsolved.
Looking forward to more help.
Yan
Hi group,
I compiled it from source on Solaris8.
I followed the installation guide, created an admin
principal, an ACL, filled krb5.conf and kdc.conf.
The installation has /opt/k5 for --prefix so I created
/opt/k5/etc and /opt/k5/var manually to put my config
files.
When starting krb5kdc this port appears :
-begin-------------------------------------------------------
UDP: IPv4
192.168.0.8.88 Idle
-end-------------------------------------------------------
and the ports for kadmind :
-begin-------------------------------------------------------
UDP: IPv4
*.464 Idle
TCP: IPv4
*.749 *.* 0 0 24576 0 LISTEN
-end-------------------------------------------------------
So I assume my servers are up and running, the procs
are in ps -ef output as well.
kadmin.local works; here is the getprincs output:
-begin-------------------------------------------------------
kadmin.local: getprincs
K/M@NEOTOKYO.COM
kadmin/admin@NEOTOKYO.COM
kadmin/changepw@NEOTOKYO.COM
kadmin/history@NEOTOKYO.COM
krbtgt/NEOTOKYO.COM@NEOTOKYO.COM
yan/admin@NEOTOKYO.COM
-end-------------------------------------------------------
I found while googling that someone has had this problem
before, and he was told to make sure that its host file was
configured to have the FQDN of the machine appearing first
in the host file for that IP. It didn't solve my problem.
Here's the problem:
-begin-------------------------------------------------------
sun2# kadmin -p yan/admin@NEOTOKYO.COM
Authenticating as principal yan/admin@NEOTOKYO.COM with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
-end-------------------------------------------------------
Here is my krb5.conf file :
-begin-------------------------------------------------------
[libdefaults]
ticket_lifetime = 600
default_realm = NEOTOKYO.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
NEOTOKYO.COM = {
kdc = SUN2.NEOTOKYO.COM
admin_server = SUN2.NEOTOKYO.COM
default_domain = NEOTOKYO.COM
}
[domain_realm]
.neotokyo.com = NEOTOKYO.COM
neotokyo.com = NEOTOKYO.COM
[logging]
kdc = FILE:/opt/k5/var/krb5kdc/kdc.log
admin_server = FILE:/opt/k5/var/krb5kdc/kadmin.log
-end-------------------------------------------------------
Neither kdc.log nor kadmind.log are showing anything
special, not even the connection requests.
You can reach me at ymercier at mxtest.homedns.org if you wish
to help
Yannick
________________________________________________
----------------------
Hi,
Try to get the TGT first by giving the command "kinit <principal name>".
Did you update the /etc/services file with the following services:
kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
eklogin 2105/tcp # Kerberos encrypted rlogin
Also what does your kdc.conf look like and where(path) is it exactly.
Good Luck,
Srini
-------------------
Hi,
my /etc/services wasn't updated so I added the entries you specified
below, thank you
The problem is still here though :
-begin-------------------------------
sun2# kinit -V yan/admin@NEOTOKYO.COM
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
-end-------------------------------
Here is my kdc.conf :
-begin-------------------------------
sun2# pwd
/opt/k5/var/krb5kdc
sun2# cat kdc.conf
[kdcdefaults]
kdc_ports = 88
[realms]
NEOTOKYO.COM = {
database_name = /opt/k5/var/krb5kdc/principal
key_stash_file = /opt/k5/var/krb5kdc/.k5.NEOTOKYO.COM
kadmind_port = 749
admin_keytab = /opt/k5/var/krb5kdc/kadm5.keytab
acl_file = /opt/k5/var/krb5kdc/kadm5.acl
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
}
sun2#
-end----------------------------------------------
---------------------
Hi Yan,
I think it is unable to locate the kdc. Where is your krb5.conf?
- it is currently in /opt/k5/etc - I think it is used by kadmin when connecting
- because I tested it changing the hostname of the kdc in there and sniffing the
- network, I see kadmin trying to connect to the other machine. The thing I
- found strange is that it is trying to connect to a udp port which is not
- listening on the server. I have not specified any port in the config files, I
- assumed the client and server would use the default ports..
Copy the krb5.conf to /etc and check. Then please try to kill the krb5kdc and
start it again.
- I'll try that this evening when back at home.
Are you able to ping SUN2.NEOTOKYO.COM?
- Yep, that's the same machine
Are the KDC and the client on the same m/c?
- Yep
Cheers,
Srini
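
Added example, not part of the thread and not MIT's code: a small Python check for the two questions the exchange above circles around, namely which krb5.conf the client will read and which KDC/admin endpoints that file yields for the realm. It assumes the usual MIT lookup (KRB5_CONFIG if set, otherwise /etc/krb5.conf) and the default ports shown in the thread (88 and 749); the function names and the sample text are constructed for illustration.

```python
import os

# Default ports as seen in the thread's netstat output and kdc.conf.
DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}

# Constructed sample: a subset of the krb5.conf posted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = NEOTOKYO.COM
[realms]
    NEOTOKYO.COM = {
        kdc = SUN2.NEOTOKYO.COM
        admin_server = SUN2.NEOTOKYO.COM
        default_domain = NEOTOKYO.COM
    }
"""

def config_candidates(env=None):
    """Assumed lookup order: KRB5_CONFIG if set, otherwise /etc/krb5.conf."""
    env = os.environ if env is None else env
    value = env.get("KRB5_CONFIG")
    return [value] if value else ["/etc/krb5.conf"]

def realm_endpoints(text, realm=None):
    """Return (role, host, port) for the realm's kdc and admin_server entries."""
    section, current, default_realm, found = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
        elif line == "}":
            current = None                       # end of a realm block
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                current = key                    # start of a realm block
            elif section == "realms" and current and key in DEFAULT_PORTS:
                host, _, port = value.partition(":")
                port = int(port) if port else DEFAULT_PORTS[key]
                found.append((current, key, host, port))
    realm = realm or default_realm
    return [(k, h, p) for r, k, h, p in found if r == realm]

if __name__ == "__main__":
    for path in config_candidates():
        print(path, "exists" if os.path.exists(path) else "MISSING")
    for role, host, port in realm_endpoints(SAMPLE):
        print(f"{role}: {host}:{port}")
```

If the reported file is missing, or the parsed list is empty, the client has no KDC address for the realm and would fail before any request reaches the server logs.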