FW: kadmin problems

Wachdorf, Daniel R drwachd at sandia.gov
Wed Oct 22 12:43:51 EDT 2003


I have figured out that the problem is that kadmin (in krb5-1.3.1 and
seemingly not 1.3) requests a ticket with etype des3-cbc-sha1 even though
the /etc/krb5.conf file had des-cbc-crc for default tgs and tkt types of
des-cbc-crc.  On the server, the principal's password is des-cbc-crc.
When I change the key on the server of drwachd/admin to des3-cbc-sha1 and

Is there a reason why kadmin is doing this?  The KDC logs indicate that
preauth is failing (timestamp).  Is kadmin encrypting the timestamp with
des3-cbc-sha1?  Should it use the e-type indicated by the /etc/krb5.conf file?

Thanks
-dan

-----Original Message-----
From: Wachdorf, Daniel R 
Sent: Tuesday, October 14, 2003 6:24 PM
To: Wachdorf, Daniel R
Cc: 'kerberos at mit.edu'
Subject: RE: kadmin problems

Actually,

All the entries for everything are dce.sandia.gov.  I changed the name on
them before I posted the message.  I must have missed one.

-----Original Message-----
From: John Dewey
To: Wachdorf, Daniel R
Cc: 'kerberos at mit.edu'
Sent: 10/14/2003 5:38 PM
Subject: Re: kadmin problems


kadm5.acl contains an entry of */admin@dce.sandia.gov.
Your kadmin is authing as drwachd/admin@test.sandia.gov.
Try kadmin -p drwachd/admin@DCE.SANDIA.GOV.

John

On Mon, Oct 13, 2003 at 04:53:27PM -0600, Wachdorf, Daniel R wrote:
> I am having trouble getting kadmin to work.  I can use kadmin.local without
> any problem.
> 
> I have set up the kadm5.acl file with this entry:
> */admin@dce.sandia.gov *
> 
> I created the principal with the name drwachd/admin
> 
> When I try to use kadmin I get this:
> 
> [drwachd@mit drwachd]$ /usr/local/sbin/kadmin
> Authenticating as principal drwachd/admin@test.sandia.gov with password.
> Password for drwachd/admin@test.sandia.gov:
> Password for drwachd/admin@test.sandia.gov:
> kadmin: Preauthentication failed while initializing kadmin interface
> 
> I see this in the krb5kdc.log file:
> Oct 13 16:53:20 test.sandia.gov krb5kdc[9711](info): preauth (timestamp) verify failure: No matching key in entry
> Oct 13 16:53:20 test.sandia.gov krb5kdc[9711](info): AS_REQ (4 etypes {16 23 3 1}) 132.175.90.200: PREAUTH_FAILED: drwachd/admin@test.sandia.gov for kadmin/admin@test.sandia.gov, Preauthentication failed
> 
> Anyone know what's going on?  I am running kadmin from the KDC, so it can't
> be a timeskew issue.  I am SURE the password is right.
> I have tried doing a kinit -S kadmin/admin drwachd/admin@test.sandia.gov and
> it works fine.
> 
> Any ideas?
> 
> -dan
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
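
An added example, not part of the original thread: a Python triage pass over krb5kdc.log lines in the failure format quoted above. It decodes the etype list a client offered in a failed AS_REQ and notes whether the KDC had just logged "No matching key in entry". The function name `triage` is hypothetical, and the sample log lines, host names, principals and addresses are constructed.

```python
import re

# Kerberos etype numbers (IANA registry), with the names MIT krb5.conf accepts.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DEPRECATED = {1, 2, 3, 16, 23}  # RFC 6649 (single DES), RFC 8429 (3DES, RC4)

# Matches only the failure layout shown in the thread; other AS_REQ lines are skipped.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+?),")
NO_KEY = re.compile(r"preauth \([\w-]+\) verify failure: No matching key in entry")

# Constructed sample input, modelled on the two log lines quoted in the thread.
SAMPLE = [
    "Oct 13 16:53:20 kdc.example.test krb5kdc[9711](info): preauth (timestamp) "
    "verify failure: No matching key in entry",
    "Oct 13 16:53:20 kdc.example.test krb5kdc[9711](info): AS_REQ (4 etypes "
    "{16 23 3 1}) 192.0.2.10: PREAUTH_FAILED: alice/admin@EXAMPLE.TEST for "
    "kadmin/admin@EXAMPLE.TEST, Preauthentication failed",
    "Oct 13 16:54:02 kdc.example.test krb5kdc[9711](info): AS_REQ (2 etypes "
    "{18 17}) 192.0.2.11: PREAUTH_FAILED: bob@EXAMPLE.TEST for "
    "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed",
]

def triage(lines):
    """Return one finding per PREAUTH_FAILED AS_REQ, with its etype list decoded."""
    findings, no_key_seen = [], False
    for line in lines:
        if NO_KEY.search(line):
            no_key_seen = True  # the KDC logs this just before the AS_REQ line
            continue
        m = AS_REQ.search(line)
        if not m:
            continue
        offered = [int(n) for n in m["etypes"].split()]
        if m["status"] == "PREAUTH_FAILED":
            findings.append({
                "client": m["client"], "server": m["server"],
                "offered": [ETYPES.get(n, f"etype-{n}") for n in offered],
                "key_mismatch": no_key_seen,  # no stored key for the etype used
                "deprecated_only": all(n in DEPRECATED for n in offered),
            })
        no_key_seen = False
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `key_mismatch` set points at a difference between the etypes the client offers and the key types stored for the principal, rather than at a wrong password or clock skew.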
