KADMIN error

Dennis Davis D.H.Davis at bath.ac.uk
Thu Feb 3 09:15:52 EST 2005

>Date: Tue, 1 Feb 2005 22:00:32 -0600 (CST)
>From: Mike Dopheide <dopheide at ncsa.uiuc.edu>
>To: Kim Sassaman <kim.sassaman at ins.com>
>cc: kerberos at mit.edu
>Subject: Re: KADMIN error
>While testing 1.4 we are seeing this same error with kadmin.       
>So far it seems to be only a kadmin client issue and happens       
>regardless of whether the server is running 1.3.5, 1.3.6, or 1.4.  
>The 1.3.5 and 1.3.6 kadmin clients work fine.  Has anyone else seen
>this issue?

Yes, I'm seeing it as well when testing 1.4.  My production kerberos
servers are running the 1.3.6 release on OpenBSD boxes.  Client
machines are mainly Solaris boxes running the 1.3.6 release although
I have some machines running earlier 1.3.x releases.

The 1.4 kadmin client on a SunOS5.8 box generates this error when
aimed at my production servers.  The 1.3.6 client on the same box
works fine.

I've a test kerberos server running release 1.4 on an old OpenBSD
box.  The 1.4 kadmin client on this box generates this error but the
1.3.6 kadmin client works fine.

Much the same thing happens when I point a 1.4 kadmin client on
a SunOS5.8 box at my test server.  It fails with the same error
message.  However the 1.3.6 client on the on a SunOS5.8 box works
fine with my test server.

>I hope to find time to do more testing later this week.

Well, I'm not concerned about obfuscating kerberos entries.  I see
the following log entry on my test server:

Feb 03 13:45:09 ancho.bath.ac.uk krb5kdc[17597](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) SERVER_NOT_FOUND: ccsdhd/admin at BATH.AC.UK for kadmin/ancho.bath.ac.uk at BATH.AC.UK, Server not found in Kerberos database

This looks wrong to me.  It shouldn't be requesting the
kadmin/ancho.bath.ac.uk at BATH.AC.UK principal.  That would be
associated with the machine acting as the kerberos server.  Instead
it should be requesting the kadmin/admin at BATH.AC.UK principal which
is what the 1.3.6 kadmin client does.  This would also tally up with
the "Required KADM5 principal missing" message.

However I've no idea how long it will take to track this down in
the code...

>> [root at hosthidden root]# kadmin
>> Authenticating as principal userhidden/admin at EXAMPLE.COM with password.
>> kadmin: Database error! Required KADM5 principal missing while initializing
>> kadmin interface
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101

More information about the Kerberos mailing list