KADMIN error

Dennis Davis D.H.Davis at bath.ac.uk
Fri Feb 4 07:43:26 EST 2005

On Thu, 3 Feb 2005, Tom Yu wrote:

> From: Tom Yu <tlyu at mit.edu>
> To: Dennis Davis <D.H.Davis at bath.ac.uk>
> Cc: Mike Dopheide <dopheide at ncsa.uiuc.edu>, kerberos at mit.edu
> Date: Thu, 03 Feb 2005 13:15:54 -0500
> Subject: Re: KADMIN error
> Ok, that is very useful information to have.  The host-based kadmin
> principal name was a 1.4 change for SEAM compatibility.  It should
> fall back to kadmin/admin but does not appear to at the moment.  I'll
> investigate further.

Now I know what's happening, I quite like use of a host-based kadmin
principal.  Apart from the SEAM compatibility, it seems a useful security
measure.  It would help prevent obvious blunders like running a kadmin
daemon on a slave server.  It just wouldn't be able to do anything if there
was no fallback to kadmin/admin.

> Incidentally, one workaround for now is to use the '-O' flag to the
> kadmin client.

Thanks.  I spotted this last night when I started looking at the code for
the kadmin client.  The other obvious one is just to add the
kadmin/hostname at REALM principal to the database.  As a kerberos
administrator I can certainly do that!

I haven't checked, but I presume the kdb5_util command will now add the
host-based kadmin principal when creating a kerberos database.  Our
current database was derived some years ago from a kerberos4 database.
So it's a long time since I had to start from scratch.

Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
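An added shell example, not from this thread or from the MIT distribution: a small audit that checks a capture of `kadmin.local -q listprincs` output for both the `kadmin/admin@REALM` fallback and the host-based `kadmin/<admin-server-host>@REALM` principal the 1.4 client looks for, and prints the `addprinc` command for whichever is missing. The realm, the hostname and the sample listprincs output are constructed, and the assumption that the hostname is the admin server's fully qualified name is mine.

```shell
#!/bin/sh
# Audit a KDC database listing for the admin-server principals a 1.4 kadmin
# client may ask for. Added example; REALM, host and the sample output are
# constructed, not taken from any real site.

# Print, one per line, those principals among "$@" that do not appear as a
# whole line in the listprincs output read on stdin.
missing_principals() {
    db=$(cat)
    for p in "$@"; do
        if ! printf '%s\n' "$db" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# The two names to look for: the kadmin/admin fallback and the host-based
# principal for the admin server (assumed to be its fully qualified name).
kadmin_principals() {
    realm=$1; host=$2
    printf '%s\n' "kadmin/admin@$realm" "kadmin/$host@$realm"
}

# Turn a list of missing principals into the kadmin.local commands that would
# create them with random keys. Commands are printed for review, not run.
addprinc_commands() {
    while read -r p; do
        if [ -n "$p" ]; then
            printf 'kadmin.local -q "addprinc -randkey %s"\n' "$p"
        fi
    done
}

# Constructed sample of `kadmin.local -q listprincs` from a database that
# predates the host-based kadmin principal (the situation in the thread).
SAMPLE_DB='Authenticating as principal root/admin@EXAMPLE.ORG with password.
K/M@EXAMPLE.ORG
kadmin/admin@EXAMPLE.ORG
kadmin/changepw@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

# Run the audit over the sample; on a real KDC replace the printf with
# `kadmin.local -q listprincs`.
audit() {
    realm=$1; host=$2
    printf '%s\n' "$SAMPLE_DB" \
        | missing_principals $(kadmin_principals "$realm" "$host") \
        | addprinc_commands
}
```

On the sample database the audit reports only the host-based principal as missing, which matches the behaviour described above: kadmin/admin is present, but a 1.4 client asking for kadmin/hostname finds nothing.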