MacOSX Tiger kadmin uses a non-standard service principal

Ben Poliakoff benp at reed.edu
Thu May 5 17:05:46 EDT 2005


Has anyone else noticed that the kadmin command on the recently released
Mac OS 10.4 (aka "Tiger") wants to use a "non-standard" kadmin service
principal?

On previous versions of OSX the kadmin command used the "standard"
service principal in the form "kadmin/admin@<REALM>" (just like MIT krb5
clients do).

On Tiger, kadmin is trying to find "kadmin/<FQDN>@<REALM>", which in my
KDC doesn't exist; kadmin then bails with this error:

    kadmin: Database error! Required KADM5 principal missing while
    initializing kadmin interface

On my KDC's log I see this:

    May 05 12:00:00 kdchostname krb5kdc[225](info): AS_REQ (7 etypes\
      {18 17 16 23 1 3 2}) x.x.x.x: SERVER_NOT_FOUND:\
      username/admin@<REALM> for kadmin/<FQDN>@<REALM>,\
      Server not found in Kerberos database

I may well have missed something; is a new "standard" emerging?  MIT
krb5-1.4.1 doesn't seem to look for "kadmin/<FQDN>@<REALM>" (it happily
uses the same "kadmin/admin@<REALM>" format it always has).

Presumably if I create the principal "kadmin/<FQDN>@<REALM>" and add it
to my kadmind's keytab then kadmin on my Tiger machines will work.  But
it's rather annoying to be "blackmailed" into making a modification like
this on one's KDC.

So, has anyone else seen this behavior?  If so, I'd be interested in some
discussion about the best course of action.

Ben
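An added example (mine, not from the post or from MIT or Apple) that parses krb5kdc AS_REQ lines of the shape quoted above and counts, per client address, the SERVER_NOT_FOUND requests whose service is kadmin/<instance> with an instance other than "admin". Running it over the KDC log shows which hosts are asking for the non-standard principal before anyone decides whether to create it; the realm, hostnames, addresses and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Shape of the krb5kdc AS_REQ line quoted in the post: timestamp, host, "krb5kdc[pid](level):",
# request type, etype list, client address, status, then text ending "<client> for <server>[, msg]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
PAIR_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")

def parse_line(line):
    """Return a dict of fields for one krb5kdc request line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pair = PAIR_RE.search(rec["detail"])
    rec["client"] = pair.group("client") if pair else None
    rec["server"] = pair.group("server") if pair else None
    return rec

def kadmin_instance(server):
    """Instance part of a kadmin/<instance>@REALM principal name, else None."""
    primary, _, instance = (server or "").split("@", 1)[0].partition("/")
    return instance if primary == "kadmin" and instance else None

def nonstandard_kadmin_requests(lines):
    """Count refused requests per (client address, requested service) where the service is
    kadmin/<something other than admin>, i.e. the Tiger behaviour described in the post."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "SERVER_NOT_FOUND":
            continue
        instance = kadmin_instance(rec["server"])
        if instance is not None and instance != "admin":
            hits[(rec["addr"], rec["server"])] += 1
    return hits

# Constructed sample log (placeholder realm, hosts, addresses), one record per line.
SAMPLE_LOG = [
    "May 05 12:00:00 kdc1 krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: SERVER_NOT_FOUND: alice/admin@EXAMPLE.COM for kadmin/kdc1.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "May 05 12:00:05 kdc1 krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: ISSUE: authtime 1115308805, etypes {rep=16 tkt=16 ses=16}, bob/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM",
    "May 05 12:00:09 kdc1 krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: SERVER_NOT_FOUND: alice/admin@EXAMPLE.COM for kadmin/kdc1.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "May 05 12:00:12 kdc1 krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: SERVER_NOT_FOUND: carol@EXAMPLE.COM for host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database",
]
```

Feed it the real log with `nonstandard_kadmin_requests(open("/path/to/krb5kdc.log"))`; an empty result means no client is asking for the host-instance principal.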

