MIT 1.4.1 and Solaris 10 SEAM kadmin

Ian Grant ian.grant at cl.cam.ac.uk
Thu May 19 10:48:54 EDT 2005


> We heard that krb5-1.4.x would support the protocol (RPCSEC_GSS ?)
> necessary to allow a Solaris 10 kadmin client to work with an MIT
> kadmind. 
> 
> We tried upgrading our MIT server to 1.4.1 and we still cannot get it to
> work. 
> 
> We also heard that you need to add a principal of the form:
> kadmin/kdc_name 
> 
> I was unable to get clarification on the format of kdc_name. We've
> tried:
> 
> kadmin/hostname.domain

This should be added automatically. The hostname should be the
canonical fqdn of the KDC (i.e. not a CNAME).

> kadmin/hostname
> kadmin/cname   (our cname for our kerberos server is 'kerberos' )
> 
> Nothing made a difference.

We are trying the same: Solaris 10 kadmin client talking to MIT 1.4
kadmind. We use a command like 

kadmin -p princ/admin

We are prompted for the password. On entering it we see in the kdc logs
that authentication happens:

May 19 11:34:44 ***** krb5kdc[16731](info): AS_REQ (5 etypes {17 16 23
3 1 }) xxx.xxx.xxx.xxx: ISSUE: authtime 1116498884, etypes {rep=16
tkt=16 ses=16},  princ/admin at MY.DOMAIN for kadmin/kdc.fdn at MY.DOMAIN

But the kadmin client responds:

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

It seems you get further than we do!

