MIT 1.4.1 and Solaris 10 SEAM kadmin
Ian Grant
ian.grant at cl.cam.ac.uk
Thu May 19 10:48:54 EDT 2005
> We heard that krb5-1.4.x would support the protocol (RPCSEC_GSS ?)
> necessary to allow a Solaris 10 kadmin client to work with an MIT
> kadmind.
>
> We tried upgrading our MIT server to 1.4.1 and we still cannot get it to
> work.
>
> We also heard that you need to add a principal of the form:
> kadmin/kdc_name
>
> I was unable to get clarification on the format of kdc_name. We've
> tried:
>
> kadmin/hostname.domain
This should be added automatically/ The hostname should be the
canonical fqdn of the KDC (i.e. not a CNAME)
> kadmin/hostname
> kadmin/cname (our cname for our kerberos server is 'kerberos' )
>
> Nothing made a difference.
We are trying the same: Solaris 10 kadmin client talking to MIT 1.4
kadmind. We use a command like
kadmin -p princ/admin
We are prompted for the password. On entering it we see in the kdc logs
that authentication happens:
May 19 11:34:44 ***** krb5kdc[16731](info): AS_REQ (5 etypes {17 16 23
3 1 }) xxx.xxx.xxx.xxx: ISSUE: authtime 1116498884, etypes {rep=16
tkt=16 ses=16}, princ/admin at MY.DOMAIN for kadmin/kdc.fdn at MY.DOMAIN
But the kadmin client responds:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
It seems you get further than we do!
More information about the Kerberos
mailing list