kadmin problem

Marcus Watts mdw at umich.edu
Thu Feb 15 01:35:03 EST 2007


scotty adams <scotty.adams at yahoo.com> writes:
> Hi,
> 
> This is what i am getting after all
> 
> bash-2.05# kadmin scotty
> Enter Password:
> Enter Password:
> kadmin: Preauthentication failed while initializing kadmin interface
> 
> kdc.log shows:
> 
> Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin at SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com at SCOTTIE.COMPANY.COM, Preauthentication failed
> 
> Any help on this ... appreciated
> 
> Thanks,
> scotty
> 
> scotty adams <scotty.adams at yahoo.com> wrote: I tried the following:
> 
> bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
> Enter Password:
> kadmin: Incorrect password while initializing kadmin interface
> 
> even the password that i used is surely correct!!!
> 
> Please point me out to these two errors.
> 
> Regards,
> Scotty

"Preauthentication failed" probably doesn't mean your password
is incorrect.  At least, in my test environment, I get
"Incorrect password" if I botch the password with preauth turned on.
The first thing I would look at with that is to see if
time is sync'd up.  The 2nd thing I'd try is to see if it works
if REQUIRES_PRE_AUTH is turned off on the principal.

When you're getting messages like these--"preauth failed" or "bad pw",
that's not a kadm5 problem, that's a krb5 problem.  You can separate
out and simplify your problem by trying kinit and kvno first.
When you get those to work, then you can fool around with kadmin.

For these experiments, you may need to set password or examine
what's in the kdb.  On your kdc, as root, run
	kadmin.local
then you can do things like
	getprinc
	listprincs
	cpw
	xst
etc.  Use all but the last liberally.  Use the last only when you
intend to replace a keytab that you are convinced is broken.

Below, see scotty.scottie.navlink.com.  Use what you really
have - is that really your admin_server host?
If that is, you should probably have something like:
	[libdefaults]
		default_realm = SCOTTIE.COMPANY.COM
	[realms]
		SCOTTIE.COMPANY.COM = {
			kdc = scotty.scottie.navlink.com:88
			master_kdc = scotty.scottie.navlink.com:88
			admin_server = scotty.scottie.navlink.com:749
		}
	[domain_realm]
		.navlink.com = SCOTTIE.COMPANY.COM
in your krb5.conf file, plus at least a local dns environment
where a lookup of scotty.scottie.navlink.com goes to the right thing,
and a reverse arpa lookup of the ipaddress also points back
at the same name.

So, the commands you should get working are
(client machine):
	ping -s scotty.scottie.navlink.com
	^C
	kinit scotty@SCOTTIE.COMPANY.COM
	kinit scotty/admin@SCOTTIE.COMPANY.COM
	kvno kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
??	kvno kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
	klist -fean
(on the kdc):
	cd (wherever you keep kadm5.keytab, which might be named in kdc.conf):
	klist -ket kadm5.keytab
	kinit -kt kadm5.keytab kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
	klist -fean
	kadmin.local
	getprinc kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
??	getprinc kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
	getprinc scotty@SCOTTIE.COMPANY.COM
	getprinc scotty/admin@SCOTTIE.COMPANY.COM

The ping proves DNS & network routing work; check the IP address.
The first two kinits prove you can authenticate.
The kvno proves you can get a service ticket.
The kdc kinit proves that you have a working keytab on that
machine.  Note the various etypes & kvnos in the output: make sure they're
consistent.

If you can't get the kinit commands to work, you can look
at the actual network traffic to see what is really going on.
Check out
http://lists.openafs.org/pipermail/openafs-info/2006-March/021789.html
You may also be able to use ethereal, see http://www.ethereal.com/
a solaris 9 package might be here:
http://www.sunfreeware.com/programlistintel9.html

					-Marcus Watts
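An added example, not code from Marcus Watts's post or from the MIT Kerberos project: a small POSIX sh script that does the KDC-side half of the triage above. It classifies kdc.log AS_REQ entries so that PREAUTH_FAILED verdicts (the clock-skew / REQUIRES_PRE_AUTH case) are counted separately from plain bad-password and successful ISSUE entries, pulls out the "client for server" principal pair, and checks that a KDC or admin_server host name survives the forward-plus-reverse DNS round trip the post asks for. The SAMPLE_* log lines are constructed, modelled on the line quoted in the thread; the /var/log/krb5kdc.log path is an assumption (kdc.conf names the real one), and the DNS check needs a live resolver with glibc getent.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): triage kdc.log AS_REQ entries
# and check a KDC/admin host name round-trips through DNS.
# SAMPLE_* lines are constructed, modelled on the log line quoted in the thread.

SAMPLE_PREAUTH='Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed'
SAMPLE_ISSUE='Feb 12 12:55:02 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): ISSUE: authtime 1171302902, scotty@SCOTTIE.COMPANY.COM for krbtgt/SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM'
SAMPLE_NOISE='Feb 12 12:55:03 scotty krb5kdc[14905](info): TGS_REQ 192.168.1.12(88): ISSUE: authtime 1171302902, scotty@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM'

# classify_kdc_line LINE
#   Prints the KDC verdict token of an AS_REQ line (PREAUTH_FAILED, ISSUE, ...),
#   i.e. the upper-case word right after the "client(port):" field.
#   Prints UNKNOWN for anything that is not an AS_REQ entry.
classify_kdc_line() {
    status=$(printf '%s\n' "$1" |
        sed -n 's/^.*AS_REQ.*): \([A-Z_][A-Z_]*\): .*$/\1/p')
    printf '%s\n' "${status:-UNKNOWN}"
}

# client_principal LINE / server_principal LINE
#   Extract the "client for server" pair the KDC logs for every request;
#   the server name is cut at the comma that precedes the explanatory text.
client_principal() {
    printf '%s\n' "$1" | sed -n 's/^.* \([^ ]*\) for \([^ ,]*\).*$/\1/p'
}
server_principal() {
    printf '%s\n' "$1" | sed -n 's/^.* \([^ ]*\) for \([^ ,]*\).*$/\2/p'
}

# count_status STATUS < kdc.log
#   Number of AS_REQ lines carrying the given verdict.
count_status() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_kdc_line "$line")" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# triage_kdc_log < kdc.log
#   One line per (client principal, verdict) pair with a count, most frequent
#   first, so a principal stuck on PREAUTH_FAILED stands out among ISSUE lines.
#   A PREAUTH_FAILED run is the cue to compare client and KDC clocks and to
#   retry with the principal's requires_preauth flag cleared before suspecting
#   the password or kadmin itself.
triage_kdc_log() {
    while IFS= read -r line; do
        status=$(classify_kdc_line "$line")
        [ "$status" = UNKNOWN ] && continue
        printf '%s %s\n' "$(client_principal "$line")" "$status"
    done | sort | uniq -c | sort -rn
}

# check_host_roundtrip HOST
#   Forward-resolve HOST, reverse-resolve the address, and report whether the
#   PTR name matches HOST; the kadmin/HOST service principal is derived from
#   this kind of lookup, so a mismatch means the client asks for the wrong
#   principal. Needs a live resolver; returns 2 when getent is unavailable.
check_host_roundtrip() {
    command -v getent >/dev/null 2>&1 || return 2
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || { echo "forward lookup of $1 failed"; return 1; }
    rname=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    echo "$1 -> $addr -> ${rname:-(no PTR)}"
    [ "$rname" = "$1" ]
}

# Stand-alone demo on the constructed lines. On a real KDC (path assumed):
#   triage_kdc_log < /var/log/krb5kdc.log
#   check_host_roundtrip scotty.scottie.navlink.com
printf '%s\n%s\n%s\n' "$SAMPLE_PREAUTH" "$SAMPLE_ISSUE" "$SAMPLE_NOISE" | triage_kdc_log
```

The TGS_REQ sample is deliberately ignored: a kadmin failure shows up first as an AS_REQ for the admin principal, and mixing TGS traffic into the count hides that. Run the DNS check from the client machine as well as the KDC, since the two may be using different resolvers.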


