Cannot initialize GSS-API authentication, failing.

Edward Murrell edward at dlconsulting.com
Wed Jan 24 21:53:06 EST 2007


I don't know if this is exactly the error (since I'm running all MIT on
Linux here), but my Wiki had the following entry;

Error: kadmin: GSS-API (or Kerberos) error while initializing kadmin
interface

This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Usually this occurs if the client's default realm differs from
the KDC's realm.

* Run kadmin with the -r REALM.EXAMPLE.COM flag.

I do remember at one point I had to run something like the following to
get things to work;
kadmin -r MYREALM.COM -s server.full.domain.com -p edward/admin@MYREALM.COM

Hope this helps! Let us know how you get on.

Regards
Edward Murrell


Jeff Blaine wrote:
> This doesn't look too promising.  Any help, again, would
> be greatly appreciated.
>
> Solaris 10 6/06 release.  Setting up a master KDC from scratch.
>
> ====================================================================
> See further down for spammy kadmin.local set up output that
> was generated seconds before the following:
>
> bash-3.00# svcadm enable -r network/security/krb5kdc
> bash-3.00# svcs -l krb5kdc
> fmri         svc:/network/security/krb5kdc:default
> name         Kerberos key distribution center
> enabled      true
> state        online       <-------------- good
> next_state   none
> state_time   Wed Jan 24 21:29:00 2007
> logfile      /var/svc/log/network-security-krb5kdc:default.log
> restarter    svc:/system/svc/restarter:default
> contract_id  100
> dependency   require_all/error svc:/network/dns/client (online)
> bash-3.00# svcadm enable -r network/security/kadmin
> bash-3.00# svcs -l kadmin
> fmri         svc:/network/security/kadmin:default
> name         Kerberos administration daemon
> enabled      true
> state        maintenance   <-------------- bad
> next_state   none
> state_time   Wed Jan 24 21:29:19 2007
> logfile      /var/svc/log/network-security-kadmin:default.log
> restarter    svc:/system/svc/restarter:default
> contract_id
> dependency   require_all/error svc:/network/dns/client (online)
> bash-3.00#
> ====================================================================
> bash-3.00# /usr/sbin/kadmin -p jblaine/admin
> Authenticating as principal jblaine/admin at JBTEST with password.
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> ====================================================================
> bash-3.00# kinit -p jblaine/admin
> Password for jblaine/admin at JBTEST:
> bash-3.00# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jblaine/admin at JBTEST
>
> Valid starting                Expires                Service principal
> 01/24/07 21:29:58  01/25/07 21:29:58  krbtgt/JBTEST at JBTEST
>          renew until 01/31/07 21:29:58
> bash-3.00#
> ====================================================================
> /var/adm/kadmin.log has this useful message repeating:
>
> Jan 24 21:29:18 mega1.mitre.org kadmind[1125](Error): Cannot initialize 
> GSS-API authentication, failing.
> ====================================================================
> For what it's worth, here are the set up commands I entered
> seconds BEFORE what you see in the screen pastes that start
> this email:
>
> bash-3.00# kadmin.local
> Authenticating as principal root/admin at JBTEST with password.
> kadmin.local:  addprinc jblaine/admin
> WARNING: no policy specified for jblaine/admin at JBTEST; defaulting to no 
> policy
> Enter password for principal "jblaine/admin at JBTEST":
> Re-enter password for principal "jblaine/admin at JBTEST":
> Principal "jblaine/admin at JBTEST" created.
> kadmin.local:  addprinc -randkey kiprop/mega1.mitre.org
> WARNING: no policy specified for kiprop/mega1.mitre.org at JBTEST; 
> defaulting to no policy
> Principal "kiprop/mega1.mitre.org at JBTEST" created.
> kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kadmin/mega1.mitre.org
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type 
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type 
> Triple DES cbc mode with HMAC/sha1 added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type 
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type 
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab changepw/mega1.mitre.org
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption 
> type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption 
> type Triple DES cbc mode with HMAC/sha1 added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption 
> type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption 
> type DES cbc mode with RSA-MD5 added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
> Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 
> CTS mode with 96-bit SHA-1 HMAC added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type Triple 
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour 
> with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc 
> mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kiprop/mega1.mitre.org
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type 
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type 
> Triple DES cbc mode with HMAC/sha1 added to keytab 
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type 
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type 
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local:  quit
> bash-3.00#
> ====================================================================
> I am following this document.  Yeah, it's Solaris Kerberos.  But
> it's MIT Kerberos too.
>
> http://docs.sun.com/app/docs/doc/816-4557/6maosrjl2?a=view
>   
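
The realm check suggested in the reply above, as an added example that is not part of the original thread: it reads `default_realm` from a krb5.conf-style file, lists the realms defined in a kdc.conf-style file, and prints the `kadmin -r` hint when they differ. The function names, the temporary file paths and the sample config text are constructed for illustration; realm names are compared exactly, since Kerberos realms are case-sensitive.

```shell
#!/bin/sh
# Added example (not from the thread). Sample config text below is constructed.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

# Print each realm defined at the top level of [realms] in a kdc.conf-style file.
kdc_realms() {
    awk '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); depth = 0; next }
        in_realms {
            if (depth == 0 && $0 ~ /^[ \t]*[^ \t#;=]+[ \t]*=[ \t]*[{]/) {
                name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*$/, "", name)
                print name
            }
            # Track brace depth so nested "key = {" blocks are not listed as realms.
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        }' "$1"
}

# Return 0 if the client's default realm is one the KDC serves (exact,
# case-sensitive match); otherwise print a kadmin -r hint and return 1.
check_realm() {    # $1 = krb5.conf path, $2 = kdc.conf path
    client=$(default_realm "$1")
    for realm in $(kdc_realms "$2"); do
        if [ "$realm" = "$client" ]; then echo "ok: $client"; return 0; fi
    done
    echo "mismatch: default_realm='$client'; try: kadmin -r $(kdc_realms "$2" | head -n 1)"
    return 1
}

# Constructed sample files: the client realm differs from the KDC realm by case.
demo=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = jbtest\n' > "$demo/krb5.conf"
printf '[realms]\n\tJBTEST = {\n\t\tkdc_ports = 88,750\n\t}\n' > "$demo/kdc.conf"
check_realm "$demo/krb5.conf" "$demo/kdc.conf" || true
```

On a real host, point `check_realm` at the client's krb5.conf and the KDC's kdc.conf instead of the constructed files.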