Cannot initialize GSS-API authentication, failing.
Jeff Blaine
jblaine at kickflop.net
Wed Jan 24 22:34:00 EST 2007
Figured it out. Just had to clear the maintenance
state for kadmin (rolls eyes at self).
Jeff Blaine wrote:
> This doesn't look too promising. Any help, again, would
> be greatly appreciated.
>
> Solaris 10 6/06 release. Setting up a master KDC from scratch.
>
> ====================================================================
> See further down for spammy kadmin.local set up output that
> was generated seconds before the following:
>
> bash-3.00# svcadm enable -r network/security/krb5kdc
> bash-3.00# svcs -l krb5kdc
> fmri svc:/network/security/krb5kdc:default
> name Kerberos key distribution center
> enabled true
> state online <-------------- good
> next_state none
> state_time Wed Jan 24 21:29:00 2007
> logfile /var/svc/log/network-security-krb5kdc:default.log
> restarter svc:/system/svc/restarter:default
> contract_id 100
> dependency require_all/error svc:/network/dns/client (online)
> bash-3.00# svcadm enable -r network/security/kadmin
> bash-3.00# svcs -l kadmin
> fmri svc:/network/security/kadmin:default
> name Kerberos administration daemon
> enabled true
> state maintenance <-------------- bad
> next_state none
> state_time Wed Jan 24 21:29:19 2007
> logfile /var/svc/log/network-security-kadmin:default.log
> restarter svc:/system/svc/restarter:default
> contract_id
> dependency require_all/error svc:/network/dns/client (online)
> bash-3.00#
> ====================================================================
> bash-3.00# /usr/sbin/kadmin -p jblaine/admin
> Authenticating as principal jblaine/admin at JBTEST with password.
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> ====================================================================
> bash-3.00# kinit -p jblaine/admin
> Password for jblaine/admin at JBTEST:
> bash-3.00# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jblaine/admin at JBTEST
>
> Valid starting Expires Service principal
> 01/24/07 21:29:58 01/25/07 21:29:58 krbtgt/JBTEST at JBTEST
> renew until 01/31/07 21:29:58
> bash-3.00#
> ====================================================================
> /var/adm/kadmin.log has this useful message repeating:
>
> Jan 24 21:29:18 mega1.mitre.org kadmind[1125](Error): Cannot initialize
> GSS-API authentication, failing.
> ====================================================================
> For what it's worth, here are the set up commands I entered
> seconds BEFORE what you see in the screen pastes that start
> this email:
>
> bash-3.00# kadmin.local
> Authenticating as principal root/admin at JBTEST with password.
> kadmin.local: addprinc jblaine/admin
> WARNING: no policy specified for jblaine/admin at JBTEST; defaulting to no
> policy
> Enter password for principal "jblaine/admin at JBTEST":
> Re-enter password for principal "jblaine/admin at JBTEST":
> Principal "jblaine/admin at JBTEST" created.
> kadmin.local: addprinc -randkey kiprop/mega1.mitre.org
> WARNING: no policy specified for kiprop/mega1.mitre.org at JBTEST;
> defaulting to no policy
> Principal "kiprop/mega1.mitre.org at JBTEST" created.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/mega1.mitre.org
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/mega1.mitre.org
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type DES cbc mode with RSA-MD5 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
> Entry for principal kadmin/changepw with kvno 3, encryption type AES-128
> CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type Triple
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
> with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc
> mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/mega1.mitre.org
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: quit
> bash-3.00#
> ====================================================================
> I am following this document. Yeah, it's Solaris Kerberos. But
> it's MIT Kerberos too.
>
> http://docs.sun.com/app/docs/doc/816-4557/6maosrjl2?a=view
>
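The fix reported at the top of this message was clearing the maintenance state for kadmin, which on Solaris SMF is done with `svcadm clear`. The following is an added example, not part of the original post: it scans `svcs -l` output for services in maintenance and prints the log file to read and the clear command to run once the cause is fixed. The function names and the sample input (constructed from the listing quoted above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `svcs -l` output on stdin and reports every service whose
# state is "maintenance", with its SMF log file and the command
# that clears the state after the underlying fault is fixed.

maintenance_report() {
    awk '
        function emit() {
            if (fmri != "" && state == "maintenance")
                printf "%s log=%s clear-with: svcadm clear %s\n", fmri, logfile, fmri
            fmri = ""; state = ""; logfile = ""
        }
        # Each `svcs -l` record starts with an fmri line.
        $1 == "fmri"    { emit(); fmri = $2 }
        # Exact match, so next_state and state_time are ignored.
        $1 == "state"   { state = $2 }
        $1 == "logfile" { logfile = $2 }
        END             { emit() }
    '
}

# Constructed sample: the two records quoted in the message above,
# without the hand-drawn "<---" annotations.
sample_svcs_output() {
    cat <<'EOF'
fmri svc:/network/security/krb5kdc:default
name Kerberos key distribution center
enabled true
state online
next_state none
logfile /var/svc/log/network-security-krb5kdc:default.log
fmri svc:/network/security/kadmin:default
name Kerberos administration daemon
enabled true
state maintenance
next_state none
logfile /var/svc/log/network-security-kadmin:default.log
EOF
}

# Demo on the constructed sample; on a live host use:
#   svcs -l krb5kdc kadmin | maintenance_report
sample_svcs_output | maintenance_report
```

A service left in maintenance is not restarted by `svcadm enable` alone, which is why `kinit` succeeded against the running KDC while `kadmin` could not reach kadmind.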