kadmin: GSS-API (or Kerberos) error
Sadique Puthen
xenguy at gmail.com
Thu Jul 5 12:18:38 EDT 2007
Make sure that the client and server are in sync with a time server.
Anthony Ho wrote:
> Hi Guys,
>
> This is my first email to this mailing list. I've encountered an issue
> with my Kerberos implementation. I've already set up my KDC and I'm able
> to kinit and klist my tickets. The only problem left is that I'm unable
> to execute kadmin on a remote client. Whenever I try to do that, the
> following errors pop up.
>
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>
>
> I'm actually connecting from my client PC bar.intra.foobar.com to
> foo.intra.foobar.com (KDC)
>
> my current krb5.conf is
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = INTRA.FOOBAR.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> INTRA.FOOBAR.COM = {
> kdc = kerberos1.intra.foobar.com:88
> admin_server = kerberos1.intra.foobar.com:749
> default_domain = intra.foobar.com
> }
>
> [domain_realm]
> .intra.foobar.com = INTRA.FOOBAR.COM
> intra.foobar.com = INTRA.FOOBAR.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> *** NOTE ***
> kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
>
>
> my current kadm5.keytab is
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 8 kadmin/admin at INTRA.FOOBAR.COM
> 2 8 kadmin/admin at INTRA.FOOBAR.COM
> 3 4 kadmin/changepw at INTRA.FOOBAR.COM
> 4 4 kadmin/changepw at INTRA.FOOBAR.COM
> 5 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 6 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 7 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 8 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>
>
> my current info on the jyho/admin principals
>
> kadmin.local: getprinc jyho/admin
> Principal: jyho/admin at INTRA.FOOBAR.COM
> Expiration date: [never]
> Last password change: Tue Jun 12 23:07:35 MYT 2007
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Tue Jun 12 23:07:35 MYT 2007
> (root/admin at INTRA.FOOBAR.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
>
>
> my /var/log/krb5kdc.log shows
>
> Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> 1182426770, etypes {rep=16 tkt=16 ses=16},
> jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> 1182426770, etypes {rep=16 tkt=16 ses=16},
> jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>
>
>
>
> and my /var/log/kadmind.log shows
>
> Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> Request: kadm5_get_principal,
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> client=jyho/admin at INTRA.FOOBAR.COM,
> service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> addr=10.10.10.13
> Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> Request: kadm5_get_principal,
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> client=jyho/admin at INTRA.FOOBAR.COM,
> service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> addr=10.10.10.13
>
>
>
> *** NOTE ***
> Host/User : jyho
> Hostname : foo.intra.foobar.com
> Realm : INTRA.FOOBAR.COM
>
>
>
> Any ideas on this issue, guys? Thanks.
>
>
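One way to act on the reply's suggestion, as an added example that is not part of the original thread: measure the client's clock offset against the time source the KDC uses and compare it with the Kerberos clock-skew tolerance. The function names are hypothetical, the timestamps are constructed, and the 300-second figure assumes the MIT krb5 default for `clockskew` (a site may configure a different value).

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_CLOCKSKEW = 300           # assumed tolerance: MIT krb5 default "clockskew"


def parse_reply(packet):
    """Return (receive, transmit) server timestamps as Unix time from an NTP reply."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    if packet[0] & 0x07 != 4:                      # mode 4 = server
        raise ValueError("packet is not a server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", packet[32:48])
    to_unix = lambda s, f: s - NTP_EPOCH_DELTA + f / 2**32
    return to_unix(rx_s, rx_f), to_unix(tx_s, tx_f)


def clock_offset(t_sent, packet, t_received):
    """NTP offset (server minus local): ((T2 - T1) + (T3 - T4)) / 2."""
    t2, t3 = parse_reply(packet)
    return ((t2 - t_sent) + (t3 - t_received)) / 2


def within_skew(offset, tolerance=KRB5_CLOCKSKEW):
    """True if the measured offset is inside the clock-skew tolerance."""
    return abs(offset) <= tolerance


def query_offset(host, timeout=3.0):
    """Live SNTP query (UDP/123); run on the client against the KDC's time source."""
    request = bytes([0x23]) + bytes(47)            # LI=0, VN=4, mode 3 = client
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (host, 123))
        packet, _ = sock.recvfrom(512)
        return clock_offset(t_sent, packet, time.time())


def sample_reply(server_time):
    """Constructed reply for offline use: server stamps rx and tx at server_time."""
    stamp = struct.pack("!II", int(server_time) + NTP_EPOCH_DELTA, 0)
    return bytes([0x24]) + bytes(31) + stamp + stamp   # LI=0, VN=4, mode 4


if __name__ == "__main__":
    local = 1182426770.0                           # constructed client clock reading
    off = clock_offset(local, sample_reply(local + 420), local + 0.2)
    print(f"offset {off:+.1f}s, within tolerance: {within_skew(off)}")
```

Running `query_offset()` on both the client and the KDC host against the same time server shows which of the two has drifted.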