kadmin: GSS-API (or Kerberos) error
Anthony Ho
jyho at abamon.com
Thu Jun 21 00:20:47 EDT 2007
Hi Guys,
This is my first email to this mailing list. I've encountered some issue
with my kerberos implementation. I've already setup my kdc and i'm able
to kinit and klist my tickets. The only problem left is that i'm unable
to execute kadmin in remote client. Whenever i try to do that the
following errors popped up.
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
I'm actually connecting from my client pc bar.intra.foobar.com to
foo.intra.foobar.com(kdc)
my current krb5.conf is
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = INTRA.FOOBAR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
INTRA.FOOBAR.COM = {
kdc = kerberos1.intra.foobar.com:88
admin_server = kerberos1.intra.foobar.com:749
default_domain = intra.foobar.com
}
[domain_realm]
.intra.foobar.com = INTRA.FOOBAR.COM
intra.foobar.com = INTRA.FOOBAR.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
*** NOTE ***
kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
my current kadm5.keytab is
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 8 kadmin/admin at INTRA.FOOBAR.COM
2 8 kadmin/admin at INTRA.FOOBAR.COM
3 4 kadmin/changepw at INTRA.FOOBAR.COM
4 4 kadmin/changepw at INTRA.FOOBAR.COM
5 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
6 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
7 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
8 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
my current info on the jyho/admin principals
kadmin.local: getprinc jyho/admin
Principal: jyho/admin at INTRA.FOOBAR.COM
Expiration date: [never]
Last password change: Tue Jun 12 23:07:35 MYT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jun 12 23:07:35 MYT 2007
(root/admin at INTRA.FOOBAR.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
my /var/log/krb5kdc.log shows
Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
(7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
1182426770, etypes {rep=16 tkt=16 ses=16},
jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
(7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
1182426770, etypes {rep=16 tkt=16 ses=16},
jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
and my /var/log/kadmind.log shows
Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
Request: kadm5_get_principal,
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
client=jyho/admin at INTRA.FOOBAR.COM,
service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
addr=10.10.10.13
Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
Request: kadm5_get_principal,
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
client=jyho/admin at INTRA.FOOBAR.COM,
service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
addr=10.10.10.13
*** NOTE ***
Host/User : jyho
Hostname : foo.intra.foobar.com
Realm : INTRA.FOOBAR.COM
Any Ideas on this issue guys? thanks.
--
Regards,
Anthony Ho
System Administrator
More information about the Kerberos
mailing list