kadmin: GSS-API (or Kerberos) error

Anthony Ho jyho at abamon.com
Thu Jun 21 00:20:47 EDT 2007


Hi Guys,

This is my first email to this mailing list. I've encountered an issue
with my Kerberos implementation. I've already set up my KDC and I'm able
to kinit and klist my tickets. The only problem left is that I'm unable
to execute kadmin on a remote client. Whenever I try to do that, the
following error pops up.

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


I'm actually connecting from my client PC bar.intra.foobar.com to
foo.intra.foobar.com (KDC).

My current krb5.conf is:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INTRA.FOOBAR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 INTRA.FOOBAR.COM = {
  kdc = kerberos1.intra.foobar.com:88
  admin_server = kerberos1.intra.foobar.com:749
  default_domain = intra.foobar.com
 }

[domain_realm]
 .intra.foobar.com = INTRA.FOOBAR.COM
 intra.foobar.com = INTRA.FOOBAR.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

*** NOTE ***
kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com


My current kadm5.keytab is:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    8            kadmin/admin at INTRA.FOOBAR.COM
   2    8            kadmin/admin at INTRA.FOOBAR.COM
   3    4         kadmin/changepw at INTRA.FOOBAR.COM
   4    4         kadmin/changepw at INTRA.FOOBAR.COM
   5    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
   6    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
   7    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
   8    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM


My current info on the jyho/admin principal:

kadmin.local:  getprinc jyho/admin
Principal: jyho/admin at INTRA.FOOBAR.COM
Expiration date: [never]
Last password change: Tue Jun 12 23:07:35 MYT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jun 12 23:07:35 MYT 2007 (root/admin at INTRA.FOOBAR.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]



My /var/log/krb5kdc.log shows:

        Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
        (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
        1182426770, etypes {rep=16 tkt=16 ses=16},
        jyho/admin at INTRA.FOOBAR.COM for
        kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
        Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
        (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
        1182426770, etypes {rep=16 tkt=16 ses=16},
        jyho/admin at INTRA.FOOBAR.COM for
        kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM




And my /var/log/kadmind.log shows:

        Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
        Request: kadm5_get_principal,
        kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
        client=jyho/admin at INTRA.FOOBAR.COM,
        service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
        addr=10.10.10.13
        Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
        Request: kadm5_get_principal,
        kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
        client=jyho/admin at INTRA.FOOBAR.COM,
        service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
        addr=10.10.10.13
        


*** NOTE ***
Host/User	:	jyho
Hostname	:	foo.intra.foobar.com
Realm		:	INTRA.FOOBAR.COM



Any ideas on this issue, guys? Thanks.

-- 
Regards,

Anthony Ho

System Administrator





