kadmin: GSS-API (or Kerberos) error

Edward Murrell edward at murrell.co.nz
Thu Jun 21 00:41:42 EDT 2007


Erm, dunno if this will help you any. This is a straight copy/paste from
my Wiki, which may only apply to my domain, but it sounds about right;

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Ussually this occurs if they client's default realm differs from
the KDCs realm.

      * Run kadmin with the -r REALM.EXAMPLE.COM flag.

Cheers,
~Edward

On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> This is my first email to this mailing list. I've encountered some issue
> with my kerberos implementation. I've already setup my kdc and i'm able
> to kinit and klist my tickets. The only problem left is that i'm unable
> to execute kadmin in remote client. Whenever i try to do that the
> following errors popped up.
> 
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> 
> 
> I'm actually connecting from my client pc bar.intra.foobar.com to
> foo.intra.foobar.com(kdc)
> 
> my current krb5.conf is
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = INTRA.FOOBAR.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>  INTRA.FOOBAR.COM = {
>   kdc = kerberos1.intra.foobar.com:88
>   admin_server = kerberos1.intra.foobar.com:749
>   default_domain = intra.foobar.com
>  }
> 
> [domain_realm]
>  .intra.foobar.com = INTRA.FOOBAR.COM
>  intra.foobar.com = INTRA.FOOBAR.COM
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> *** NOTE ***	
> kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> 
> 
> my current kadm5.keytab is 
> 
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
>    1    8            kadmin/admin at INTRA.FOOBAR.COM
>    2    8            kadmin/admin at INTRA.FOOBAR.COM
>    3    4         kadmin/changepw at INTRA.FOOBAR.COM
>    4    4         kadmin/changepw at INTRA.FOOBAR.COM
>    5    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>    6    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>    7    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>    8    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> 
> my current info on the jyho/admin principals
> 
> kadmin.local:  getprinc jyho/admin
> Principal: jyho/admin at INTRA.FOOBAR.COM
> Expiration date: [never]
> Last password change: Tue Jun 12 23:07:35 MYT 2007
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Tue Jun 12 23:07:35 MYT 2007
> (root/admin at INTRA.FOOBAR.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
> 
> 
> 
> my /var/log/krb5kdc.log shows
> 
>         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
>         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
>         1182426770, etypes {rep=16 tkt=16 ses=16},
>         jyho/admin at INTRA.FOOBAR.COM for
>         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
>         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
>         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
>         1182426770, etypes {rep=16 tkt=16 ses=16},
>         jyho/admin at INTRA.FOOBAR.COM for
>         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> 
> 
> 
> and my /var/log/kadmind.log shows
> 
>         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
>         Request: kadm5_get_principal,
>         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
>         client=jyho/admin at INTRA.FOOBAR.COM,
>         service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
>         addr=10.10.10.13
>         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
>         Request: kadm5_get_principal,
>         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
>         client=jyho/admin at INTRA.FOOBAR.COM,
>         service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
>         addr=10.10.10.13
>         
> 
> 
> *** NOTE ***
> Host/User	:	jyho
> Hostname	:	foo.intra.foobar.com
> Realm		:	INTRA.FOOBAR.COM
> 
> 
> 
> Any Ideas on this issue guys? thanks.
> 




More information about the Kerberos mailing list