kadmin: GSS-API (or Kerberos) error
Anthony Ho
jyho at abamon.com
Fri Jun 22 22:22:24 EDT 2007
Hi Guys,
I've tested the given solution but to no avail.
I did a strace on kadmin at the remote client and the following is the
output of it.
[root at bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libss.so.2", O_RDONLY) = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
open("/lib/libcom_err.so.2", O_RDONLY) = 3
open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 4
Authenticating as principal jyho/admin with password.
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
open("/etc/resolv.conf", O_RDONLY) = 5
open("/etc/nsswitch.conf", O_RDONLY) = 5
open("/etc/ld.so.cache", O_RDONLY) = 5
open("/lib/libnss_files.so.2", O_RDONLY) = 5
open("/etc/host.conf", O_RDONLY) = 5
open("/etc/hosts", O_RDONLY) = 5
open("/etc/ld.so.cache", O_RDONLY) = 5
open("/lib/libnss_dns.so.2", O_RDONLY) = 5
open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY) = 6
open("/usr/lib/libssl3.so", O_RDONLY) = 6
open("/usr/lib/libsmime3.so", O_RDONLY) = 6
open("/usr/lib/libnss3.so", O_RDONLY) = 6
open("/usr/lib/libplds4.so", O_RDONLY) = 6
open("/usr/lib/libplc4.so", O_RDONLY) = 6
open("/usr/lib/libnspr4.so", O_RDONLY) = 6
open("/lib/libpthread.so.0", O_RDONLY) = 6
open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
open("/dev/urandom", O_RDONLY) = 5
open("/dev/urandom", O_RDONLY) = 5
open("/etc/passwd", O_RDONLY) = 5
open("/tmp", O_RDONLY) = 5
open("/var/tmp", O_RDONLY) = 5
open("/usr/tmp", O_RDONLY) = 5
--- SIGCHLD (Child exited) @ 0 (0) ---
open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY) = 7
open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
open("/usr/lib/libz.so.1", O_RDONLY) = 7
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
open("/lib/libm.so.6", O_RDONLY) = 7
open("/lib/libgcc_s.so.1", O_RDONLY) = 7
open("/etc/ld.so.cache", O_RDONLY) = 7
open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
open("/var/run/pcscd.pub", O_RDONLY) = 7
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|O_APPEND, 0700) = -1 EEXIST (File exists)
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY) = 10
open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
open("/etc/hosts", O_RDONLY) = 10
Password for jyho/admin at INTRA.FOOBAR.COM:
open("/etc/hosts", O_RDONLY) = 10
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Process 19676 detached
________________________________________________________________________
And during the execution of the command I did a tail
-f /var/log/krb5kdc.log and the following output appeared.
Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
Am I missing something here guys or is it something else? Help needed
guys. Thanks
On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> Erm, dunno if this will help you any. This is a straight copy/paste from
> my Wiki, which may only apply to my domain, but it sounds about right;
>
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>
> This occurs when kadmin is attempting to talk to the KDC with the wrong
> realm. Usually this occurs if the client's default realm differs from
> the KDC's realm.
>
> * Run kadmin with the -r REALM.EXAMPLE.COM flag.
>
> Cheers,
> ~Edward
>
> On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > Hi Guys,
> >
> > This is my first email to this mailing list. I've encountered some issues
> > with my Kerberos implementation. I've already set up my KDC and I'm able
> > to kinit and klist my tickets. The only problem left is that I'm unable
> > to execute kadmin on a remote client. Whenever I try to do that the
> > following error pops up.
> >
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> >
> >
> > I'm actually connecting from my client pc bar.intra.foobar.com to
> > foo.intra.foobar.com(kdc)
> >
> > my current krb5.conf is
> >
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = INTRA.FOOBAR.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > ticket_lifetime = 24h
> > forwardable = yes
> >
> > [realms]
> > INTRA.FOOBAR.COM = {
> > kdc = kerberos1.intra.foobar.com:88
> > admin_server = kerberos1.intra.foobar.com:749
> > default_domain = intra.foobar.com
> > }
> >
> > [domain_realm]
> > .intra.foobar.com = INTRA.FOOBAR.COM
> > intra.foobar.com = INTRA.FOOBAR.COM
> >
> > [kdc]
> > profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > [appdefaults]
> > pam = {
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > forwardable = true
> > krb4_convert = false
> > }
> >
> > *** NOTE ***
> > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> >
> >
> > my current kadm5.keytab is
> >
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> > 1 8 kadmin/admin at INTRA.FOOBAR.COM
> > 2 8 kadmin/admin at INTRA.FOOBAR.COM
> > 3 4 kadmin/changepw at INTRA.FOOBAR.COM
> > 4 4 kadmin/changepw at INTRA.FOOBAR.COM
> > 5 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > 6 3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > 7 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > 8 4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> >
> >
> > my current info on the jyho/admin principals
> >
> > kadmin.local: getprinc jyho/admin
> > Principal: jyho/admin at INTRA.FOOBAR.COM
> > Expiration date: [never]
> > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > Password expiration date: [none]
> > Maximum ticket life: 1 day 00:00:00
> > Maximum renewable life: 0 days 00:00:00
> > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > (root/admin at INTRA.FOOBAR.COM)
> > Last successful authentication: [never]
> > Last failed authentication: [never]
> > Failed password attempts: 0
> > Number of keys: 2
> > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > Key: vno 1, DES cbc mode with CRC-32, no salt
> > Attributes:
> > Policy: [none]
> >
> >
> >
> > my /var/log/krb5kdc.log shows
> >
> > Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > 1182426770, etypes {rep=16 tkt=16 ses=16},
> > jyho/admin at INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > 1182426770, etypes {rep=16 tkt=16 ses=16},
> > jyho/admin at INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> >
> >
> >
> >
> > and my /var/log/kadmind.log shows
> >
> > Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > Request: kadm5_get_principal,
> > kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> > client=jyho/admin at INTRA.FOOBAR.COM,
> > service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> > addr=10.10.10.13
> > Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > Request: kadm5_get_principal,
> > kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> > client=jyho/admin at INTRA.FOOBAR.COM,
> > service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> > addr=10.10.10.13
> >
> >
> >
> > *** NOTE ***
> > Host/User : jyho
> > Hostname : foo.intra.foobar.com
> > Realm : INTRA.FOOBAR.COM
> >
> >
> >
> > Any Ideas on this issue guys? thanks.
> >
>
--
Regards,
Anthony Ho
System Administrator
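
Added example (not part of the original thread): a small Python parser for the `krb5kdc.log` AS_REQ entries quoted above, reporting which service principal the ticket was issued for, the enctype chosen, and any single-DES enctypes the client offered. The sample entry is constructed from the thread's log format with `@` written as the KDC logs it; function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Kerberos enctype numbers (IANA registry), limited to those seen in the thread.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 2, 3}  # single-DES enctypes

# Matches successful (ISSUE-style) AS_REQ entries only.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)")

def parse_as_req(entry):
    """Parse one AS_REQ entry; mail-wrapped lines are re-joined first."""
    flat = " ".join(entry.split())
    m = AS_REQ.search(flat)
    if m is None:
        return None  # not an entry in the format handled here
    rec = m.groupdict()
    rec["req"] = [int(n) for n in rec["req"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    rec["issued_utc"] = datetime.fromtimestamp(int(rec["authtime"]),
                                               tz=timezone.utc)
    return rec

def weak_offered(rec):
    """Single-DES enctypes the client listed in its request."""
    return [ETYPES[n] for n in rec["req"] if n in WEAK]

# Constructed sample, wrapped the way the mail client wrapped it.
SAMPLE = """Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM"""

if __name__ == "__main__":
    rec = parse_as_req(SAMPLE)
    print(rec["status"], rec["client"], "->", rec["server"])
    print("ticket enctype:", ETYPES[rec["tkt"]], "from", rec["addr"])
    print("issued (UTC):", rec["issued_utc"].isoformat())
    print("single-DES offered by client:", weak_offered(rec))
```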