kadmin: GSS-API (or Kerberos) error

Anthony Ho jyho at abamon.com
Mon Jun 25 21:31:41 EDT 2007


Hi Guys,

Does anyone have better ideas for solving this problem? I've been stuck on this
for quite some time now. 

One question, guys: is it important to use kadmin on a remote machine?

As far as I know, to add a remote machine we must log in to each machine and
run kadmin on it in order to add it into the KDC's machine database.
Is that true? Correct me if I'm wrong. 

On Sat, 2007-06-23 at 10:22 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> I've tested the given solution but to no avail.
> 
> I did a strace on kadmin at the remote client and the following is the
> output of it.
> 
> [root at bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libss.so.2", O_RDONLY)       = 3
> open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
> open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
> open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
> open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
> open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
> open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
> open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
> open("/lib/libresolv.so.2", O_RDONLY)   = 3
> open("/lib/libdl.so.2", O_RDONLY)       = 3
> open("/lib/libc.so.6", O_RDONLY)        = 3
> open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
> open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
> open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> = 3
> open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> = 4
> Authenticating as principal jyho/admin with password.
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
> open("/etc/resolv.conf", O_RDONLY)      = 5
> open("/etc/nsswitch.conf", O_RDONLY)    = 5
> open("/etc/ld.so.cache", O_RDONLY)      = 5
> open("/lib/libnss_files.so.2", O_RDONLY) = 5
> open("/etc/host.conf", O_RDONLY)        = 5
> open("/etc/hosts", O_RDONLY)            = 5
> open("/etc/ld.so.cache", O_RDONLY)      = 5
> open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
> open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> O_DIRECTORY) = 5
> open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY)      = 6
> open("/usr/lib/libssl3.so", O_RDONLY)   = 6
> open("/usr/lib/libsmime3.so", O_RDONLY) = 6
> open("/usr/lib/libnss3.so", O_RDONLY)   = 6
> open("/usr/lib/libplds4.so", O_RDONLY)  = 6
> open("/usr/lib/libplc4.so", O_RDONLY)   = 6
> open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
> open("/lib/libpthread.so.0", O_RDONLY)  = 6
> open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
> open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
> open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
> open("/dev/urandom", O_RDONLY)          = 5
> open("/dev/urandom", O_RDONLY)          = 5
> open("/etc/passwd", O_RDONLY)           = 5
> open("/tmp", O_RDONLY)                  = 5
> open("/var/tmp", O_RDONLY)              = 5
> open("/usr/tmp", O_RDONLY)              = 5
> --- SIGCHLD (Child exited) @ 0 (0) ---
> open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
> open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY)      = 7
> open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
> open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
> open("/usr/lib/libz.so.1", O_RDONLY)    = 7
> open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
> open("/lib/libm.so.6", O_RDONLY)        = 7
> open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
> open("/etc/ld.so.cache", O_RDONLY)      = 7
> open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
> open("/var/run/pcscd.pub", O_RDONLY)    = 7
> open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
> O_APPEND, 0700) = -1 EEXIST (File exists)
> open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
> open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
> or directory)
> open("/etc/localtime", O_RDONLY)        = 10
> open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> O_DIRECTORY) = -1 ENOENT (No such file or directory)
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> Password for jyho/admin at INTRA.FOOBAR.COM: 
> open("/etc/hosts", O_RDONLY)            = 10
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> Process 19676 detached
> ________________________________________________________________________
> 
> 
> 
> And during the execution of the command I did a tail
> -f /var/log/krb5kdc.log and the following output appeared.
> 
> Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin at INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> 
> 
> 
> Am I missing something here, guys, or is it something else? Help needed,
> guys. Thanks
> 
> 
> On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> > Erm, dunno if this will help you any. This is a straight copy/paste from
> > my Wiki, which may only apply to my domain, but it sounds about right;
> > 
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > 
> > This occurs when kadmin is attempting to talk to the KDC with the wrong
> > realm. Usually this occurs if the client's default realm differs from
> > the KDC's realm.
> > 
> >       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> > 
> > Cheers,
> > ~Edward
> > 
> > On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > > Hi Guys,
> > > 
> > > This is my first email to this mailing list. I've encountered an issue
> > > with my Kerberos implementation. I've already set up my KDC and I'm able
> > > to kinit and klist my tickets. The only problem left is that I'm unable
> > > to execute kadmin on a remote client. Whenever I try to do that the
> > > following error pops up.
> > > 
> > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > 
> > > 
> > > I'm actually connecting from my client PC bar.intra.foobar.com to
> > > foo.intra.foobar.com (the KDC)
> > > 
> > > my current krb5.conf is
> > > 
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > > 
> > > [libdefaults]
> > >  default_realm = INTRA.FOOBAR.COM
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = false
> > >  ticket_lifetime = 24h
> > >  forwardable = yes
> > > 
> > > [realms]
> > >  INTRA.FOOBAR.COM = {
> > >   kdc = kerberos1.intra.foobar.com:88
> > >   admin_server = kerberos1.intra.foobar.com:749
> > >   default_domain = intra.foobar.com
> > >  }
> > > 
> > > [domain_realm]
> > >  .intra.foobar.com = INTRA.FOOBAR.COM
> > >  intra.foobar.com = INTRA.FOOBAR.COM
> > > 
> > > [kdc]
> > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > > 
> > > [appdefaults]
> > >  pam = {
> > >    debug = false
> > >    ticket_lifetime = 36000
> > >    renew_lifetime = 36000
> > >    forwardable = true
> > >    krb4_convert = false
> > >  }
> > > 
> > > *** NOTE ***	
> > > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> > > 
> > > 
> > > my current kadm5.keytab is 
> > > 
> > > slot KVNO Principal
> > > ---- ----
> > > ---------------------------------------------------------------------
> > >    1    8            kadmin/admin at INTRA.FOOBAR.COM
> > >    2    8            kadmin/admin at INTRA.FOOBAR.COM
> > >    3    4         kadmin/changepw at INTRA.FOOBAR.COM
> > >    4    4         kadmin/changepw at INTRA.FOOBAR.COM
> > >    5    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > >    6    3 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > >    7    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > >    8    4 kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > > 
> > > 
> > > my current info on the jyho/admin principals
> > > 
> > > kadmin.local:  getprinc jyho/admin
> > > Principal: jyho/admin at INTRA.FOOBAR.COM
> > > Expiration date: [never]
> > > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > > Password expiration date: [none]
> > > Maximum ticket life: 1 day 00:00:00
> > > Maximum renewable life: 0 days 00:00:00
> > > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > > (root/admin at INTRA.FOOBAR.COM)
> > > Last successful authentication: [never]
> > > Last failed authentication: [never]
> > > Failed password attempts: 0
> > > Number of keys: 2
> > > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > > Key: vno 1, DES cbc mode with CRC-32, no salt
> > > Attributes:
> > > Policy: [none]
> > > 
> > > 
> > > 
> > > my /var/log/krb5kdc.log shows
> > > 
> > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > >         jyho/admin at INTRA.FOOBAR.COM for
> > >         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > >         jyho/admin at INTRA.FOOBAR.COM for
> > >         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM
> > > 
> > > 
> > > 
> > > 
> > > and my /var/log/kadmind.log shows
> > > 
> > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > >         Request: kadm5_get_principal,
> > >         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> > >         client=jyho/admin at INTRA.FOOBAR.COM,
> > >         service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> > >         addr=10.10.10.13
> > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > >         Request: kadm5_get_principal,
> > >         kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM, success,
> > >         client=jyho/admin at INTRA.FOOBAR.COM,
> > >         service=kadmin/foo.intra.foobar.com at INTRA.FOOBAR.COM,
> > >         addr=10.10.10.13
> > >         
> > > 
> > > 
> > > *** NOTE ***
> > > Host/User	:	jyho
> > > Hostname	:	foo.intra.foobar.com
> > > Realm		:	INTRA.FOOBAR.COM
> > > 
> > > 
> > > 
> > > Any ideas on this issue, guys? Thanks.
> > > 
> > 
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
-- 
Regards,

Anthony Ho

System Administrator



