kadmin: GSS-API (or Kerberos) error

Edward Murrell edward@murrell.co.nz
Mon Jun 25 22:06:16 EDT 2007


Hi Anthony,

Unfortunately, I don't have access to a working Kerberos environment
where I first came across the error, so, going from memory, try
specifying everything, e.g.:

kadmin -p jyho/admin@INTRA.FOOBAR.COM -s foo.intra.foobar.com \
-r INTRA.FOOBAR.COM

Hm, actually, looking at the previous example, you may just need to add
the @INTRA.FOOBAR.COM to the -p argument.

For the second question, it's entirely possible to generate keys for one
machine on another and then copy them (using a secure method!) via
something like scp to another machine. The trick is simply to use the -k
argument in kadmin, like so:

ktadd -k /home/jyho/bar.keytab host/bar.intra.foobar.com

These days, I've got a very simple Kerberos setup, so I can't really
shed much light I'm afraid...

Cheers,
~Edward Murrell
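The two suggestions in the reply above (fully qualify the admin principal and pass -s/-r explicitly; extract a host keytab with ktadd -k and ship it over a secure channel) as one script. This is an added example, not code from either poster: the host names, realm and keytab path are the ones used in the thread, while the admin-workstation role, the temporary-file handling and the destination path /etc/krb5.keytab are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's code): qualify the admin principal with its
# realm, then export a host keytab on an admin workstation and ship it.
# Host names, realm and keytab path are the ones used in the thread; the
# admin-workstation role and /etc/krb5.keytab destination are assumptions.
set -eu

# Print the default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
  awk '
    /^[ \t]*\[/ { in_ld = ($1 == "[libdefaults]") }
    in_ld && $0 ~ /^[ \t]*default_realm[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }
  ' "$1"
}

# Append @REALM to a principal that has no realm; leave qualified ones alone.
# This is the "add the @INTRA.FOOBAR.COM to the -p argument" fix.
qualify_principal() {
  case "$1" in
    *@*) printf '%s\n' "$1" ;;
    *)   printf '%s@%s\n' "$1" "$2" ;;
  esac
}

# Print (but do not run) the fully specified kadmin command for review.
# Args: admin principal, realm, admin server, keytab path, service principal.
kadmin_ktadd_cmd() {
  printf 'kadmin -p %s -s %s -r %s -q "ktadd -k %s %s"\n' \
    "$(qualify_principal "$1" "$2")" "$3" "$2" "$4" \
    "$(qualify_principal "$5" "$2")"
}

# Export host/<target>'s keytab on this machine and copy it over SSH.
# Caveat: ktadd generates a new random key (the kvno goes up), so any keytab
# the target already holds for that principal stops working once this runs.
export_host_keytab() {
  admin="$1" realm="$2" admin_server="$3" target="$4"
  kt=$(mktemp)
  chmod 600 "$kt"                         # a keytab is a long-term secret
  kadmin -p "$(qualify_principal "$admin" "$realm")" \
         -s "$admin_server" -r "$realm" \
         -q "ktadd -k $kt host/$target@$realm"
  klist -k -t "$kt"                       # check kvno/enctypes before shipping
  scp -p "$kt" "root@$target:/etc/krb5.keytab"
  rm -f "$kt"
}

# Stand-alone dry run against a constructed krb5.conf fragment.
conf=$(mktemp)
cat >"$conf" <<'EOF'
[libdefaults]
 default_realm = INTRA.FOOBAR.COM
 dns_lookup_kdc = false
[realms]
 INTRA.FOOBAR.COM = {
  kdc = kerberos1.intra.foobar.com:88
  admin_server = kerberos1.intra.foobar.com:749
 }
EOF
realm=$(krb5_default_realm "$conf")
kadmin_ktadd_cmd jyho/admin "$realm" foo.intra.foobar.com \
  /home/jyho/bar.keytab host/bar.intra.foobar.com
rm -f "$conf"
```

Run the dry run first and compare the printed command with what you typed by hand; only call export_host_keytab once you accept that the target's existing key for host/bar.intra.foobar.com will be invalidated.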

On Tue, 2007-06-26 at 09:31 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> Anyone got better ideas for solving this problem? I've been stuck on this
> for quite some time now. 
> 
> One question, guys: is it important to use kadmin on the remote machine?
> 
> As far as I know, to add a remote machine we must log in to each machine and
> do a kadmin on it in order to add them into the KDC's machine database.
> Is that true? Correct me if I'm wrong. 
> 
> On Sat, 2007-06-23 at 10:22 +0800, Anthony Ho wrote:
> > Hi Guys,
> > 
> > I've tested the given solution but to no avail.
> > 
> > I did a strace on kadmin at the remote client and the following is the
> > output of it.
> > 
> > [root@bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
> > open("/etc/ld.so.cache", O_RDONLY)      = 3
> > open("/lib/libss.so.2", O_RDONLY)       = 3
> > open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
> > open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
> > open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
> > open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
> > open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
> > open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
> > open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> > open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
> > open("/lib/libresolv.so.2", O_RDONLY)   = 3
> > open("/lib/libdl.so.2", O_RDONLY)       = 3
> > open("/lib/libc.so.6", O_RDONLY)        = 3
> > open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
> > open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
> > open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> > = 3
> > open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> > = 4
> > Authenticating as principal jyho/admin with password.
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
> > open("/etc/resolv.conf", O_RDONLY)      = 5
> > open("/etc/nsswitch.conf", O_RDONLY)    = 5
> > open("/etc/ld.so.cache", O_RDONLY)      = 5
> > open("/lib/libnss_files.so.2", O_RDONLY) = 5
> > open("/etc/host.conf", O_RDONLY)        = 5
> > open("/etc/hosts", O_RDONLY)            = 5
> > open("/etc/ld.so.cache", O_RDONLY)      = 5
> > open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
> > open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> > O_DIRECTORY) = 5
> > open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
> > open("/etc/ld.so.cache", O_RDONLY)      = 6
> > open("/usr/lib/libssl3.so", O_RDONLY)   = 6
> > open("/usr/lib/libsmime3.so", O_RDONLY) = 6
> > open("/usr/lib/libnss3.so", O_RDONLY)   = 6
> > open("/usr/lib/libplds4.so", O_RDONLY)  = 6
> > open("/usr/lib/libplc4.so", O_RDONLY)   = 6
> > open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
> > open("/lib/libpthread.so.0", O_RDONLY)  = 6
> > open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
> > open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
> > open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
> > open("/dev/urandom", O_RDONLY)          = 5
> > open("/dev/urandom", O_RDONLY)          = 5
> > open("/etc/passwd", O_RDONLY)           = 5
> > open("/tmp", O_RDONLY)                  = 5
> > open("/var/tmp", O_RDONLY)              = 5
> > open("/usr/tmp", O_RDONLY)              = 5
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
> > open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
> > open("/etc/ld.so.cache", O_RDONLY)      = 7
> > open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
> > open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
> > open("/usr/lib/libz.so.1", O_RDONLY)    = 7
> > open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
> > open("/lib/libm.so.6", O_RDONLY)        = 7
> > open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
> > open("/etc/ld.so.cache", O_RDONLY)      = 7
> > open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
> > open("/var/run/pcscd.pub", O_RDONLY)    = 7
> > open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
> > O_APPEND, 0700) = -1 EEXIST (File exists)
> > open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
> > open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
> > or directory)
> > open("/etc/localtime", O_RDONLY)        = 10
> > open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> > O_DIRECTORY) = -1 ENOENT (No such file or directory)
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > Password for jyho/admin@INTRA.FOOBAR.COM: 
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > Process 19676 detached
> > ________________________________________________________________________
> > 
> > 
> > 
> > And during the execution of the command I did a tail
> > -f /var/log/krb5kdc.log and the following output appears.
> > 
> > Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > 
> > 
> > Am I missing something here guys or is it something else? Help needed
> > guys. Thanks
> > 
> > 
> > On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> > > Erm, dunno if this will help you any. This is a straight copy/paste from
> > > my Wiki, which may only apply to my domain, but it sounds about right;
> > > 
> > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > 
> > > This occurs when kadmin is attempting to talk to the KDC with the wrong
> > > realm. Usually this occurs if the client's default realm differs from
> > > the KDC's realm.
> > > 
> > >       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> > > 
> > > Cheers,
> > > ~Edward
> > > 
> > > On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > > > Hi Guys,
> > > > 
> > > > This is my first email to this mailing list. I've encountered some issue
> > > > with my Kerberos implementation. I've already set up my KDC and I'm able
> > > > to kinit and klist my tickets. The only problem left is that I'm unable
> > > > to execute kadmin on a remote client. Whenever I try to do that the
> > > > following error pops up.
> > > > 
> > > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > > 
> > > > 
> > > > I'm actually connecting from my client pc bar.intra.foobar.com to
> > > > foo.intra.foobar.com(kdc)
> > > > 
> > > > my current krb5.conf is
> > > > 
> > > > [logging]
> > > >  default = FILE:/var/log/krb5libs.log
> > > >  kdc = FILE:/var/log/krb5kdc.log
> > > >  admin_server = FILE:/var/log/kadmind.log
> > > > 
> > > > [libdefaults]
> > > >  default_realm = INTRA.FOOBAR.COM
> > > >  dns_lookup_realm = false
> > > >  dns_lookup_kdc = false
> > > >  ticket_lifetime = 24h
> > > >  forwardable = yes
> > > > 
> > > > [realms]
> > > >  INTRA.FOOBAR.COM = {
> > > >   kdc = kerberos1.intra.foobar.com:88
> > > >   admin_server = kerberos1.intra.foobar.com:749
> > > >   default_domain = intra.foobar.com
> > > >  }
> > > > 
> > > > [domain_realm]
> > > >  .intra.foobar.com = INTRA.FOOBAR.COM
> > > >  intra.foobar.com = INTRA.FOOBAR.COM
> > > > 
> > > > [kdc]
> > > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > > > 
> > > > [appdefaults]
> > > >  pam = {
> > > >    debug = false
> > > >    ticket_lifetime = 36000
> > > >    renew_lifetime = 36000
> > > >    forwardable = true
> > > >    krb4_convert = false
> > > >  }
> > > > 
> > > > *** NOTE ***
> > > > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> > > > 
> > > > 
> > > > my current kadm5.keytab is 
> > > > 
> > > > slot KVNO Principal
> > > > ---- ----
> > > > ---------------------------------------------------------------------
> > > >    1    8            kadmin/admin@INTRA.FOOBAR.COM
> > > >    2    8            kadmin/admin@INTRA.FOOBAR.COM
> > > >    3    4         kadmin/changepw@INTRA.FOOBAR.COM
> > > >    4    4         kadmin/changepw@INTRA.FOOBAR.COM
> > > >    5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    6    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    8    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > my current info on the jyho/admin principals
> > > > 
> > > > kadmin.local:  getprinc jyho/admin
> > > > Principal: jyho/admin@INTRA.FOOBAR.COM
> > > > Expiration date: [never]
> > > > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > > > Password expiration date: [none]
> > > > Maximum ticket life: 1 day 00:00:00
> > > > Maximum renewable life: 0 days 00:00:00
> > > > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > > > (root/admin@INTRA.FOOBAR.COM)
> > > > Last successful authentication: [never]
> > > > Last failed authentication: [never]
> > > > Failed password attempts: 0
> > > > Number of keys: 2
> > > > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > > > Key: vno 1, DES cbc mode with CRC-32, no salt
> > > > Attributes:
> > > > Policy: [none]
> > > > 
> > > > 
> > > > 
> > > > my /var/log/krb5kdc.log shows
> > > > 
> > > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > > >         jyho/admin@INTRA.FOOBAR.COM for
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > > >         jyho/admin@INTRA.FOOBAR.COM for
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > 
> > > > 
> > > > and my /var/log/kadmind.log shows
> > > > 
> > > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > > >         Request: kadm5_get_principal,
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > > >         addr=10.10.10.13
> > > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > > >         Request: kadm5_get_principal,
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > > >         addr=10.10.10.13
> > > >         
> > > > 
> > > > 
> > > > *** NOTE ***
> > > > Host/User	:	jyho
> > > > Hostname	:	foo.intra.foobar.com
> > > > Realm		:	INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > 
> > > > Any ideas on this issue, guys? Thanks.
> > > > 
> > > 
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > 
