Cross Realm Administration?

Jeff draht jdraht at
Fri Jan 7 16:12:44 EST 2011

We are testing Single Signon;

I have a MS2008 KDC and AD server are one in the same, and a
Solaris_10 ldap Client in a SAP environment which we seem to have
partially kerberized. I can do a klist, klist -k and see my keytab...

single signon works for the most part, we can login and authenticate
against the AD Server.
We used the provided by SUN/Oracle to establish a Kerberos
Client Conenction.

I have even merged a few userid entries to the keytab. I can list them
out. klist -k

I can kinit userid w/o issue. All ldap client commands function just

I created the keytabs for one userid manually and the other I had the
PC team create using ktpass as per the Instructios on MS TechNet.  He
created a key and I merged in on the solaris machine. I can see the
entries just fine.

What I cannot do is make kadmin work so that I can do remote kerberos
administration or get the seam tool to authenticate?

When I run kadmin I get the following error;

We have a  default REALM, i just did not want to post it all over the

Authenticating as principal jdraht/admin at REALM with password.
kadmin: Client not found in Kerberos database while initializing
kadmin interface

When I run seam tool it populates 2 of 4 fields correctly and I add
jdraht/admin at REALM and the password I get "Client not found in
kerberos database?"

The PC Admins claim that all fields are correct, they show me
snapshots.  Also, they claim that the DC's replicated the info fine.

I am out of ideas?  I have been and am reading every blog, support doc
out there and am trying suggestions w/negres...

Sun helped with the LDAP, but claim that kerberos and AD is not their
area of expertise?

Also and this may be related, the SAP DBA's are trying to use SNC and
there seems to be an issue there?  Maybe a Library issue or related to
the above? Not sure yet? One problem at a time?

Has anyone gone thru this exercise?

If you have any suggestions? or can point me in a direction for
support, please advise?

Thanks, Jeff

More information about the Kerberos mailing list