remote kadmin fails

Jeremy Hunt jeremyh at optimation.com.au
Thu Jun 23 21:06:03 EDT 2011


Hi Matt or Vivien,

There is not enough information here, however I did notice:

1. REALM2 would have to be defined with its servers in your configuration files on the machine you are running kadmin on. This is so the kadmin program knows which remote system the kadmin daemon is running on and so can attempt a connection.
2. If the configuration files are correct then the kadmin logs on the remote system may have some useful information. Your local machine would not be expected to log errors from a remote machine.
3. I am assuming admin/fqdn1 is the administration principal in REALM1. On the remote system I would expect the administration principal for REALM2 to be admin/fqdn2.
4. If the entry for admin/fqdn2 is not in the keytab admin.fqdn1, then copy the keytab admin.fqdn2 to your local system.
5. If there is an authentication failure, you might find an error in the kdc logs rather than the kadmin logs.

So:
1. Check your configuration files are set up properly; you have to define both realms in them.
2. Check the kdc logs and the kadmin logs on your local and your remote masters.
3. Make sure you have the correct keytab files and entries.
4. Try this command after your configuration files and keytabs are correct:

kadmin -kt /etc/keytabs/admin.fqdn2.keytab -p admin/fqdn2 -r REALM2

Good Luck,

Jeremy

Vivien Mura wrote:
> Hello,
>
> we are running kerberos v1.8.1 and trying to run kadmin from REALM1 to
> REALM2 by:
>
> kadmin -kt /etc/keytabs/admin.fqdn1.keytab -p admin/fqdn1 -r REALM2
>
> but it doesn't work. The message in the console is:
>
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>
> and there is no error in the kdc/kadmin log.
> If we change "-r REALM2" to "-r REALM1", it works and we can administrate
> the local kdc.
>
> Can you help us please?
>
> Thank you,
>
> Matt
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
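
The local checks from the reply above (target realm defined in the configuration file, keytab holding the admin principal), as an added example that is not part of the original thread. The function names, the sample krb5.conf and the example.test host names are constructed for illustration; `klist -k` is the MIT command that lists keytab entries.

```shell
# Added example: local pre-flight checks before running "kadmin -r REALM2".
# realm_admin_server FILE REALM: print each admin_server listed for REALM under
# [realms] in FILE; exit status 0 if one was found, 1 otherwise.
realm_admin_server() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); depth = 0; next }
        !in_realms { next }
        depth == 0 && /=[ \t]*\{/ {                 # "NAME = {" opens a realm
            name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name)
            depth = 1; next
        }
        depth > 0 && /\{/ { depth++; next }         # nested subsection
        depth > 0 && /\}/ { depth--; next }
        depth == 1 && name == realm && /^[ \t]*admin_server[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print val; found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# keytab_has_principal KEYTAB PRINCIPAL@REALM: true if klist -k lists the entry.
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | awk -v p="$2" '$2 == p { f = 1 } END { exit !f }'
}

# Constructed sample: REALM1 complete, REALM2 without admin_server (placeholder hosts).
write_sample_conf() {
    cat > "$1" <<'EOF'
[realms]
    REALM1 = {
        kdc = kdc1.example.test
        admin_server = kdc1.example.test
    }
    REALM2 = {
        kdc = kdc2.example.test
    }
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
for r in REALM1 REALM2; do
    srv=$(realm_admin_server "$conf" "$r") && echo "$r: admin_server = $srv" \
        || echo "$r: no admin_server in krb5.conf"
done
rm -f "$conf"
```

On a real client, point `realm_admin_server` at the krb5.conf in use and `keytab_has_principal` at the keytab passed to `kadmin -kt`, with the principal written in full as `name@REALM`.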



