remote kadmin fails

Vivien Mura vivien.mura at gmail.com
Fri Jun 24 05:35:28 EDT 2011


Hi Jeremy,

Thank you for your answer.
From your point 4 ('If the entry for admin/fqdn2 is not in the keytab
admin.fqdn1, then copy the keytab admin.fqdn2 to your local system'), I
deduce that we can do cross-realm authentication with kadmin. Is that right?


2011/6/24 Jeremy Hunt <jeremyh at optimation.com.au>

>
> Hi Matt or Vivien,
>
> There is not enough information here, however I did notice:
>
> 1. REALM2 would have to be defined with its servers in your configuration
> files on the machine you are running kadmin on. This is so the kadmin
> program knows which remote system the kadmin daemon is running on and so can
> attempt a connection.
> 2. If the configuration files are correct then the kadmin logs on the
> remote system may have some useful information. Your local machine would not
> be expected to log errors from a remote machine.
> 3. I am assuming admin/fqdn1 is the administration principal in REALM1. On
> the remote system I would expect the administration principal for REALM2 to
> be admin/fqdn2.
> 4. If the entry for admin/fqdn2 is not in the keytab admin.fqdn1, then copy
> the keytab admin.fqdn2 to your local system.
> 5. If there is an authentication failure, you might find an error in the kdc
> logs rather than the kadmin logs.
>
> So:
> 1. Check your configuration files are set up properly, you have to define
> both realms in them.
> 2. Check the kdc logs and the kadmin logs on your local and your remote
> masters.
> 3. Make sure you have the correct keytab files and entries.
> 4. Try this command after your configuration files and keytabs are correct:
>
> kadmin -kt /etc/keytabs/admin.fqdn2.keytab -p admin/fqdn2 -r REALM2
>
> Good Luck,
>
> Jeremy
>
> Vivien Mura wrote:
>
>> Hello,
>>
>> we are running kerberos v1.8.1 and trying to run kadmin from REALM1 to
>> REALM2 by:
>>
>> kadmin -kt /etc/keytabs/admin.fqdn1.keytab -p admin/fqdn1 -r REALM2
>>
>> but it doesn't work. The message in the console is:
>>
>> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>>
>> and there is no error in the kdc/kadmin log.
>> If we change "-r REALM2" to "-r REALM1", it works and we can administer
>> the local kdc.
>>
>> Can you help us please?
>>
>> Thank you,
>>
>> Matt
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>


