remote kadmin fails

Jeremy Hunt jeremyh at optimation.com.au
Sun Jun 26 20:31:56 EDT 2011


   Hi people (I am not too sure who I am talking to, probably Matt),
   I don't think what I described was cross-realm authentication. It is
   more like running a client program to connect to a remote server.
   kadmin is a client program. With my suggested arguments you are
   telling the kadmin program to use a kerberos domain (or realm if you
   prefer), and you are telling it to use a kerberos principal and a
   specific key table file. As a client program it will read your
   krb5.conf file and look up the admin server for that realm (or domain
   if you prefer that term) and it will look for the named principal's
   key in the specified key table file. If all is correctly configured it
   should connect to the port kadmind is using on the remote machine,
   using the realm the remote machine administers and using the correct
   key with a matching principal name to authenticate itself.
   Under those conditions you could use the kadmin client program on a
   machine that did not otherwise have kerberos installed. I see it as
   using a mail client like 'seabird' to connect to a gmail.com account,
   most people can do that whatever internet domain they are running the
   mail client on.
   I think cross-realm authentication is a little trickier than what I
   describe and what I thought you were attempting. Do you need
   cross-realm authentication and if so why? If all you want to do is
   administer a remote system then I do not think it is worth the
   trouble. If you have to link the two realms for some reason other than
   you want to administer them from the same machine, then you would
   consider it.
   I hope this clarifies things,
   Jeremy Hunt
   PS: Note that in my first reply I purposefully used a different keytab
   file for the remote realm because I don't think there is a way to
   export the key into a file without generating a new version number.
   Without looking at the code or more simply testing I cannot guarantee
   that joining two keytab files with something like 'cat' will work.
   PPS: I also note there is a '-s' argument to the kadmin program. This
   defines both the remote server machine and the kadmind port, so you
   might not even need your configuration file set up correctly for it to
   work. Try it. :)
   [1]tartarapoint at gmail.com wrote:

     Hi Jeremy,
     Thank you for your answer.
     From your point 4 ('If the entry for admin/fqdn2 is not in the
     keytab admin.fqdn1, then copy the keytab admin.fqdn2 to your local
     system'), I deduce that we can do cross realm authentication with
     kadmin. Is it right?

   2011/6/24 Jeremy Hunt <[2]jeremyh at optimation.com.au>

     Hi Matt or Vivien,
     There is not enough information here, however I did notice:
     1. REALM2 would have to be defined with its servers in your
     configuration files on the machine you are running kadmin on. This
     is so the kadmin program knows which remote system the kadmin
     daemon is running on and so can attempt a connection.
     2. If the configuration files are correct then the kadmin logs on
     the remote system may have some useful information. Your local
     machine would not be expected to log errors from a remote machine.
     3. I am assuming admin/fqdn1 is the administration principal in
     REALM1. On the remote system I would expect the administration
     principal for REALM2 to be admin/fqdn2.
     4. If the entry for admin/fqdn2 is not in the keytab admin.fqdn1,
     then copy the keytab admin.fqdn2 to your local system.
     5. If there is an authentication failure, you might find an error in
     the kdc logs rather than the kadmin logs.
     So:
     1. Check your configuration files are set up properly, you have to
     define both realms in them.
     2. Check the kdc logs and the kadmin logs on your local and your
     remote masters.
     3. Make sure you have the correct keytab files and entries.
     4. Try this command after your configuration files and keytabs are
     correct:
     kadmin -kt /etc/keytabs/admin.fqdn2.keytab -p admin/fqdn2 -r REALM2
     Good Luck,
     Jeremy
      V wrote:

   Hello,
   we are running kerberos v1.8.1 and trying to run kadmin from REALM1 to
   REALM2 by:
   *kadmin -kt /etc/keytabs/admin.fqdn1.keytab -p admin/fqdn1 -r REALM2*
   but it doesn't work. The message in the console is:
   *kadmin: GSS-API (or Kerberos) error while initializing kadmin interface*
   and there is no error in the kdc/kadmin log.
   If we change "-r REALM2" to "-r REALM1", it works and we can administrate
   the local kdc.
   Can you help us please?
   Thank you,
   Matt

     ________________________________________________
     Kerberos mailing list           [3]Kerberos at mit.edu
     [4]https://mailman.mit.edu/mailman/listinfo/kerberos
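The checklist in Jeremy's first reply (define REALM2 with its servers in krb5.conf, hold a keytab with the REALM2 admin principal, then run kadmin with -kt/-p/-r) and the -s fallback from his PPS, as an added pre-flight script that is not part of the thread. The krb5.conf, hostnames and `klist -kt` output are constructed samples; MIT krb5.conf syntax and MIT kadmin's `-s admin_server[:port]` option are assumed.

```shell
#!/bin/sh
# Pre-flight checks before running kadmin against a remote realm (added example,
# not from the thread). Assumes MIT krb5.conf syntax and `klist -kt` output format.

# Constructed krb5.conf defining both realms, as point 1 of the checklist requires.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[realms]
    REALM1 = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    REALM2 = {
        kdc = kdc2.example.org
        admin_server = kdc2.example.org:749
    }
EOF

# Print the admin_server for a realm in a krb5.conf; prints nothing if the realm is absent.
realm_admin_server() {  # $1 realm, $2 krb5.conf path
  awk -v realm="$1" '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /\[realms\]/); in_block = 0; next }
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
    in_block && $1 == "}" { in_block = 0 }
    in_block && $1 == "admin_server" && $2 == "=" { print $3; exit }
  ' "$2"
}

# Succeed if `klist -kt <keytab>` output on stdin lists the full principal ($1).
# The principal must belong to the realm being administered: a REALM1 key cannot
# authenticate to REALM2's kadmind, which is the failure in the original post.
keytab_has_principal() {  # $1 principal@REALM; stdin = `klist -kt` output
  awk -v p="$1" '$NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print the kadmin command to run. With an explicit server ($5) emit -s (the PPS
# fallback); otherwise require the realm to carry an admin_server in krb5.conf.
kadmin_cmd() {  # $1 realm, $2 principal, $3 keytab, $4 krb5.conf, $5 optional admin_server[:port]
  if [ -n "$5" ]; then
    echo "kadmin -s $5 -kt $3 -p $2 -r $1"; return 0
  fi
  [ -n "$(realm_admin_server "$1" "$4")" ] ||
    { echo "realm $1 has no admin_server in $4; pass admin_server[:port] for -s" >&2; return 1; }
  echo "kadmin -kt $3 -p $2 -r $1"
}

# Constructed `klist -kt` output for the REALM2 admin keytab (sample, not real).
SAMPLE_KLIST='Keytab name: FILE:/etc/keytabs/admin.fqdn2.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/24/2011 10:00:00 admin/fqdn2@REALM2'
```

Against a real host, replace SAMPLE_KLIST with `klist -kt /etc/keytabs/admin.fqdn2.keytab | keytab_has_principal admin/fqdn2@REALM2` and pass /etc/krb5.conf to kadmin_cmd.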

References

   1. mailto:tartarapoint at gmail.com
   2. mailto:jeremyh at optimation.com.au
   3. mailto:Kerberos at mit.edu
   4. https://mailman.mit.edu/mailman/listinfo/kerberos
