remote kadmin fails

Jeremy Hunt jeremyh at optimation.com.au
Sun Jun 26 21:05:31 EDT 2011 

Hi again,

I did a quick test, and you do need the the remote domain and its admin server defined in your kerberos conf file for kadmin to work. So the '-s' option appears to be redundant :( .

Moral, get your kerberos configuration right.

Jeremy



Jeremy Hunt wrote:
>
> Hi people (I am not too sure who I am talking to, probably Matt),
>
> I don't think what I described was cross-realm authentication. It is more like running a client program to connect to a remote server.
>
> kadmin is a client program. With my suggested arguments you are telling the kadmin program to use a kerberos domain (or realm if you prefer), and you are telling it to use a kerberos principal and a specific key table file. As a client program it will read your krb5.conf file and lookup the admin server for that realm (or domain if you prefer that term) and it will look for the named principal's key in the specified key table file. If all is correctly configured it should connect to the port kadmind is using on the remote machine, using the realm the remote machine administers and using the correct key with a matching principal name to authenticate itself.
>
> Under those conditions you could use the kadmin client program on a machine that did not otherwise have kerberos installed. I see it as using a mail client like 'seabird' to connect to a gmail.com account, most people can do that whatever internet domain they are running the mail client on.
>
> I think cross-realm authentication is a little trickier than what I describe and what I thought you were attempting. Do you need cross-realm authentication and if so why? If all you want to do is administer a remote system then I do not think it is worth the trouble. If you have to link the two realms for some reason other than you want to administer them from the same machine, then you would consider it.
>
> I hope this clarifies things,
>
> Jeremy Hunt
>
> PS: Note that in my first reply I purposefully used a different keytab file for the remote realm because I don't think there is a way to export the key into a file without generating a new version number. Without looking at the code or more simply testing I cannot guarantee that joining two keytab files with something like 'cat' will work.
>
> PPS: I also note there is a '-s' argument to the kadmin program. This defines both the remote server machine and the kadmind port. so you might not even need your configuration file set up correctly for it to work. Try it. :)
>
> tartarapoint at gmail.com wrote:
>> Hi Jeremy,
>>
>> Thank you for your answer.
>> From your point 4 ('If the entry for admin/fqdn2 is not in the keytab admin.fqdn1, then copy the keytab admin.fqdn2 to your local system'), I deduce that we can do cross realm authentication with kadmin. Is it right?
>>
>>
>> 2011/6/24 Jeremy Hunt <jeremyh at optimation.com.au <mailto:jeremyh at optimation.com.au>>
>>
>>
>>     Hi Matt or Vivien,
>>
>>     There is not enough information here, however I did notice:
>>
>>     1. REALM2 would have to be defined with its servers in your configuration files on the machine you are running kadmin on. This is so the kadmin program knows which remote system the kadmin daemon is running on and so can attempt a connection.
>>     2. If the configuration files are correct then the kadmin logs on the remote system may have some useful information. Your local machine would not be expected to log errors from a remote machine.
>>     3. I am assuming admin/fqdn1 is the administration principal in REALM1. On the remote system I would expect the administration principal for REALM2 to be admin/fqdn2.
>>     4. If the entry for admin/fqdn2 is not in the keytab admin.fqdn1, then copy the keytab admin.fqdn2 to your local system.
>>     5. If there is a authentication failure, you might find an error in the kdc logs rather than the kadmin logs.
>>
>>     So:
>>     1. Check your configuration files are set up properly, you have to define both realms in them.
>>     2. Check the kdc logs and the kadmin logs on your local and your remote masters.
>>     3. Make sure you have the correct keytab files and entries.
>>     4. Try this command after your configuration files and keytabs are correct:
>>
>>     kadmin -kt /etc/keytabs/admin.fqdn2.keytab -p admin/fqdn2 -r REALM2
>>
>>     Good Luck,
>>
>>     Jeremy
>>
>>      V wrote:
>>
>>         Hello,
>>
>>         we are running kerberos v1.8.1 and trying to run kadmin from REALM1 to
>>         REALM2 by:
>>
>>         *kadmin -kt /etc/keytabs/admin.fqdn1.keytab -p admin/fqdn1 -r REALM2*
>>
>>         but it doesn't work. The message in the console is:
>>         *
>>         kadmin: GSS-API (or Kerberos) error while initializing kadmin interface*
>>
>>         and there is no error in the kdc/kadmin log.
>>         If we change "-r REALM2" by "-r REALM1", it works and we can administrate
>>         local kdc.
>>
>>         Can you help us please?
>>
>>         Thank you,
>>
>>         Matt
>>         ________________________________________________
>>         Kerberos mailing list Kerberos at mit.edu <mailto:Kerberos at mit.edu>
>>         https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
>

More information about the Kerberos mailing list