kadmin not working after server migration, but kdc works

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Sep 20 17:21:38 EDT 2022

>> This is one of our worst error messages (see
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=8247 ).
>Yeah, no kidding. I actually looked at the source a while ago to try and
>figure out what was happening, but no luck; the location where the error
>message is printed has absolutely no link anymore with the location
>where the error occurs...

"Back in the day" I kept a build of MIT Kerberos with full debugging
symbols around, so I could use a debugger to trace down the source
of weird errors like this (things are much better now, but you still
run into these issues occasionally).

>        fcc-mit-ticketflags = true

This seems like a Heimdal-specific configuration entry, FWIW.

Russ already explained that this is probably a problem with your kdc.conf
file, so I'd start there.

>It might be that I haven't properly migrated it from single-DES to more
>modern enctypes; is this something I would be able to see if I looked at
>a dump of the database? If so, how would I go about that, and can I
>still fix this?

Look at the manpage for kdb5_util, specifically the "tabdump" subcommand.
You can easily get a list of encryption types for all principals.  The only
tricky principals to change the key of are the master key (see the procedure
in the MIT documentation) and the kadmin password history key (well, that is
straightforward, but you invalidate all password histories).


More information about the Kerberos mailing list