[27256] in Kerberos
Re: Cannot initialize GSS-API authentication, failing.
daemon@ATHENA.MIT.EDU (Edward Murrell)
Wed Jan 24 21:53:41 2007
Message-ID: <45B81B92.50704@dlconsulting.com>
Date: Thu, 25 Jan 2007 15:53:06 +1300
From: Edward Murrell <edward@dlconsulting.com>
To: kerberos@mit.edu
In-Reply-To: <45B818FC.5090308@kickflop.net>
Reply-To: kerberos@mit.edu

I don't know if this is exactly the error (since I'm running all MIT on
Linux here), but my Wiki had the following entry:

Error: kadmin: GSS-API (or Kerberos) error while initializing kadmin
interface

This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Usually this occurs if the client's default realm differs from
the KDC's realm.

* Run kadmin with the -r REALM.EXAMPLE.COM flag.

I do remember at one point I had to run something like the following to
get things to work:

kadmin -r MYREALM.COM -s server.full.domain.com -p edward/admin@MYREALM.COM

Hope this helps! Let us know how you get on.

Regards
Edward Murrell

Jeff Blaine wrote:
> This doesn't look too promising. Any help, again, would
> be greatly appreciated.
>
> Solaris 10 6/06 release. Setting up a master KDC from scratch.
>
> ====================================================================
> See further down for spammy kadmin.local set up output that
> was generated seconds before the following:
>
> bash-3.00# svcadm enable -r network/security/krb5kdc
> bash-3.00# svcs -l krb5kdc
> fmri svc:/network/security/krb5kdc:default
> name Kerberos key distribution center
> enabled true
> state online <-------------- good
> next_state none
> state_time Wed Jan 24 21:29:00 2007
> logfile /var/svc/log/network-security-krb5kdc:default.log
> restarter svc:/system/svc/restarter:default
> contract_id 100
> dependency require_all/error svc:/network/dns/client (online)
> bash-3.00# svcadm enable -r network/security/kadmin
> bash-3.00# svcs -l kadmin
> fmri svc:/network/security/kadmin:default
> name Kerberos administration daemon
> enabled true
> state maintenance <-------------- bad
> next_state none
> state_time Wed Jan 24 21:29:19 2007
> logfile /var/svc/log/network-security-kadmin:default.log
> restarter svc:/system/svc/restarter:default
> contract_id
> dependency require_all/error svc:/network/dns/client (online)
> bash-3.00#
> ====================================================================
> bash-3.00# /usr/sbin/kadmin -p jblaine/admin
> Authenticating as principal jblaine/admin@JBTEST with password.
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> ====================================================================
> bash-3.00# kinit -p jblaine/admin
> Password for jblaine/admin@JBTEST:
> bash-3.00# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jblaine/admin@JBTEST
>
> Valid starting Expires Service principal
> 01/24/07 21:29:58 01/25/07 21:29:58 krbtgt/JBTEST@JBTEST
> renew until 01/31/07 21:29:58
> bash-3.00#
> ====================================================================
> /var/adm/kadmin.log has this useful message repeating:
>
> Jan 24 21:29:18 mega1.mitre.org kadmind[1125](Error): Cannot initialize
> GSS-API authentication, failing.
> ====================================================================
> For what it's worth, here are the set up commands I entered
> seconds BEFORE what you see in the screen pastes that start
> this email:
>
> bash-3.00# kadmin.local
> Authenticating as principal root/admin@JBTEST with password.
> kadmin.local: addprinc jblaine/admin
> WARNING: no policy specified for jblaine/admin@JBTEST; defaulting to no
> policy
> Enter password for principal "jblaine/admin@JBTEST":
> Re-enter password for principal "jblaine/admin@JBTEST":
> Principal "jblaine/admin@JBTEST" created.
> kadmin.local: addprinc -randkey kiprop/mega1.mitre.org
> WARNING: no policy specified for kiprop/mega1.mitre.org@JBTEST;
> defaulting to no policy
> Principal "kiprop/mega1.mitre.org@JBTEST" created.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/mega1.mitre.org
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/mega1.mitre.org
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
> type DES cbc mode with RSA-MD5 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
> Entry for principal kadmin/changepw with kvno 3, encryption type AES-128
> CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type Triple
> DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
> with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc
> mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/mega1.mitre.org
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> Triple DES cbc mode with HMAC/sha1 added to keytab
> WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
> DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
> kadmin.local: quit
> bash-3.00#
> ====================================================================
> I am following this document. Yeah, it's Solaris Kerberos. But
> it's MIT Kerberos too.
>
> http://docs.sun.com/app/docs/doc/816-4557/6maosrjl2?a=view
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
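
Added example, not part of either post: a pre-flight check for the realm mismatch described in the reply, comparing the client's default_realm with the KDC's realm and printing the -r form of the kadmin command when they differ. The function names, the sample krb5.conf contents and the OTHER.EXAMPLE realm are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): detect a client/KDC realm mismatch
# before running kadmin, and print the -r form suggested in the reply.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Append @REALM to a principal that does not already name a realm.
qualify() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# realm_check CONF KDC_REALM PRINCIPAL
# Returns 0 if the client default realm equals KDC_REALM (realm names are
# case-sensitive), 1 on mismatch, 2 if CONF sets no default_realm.
realm_check() {
    client=$(default_realm "$1")
    princ=$(qualify "$3" "$2")
    if [ -z "$client" ]; then
        echo "no default_realm in $1; try: kadmin -r $2 -p $princ"
        return 2
    elif [ "$client" = "$2" ]; then
        echo "ok: default realm $client matches the KDC realm"
        return 0
    fi
    echo "mismatch: client=$client kdc=$2; try: kadmin -r $2 -p $princ"
    return 1
}

# Constructed sample krb5.conf whose default realm differs from the KDC's.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[libdefaults]
    default_realm = OTHER.EXAMPLE
    dns_lookup_kdc = false
EOF
realm_check "$conf" JBTEST jblaine/admin || true
rm -f "$conf"
```

On a real client, pass the path of its krb5.conf as the first argument (/etc/krb5/krb5.conf on Solaris, /etc/krb5.conf on most Linux systems).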