[27970] in Kerberos
Re: kadmin: GSS-API (or Kerberos) error
daemon@ATHENA.MIT.EDU (Edward Murrell)
Thu Jun 21 00:42:18 2007
From: Edward Murrell <edward@murrell.co.nz>
To: kerberos@mit.edu
In-Reply-To: <1182399647.6563.18.camel@jyho-laptop.intra.abamon.com>
Date: Thu, 21 Jun 2007 16:41:42 +1200
Message-Id: <1182400902.6786.1.camel@entropy>
Reply-To: kerberos@mit.edu
Erm, dunno if this will help you any. This is a straight copy/paste from
my Wiki, which may only apply to my domain, but it sounds about right;
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Usually this occurs if the client's default realm differs from
the KDC's realm.
* Run kadmin with the -r REALM.EXAMPLE.COM flag.
Cheers,
~Edward
On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> Hi Guys,
>
> This is my first email to this mailing list. I've encountered an issue
> with my Kerberos implementation. I've already set up my KDC and I'm able
> to kinit and klist my tickets. The only problem left is that I'm unable
> to execute kadmin on a remote client. Whenever I try to do that, the
> following error pops up.
>
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>
>
> I'm actually connecting from my client pc bar.intra.foobar.com to
> foo.intra.foobar.com(kdc)
>
> my current krb5.conf is
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = INTRA.FOOBAR.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> INTRA.FOOBAR.COM = {
> kdc = kerberos1.intra.foobar.com:88
> admin_server = kerberos1.intra.foobar.com:749
> default_domain = intra.foobar.com
> }
>
> [domain_realm]
> .intra.foobar.com = INTRA.FOOBAR.COM
> intra.foobar.com = INTRA.FOOBAR.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> *** NOTE ***
> kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
>
>
> my current kadm5.keytab is
>
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 8 kadmin/admin@INTRA.FOOBAR.COM
> 2 8 kadmin/admin@INTRA.FOOBAR.COM
> 3 4 kadmin/changepw@INTRA.FOOBAR.COM
> 4 4 kadmin/changepw@INTRA.FOOBAR.COM
> 5 3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 6 3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 7 4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 8 4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
>
>
> my current info on the jyho/admin principals
>
> kadmin.local: getprinc jyho/admin
> Principal: jyho/admin@INTRA.FOOBAR.COM
> Expiration date: [never]
> Last password change: Tue Jun 12 23:07:35 MYT 2007
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Tue Jun 12 23:07:35 MYT 2007
> (root/admin@INTRA.FOOBAR.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
>
>
> my /var/log/krb5kdc.log shows
>
> Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> 1182426770, etypes {rep=16 tkt=16 ses=16},
> jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> 1182426770, etypes {rep=16 tkt=16 ses=16},
> jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
>
>
>
>
> and my /var/log/kadmind.log shows
>
> Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> Request: kadm5_get_principal,
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> client=jyho/admin@INTRA.FOOBAR.COM,
> service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> addr=10.10.10.13
> Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> Request: kadm5_get_principal,
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> client=jyho/admin@INTRA.FOOBAR.COM,
> service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> addr=10.10.10.13
>
>
>
> *** NOTE ***
> Host/User : jyho
> Hostname : foo.intra.foobar.com
> Realm : INTRA.FOOBAR.COM
>
>
>
> Any Ideas on this issue guys? thanks.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
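
The realm comparison described in the reply above, as an added example that is not part of the original thread: a Python check that reads a krb5.conf, compares the client's default_realm with the KDC's realm, and reports when kadmin needs the -r flag. The sample configuration, host name and realm names are constructed, and the [domain_realm] walk is a simplified model of MIT krb5's lookup order.

```python
# Constructed sample: the client defaults to a different realm than the KDC serves.
SAMPLE = """
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
[realms]
 REALM.EXAMPLE.COM = {
  admin_server = kdc1.realm.example.com:749
 }
[domain_realm]
 .realm.example.com = REALM.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse [sections], relations and one level of { } (repeated keys: last wins)."""
    conf, section, sub = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section)[key] = val
    return conf

def realm_for_host(conf, host):
    """Try the host name, then each dotted/undotted parent suffix, in [domain_realm]."""
    mapping, p = conf.get("domain_realm", {}), host.lower()
    while p:
        if p in mapping:
            return mapping[p]
        p = p[1:] if p.startswith(".") else p[p.index("."):] if "." in p else ""
    return None

def check_kadmin_realm(conf_text, admin_host, kdc_realm):
    """Return findings that would make kadmin contact the wrong realm."""
    conf, findings = parse_krb5_conf(conf_text), []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default != kdc_realm:
        findings.append(f"default_realm {default} != {kdc_realm}: run kadmin -r {kdc_realm}")
    mapped = realm_for_host(conf, admin_host)
    if mapped not in (None, kdc_realm):
        findings.append(f"[domain_realm] maps {admin_host} to {mapped}")
    if "admin_server" not in conf.get("realms", {}).get(kdc_realm, {}):
        findings.append(f"no admin_server for {kdc_realm} in [realms]")
    return findings
print(check_kadmin_realm(SAMPLE, "kdc1.realm.example.com", "REALM.EXAMPLE.COM"))
```

An empty list means the client configuration already points kadmin at the expected realm, so the cause of the error lies elsewhere.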