kadmin: GSS-API (or Kerberos) error #2

Hi Guys,

This is my first email to this mailing list. I've encountered some issues
with my Kerberos implementation. I've already set up my KDC and I'm able
to kinit and klist my tickets. The only problem left is that I'm unable
to execute kadmin on a remote client. Whenever I try to do that, the
following error pops up.

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


I'm actually connecting from my client PC bar.intra.foobar.com to
foo.intra.foobar.com (the KDC).

My current krb5.conf is:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INTRA.FOOBAR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 INTRA.FOOBAR.COM = {
  kdc = kerberos1.intra.foobar.com:88
  admin_server = kerberos1.intra.foobar.com:749
  default_domain = intra.foobar.com
 }

[domain_realm]
 .intra.foobar.com = INTRA.FOOBAR.COM
 intra.foobar.com = INTRA.FOOBAR.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

*** NOTE ***	
kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com


My current kadm5.keytab is:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    8            kadmin/admin@INTRA.FOOBAR.COM
   2    8            kadmin/admin@INTRA.FOOBAR.COM
   3    4         kadmin/changepw@INTRA.FOOBAR.COM
   4    4         kadmin/changepw@INTRA.FOOBAR.COM
   5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
   6    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
   7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
   8    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM


My current info on the jyho/admin principal:

kadmin.local:  getprinc jyho/admin
Principal: jyho/admin@INTRA.FOOBAR.COM
Expiration date: [never]
Last password change: Tue Jun 12 23:07:35 MYT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Jun 12 23:07:35 MYT 2007
(root/admin@INTRA.FOOBAR.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]



My /var/log/krb5kdc.log shows:

        Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
        (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
        1182426770, etypes {rep=16 tkt=16 ses=16},
        jyho/admin@INTRA.FOOBAR.COM for
        kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
        Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
        (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
        1182426770, etypes {rep=16 tkt=16 ses=16},
        jyho/admin@INTRA.FOOBAR.COM for
        kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM




and my /var/log/kadmind.log shows:

        Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
        Request: kadm5_get_principal,
        kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
        client=jyho/admin@INTRA.FOOBAR.COM,
        service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
        addr=10.10.10.13
        Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
        Request: kadm5_get_principal,
        kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
        client=jyho/admin@INTRA.FOOBAR.COM,
        service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
        addr=10.10.10.13
        


*** NOTE ***
Host/User	:	jyho
Hostname	:	foo.intra.foobar.com
Realm		:	INTRA.FOOBAR.COM



Any ideas on this issue, guys? Thanks.

-- 
Regards,

Anthony Ho

System Administrator



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

jyho (6)
6/21/2007 4:20:47 AM

Erm, dunno if this will help you any. This is a straight copy/paste from
my Wiki, which may only apply to my domain, but it sounds about right:

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Usually this occurs if the client's default realm differs from
the KDC's realm.

      * Run kadmin with the -r REALM.EXAMPLE.COM flag.

Cheers,
~Edward

edward9122 (38)
6/21/2007 4:41:42 AM
Hi Guys,

I've tested the given solution, but to no avail.

I did a strace on kadmin on the remote client, and the following is its
output.

[root@bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libss.so.2", O_RDONLY)       = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
open("/lib/libcom_err.so.2", O_RDONLY)  = 3
open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
= 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
= 4
Authenticating as principal jyho/admin with password.
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
open("/etc/resolv.conf", O_RDONLY)      = 5
open("/etc/nsswitch.conf", O_RDONLY)    = 5
open("/etc/ld.so.cache", O_RDONLY)      = 5
open("/lib/libnss_files.so.2", O_RDONLY) = 5
open("/etc/host.conf", O_RDONLY)        = 5
open("/etc/hosts", O_RDONLY)            = 5
open("/etc/ld.so.cache", O_RDONLY)      = 5
open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
O_DIRECTORY) = 5
open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY)      = 6
open("/usr/lib/libssl3.so", O_RDONLY)   = 6
open("/usr/lib/libsmime3.so", O_RDONLY) = 6
open("/usr/lib/libnss3.so", O_RDONLY)   = 6
open("/usr/lib/libplds4.so", O_RDONLY)  = 6
open("/usr/lib/libplc4.so", O_RDONLY)   = 6
open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
open("/lib/libpthread.so.0", O_RDONLY)  = 6
open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
open("/dev/urandom", O_RDONLY)          = 5
open("/dev/urandom", O_RDONLY)          = 5
open("/etc/passwd", O_RDONLY)           = 5
open("/tmp", O_RDONLY)                  = 5
open("/var/tmp", O_RDONLY)              = 5
open("/usr/tmp", O_RDONLY)              = 5
--- SIGCHLD (Child exited) @ 0 (0) ---
open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY)      = 7
open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
open("/usr/lib/libz.so.1", O_RDONLY)    = 7
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
open("/lib/libm.so.6", O_RDONLY)        = 7
open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
open("/etc/ld.so.cache", O_RDONLY)      = 7
open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
open("/var/run/pcscd.pub", O_RDONLY)    = 7
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
O_APPEND, 0700) = -1 EEXIST (File exists)
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
or directory)
open("/etc/localtime", O_RDONLY)        = 10
open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
Password for jyho/admin@INTRA.FOOBAR.COM: 
open("/etc/hosts", O_RDONLY)            = 10
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Process 19676 detached
________________________________________________________________________



And during the execution of the command I did a tail
-f /var/log/krb5kdc.log, and the following output appeared.

Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM



Am I missing something here, guys, or is it something else? Help needed,
guys. Thanks.


On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> Erm, dunno if this will help you any. This is a straight copy/paste from
> my Wiki, which may only apply to my domain, but it sounds about right;
> 
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> 
> This occurs when kadmin is attempting to talk to the KDC with the wrong
> realm. Ussually this occurs if they client's default realm differs from
> the KDCs realm.
> 
>       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> 
> Cheers,
> ~Edward
> 
-- 
Regards,

Anthony Ho

System Administrator


jyho (6)
6/23/2007 2:22:24 AM
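The checks this thread walks through by hand (Edward's realm mismatch, the kerberos1 alias resolving to foo, whether the principal the KDC issued a ticket for actually has a key in kadm5.keytab, and the kvno that the KDC log cannot show) collected into one script. This is an added example, not code from any post in the thread. The log, keytab and getprinc samples inside it are constructed in the shape of the lines quoted above, with two refused requests added so the checks have something to report; the status keywords SERVER_NOT_FOUND and CLIENT_NOT_FOUND follow MIT krb5's KDC logging, and the alias-to-canonical-name dict is an assumption standing in for the DNS lookup kadmin performs on admin_server:

```python
"""Correlate a KDC log, a kadmind keytab listing and krb5.conf admin_server
to explain a remote kadmin that fails with a GSS-API error.

Added example for this thread, not code from the original posts. All sample
inputs are constructed; the canonical-name map replaces a DNS lookup.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/krb5kdc.log: one issued ticket, one request
# for a service principal that does not exist, one client from another realm.
SAMPLE_KDC_LOG = """\
Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035, etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
Jun 23 18:22:01 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: SERVER_NOT_FOUND: jyho/admin@INTRA.FOOBAR.COM for kadmin/kerberos1.intra.foobar.com@INTRA.FOOBAR.COM, Server not found in Kerberos database
Jun 23 18:23:40 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: CLIENT_NOT_FOUND: jyho/admin@FOOBAR.COM for kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, Client not found in Kerberos database
"""

# Constructed sample of 'ktutil: list' run on the KDC's kadm5.keytab.
SAMPLE_KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    8            kadmin/admin@INTRA.FOOBAR.COM
   3    4         kadmin/changepw@INTRA.FOOBAR.COM
   5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
   7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
"""

# Constructed sample of the key lines from 'kadmin.local: getprinc'.
SAMPLE_GETPRINC = """\
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<addr>[\d.]+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+@[^\s,]+)")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(?P<kvno>\d+)\s+(?P<princ>\S+@\S+)\s*$")
KEY_RE = re.compile(r"^Key: vno (?P<vno>\d+), (?P<etype>[^,]+)")


def parse_kdc_log(text):
    """One dict per AS_REQ line: addr, status, client, server."""
    return [m.groupdict() for m in map(AS_REQ_RE.search, text.splitlines()) if m]


def parse_keytab_listing(text):
    """Map principal -> set of kvnos present in the keytab."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            kvnos[m["princ"]].add(int(m["kvno"]))
    return dict(kvnos)


def weak_keys(getprinc_text):
    """Single-DES (56-bit) keys in getprinc output; 'Triple DES' is not matched."""
    keys = [m.groupdict() for m in map(KEY_RE.match, getprinc_text.splitlines()) if m]
    return [(int(k["vno"]), k["etype"]) for k in keys if k["etype"].startswith("DES ")]


def expected_kadmin_principal(admin_server, realm, canonical_names):
    """kadmin asks the KDC for kadmin/<canonical admin_server host>@REALM."""
    host = admin_server.rsplit(":", 1)[0]          # drop the :749 port suffix
    return f"kadmin/{canonical_names.get(host, host).lower()}@{realm}"


def analyse(kdc_log, keytab_listing, admin_server, realm, canonical_names):
    """Return (tag, message) findings plus the parsed inputs."""
    reqs = parse_kdc_log(kdc_log)
    keytab = parse_keytab_listing(keytab_listing)
    expected = expected_kadmin_principal(admin_server, realm, canonical_names)
    findings = []
    for r in reqs:
        # Edward's case: client or service principal outside the expected realm.
        if any(p.rsplit("@", 1)[1] != realm for p in (r["client"], r["server"])):
            findings.append(("REALM", f"{r['addr']}: {r['client']} for {r['server']} "
                                      f"is not all in {realm}; run kadmin -r {realm}"))
        if r["status"] != "ISSUE":
            findings.append(("REFUSED", f"{r['addr']}: {r['status']} for {r['server']}"))
        # Alias case: the name kadmin asked for is not what admin_server resolves to.
        if r["server"] != expected:
            findings.append(("ALIAS", f"{r['server']} requested, but admin_server "
                                      f"{admin_server} canonicalises to {expected}"))
        elif r["status"] == "ISSUE" and r["server"] not in keytab:
            findings.append(("NOKEY", f"KDC issued {r['server']} but kadmind's keytab "
                                      "has no key for it; kadmind cannot decrypt"))
    present = sorted(keytab.get(expected, ()))
    if present:
        note = (f"{expected} in keytab with kvno {present}; the KDC log omits the kvno "
                "it encrypted with, so compare against getprinc 'Key: vno'")
    else:
        note = f"{expected} absent from kadmind keytab"
    return {"requests": reqs, "keytab": keytab, "expected": expected,
            "findings": findings, "notes": [note]}


if __name__ == "__main__":
    result = analyse(SAMPLE_KDC_LOG, SAMPLE_KEYTAB_LISTING,
                     "kerberos1.intra.foobar.com:749", "INTRA.FOOBAR.COM",
                     {"kerberos1.intra.foobar.com": "foo.intra.foobar.com"})
    for tag, msg in result["findings"]:
        print(f"[{tag}] {msg}")
    for note in result["notes"]:
        print(f"[NOTE] {note}")
    for vno, etype in weak_keys(SAMPLE_GETPRINC):
        print(f"[WEAK] kvno {vno}: {etype}")
```

To use it on a real box, paste in the KDC log, the ktutil list output for kadm5.keytab and the getprinc output of the admin principal in place of the samples, and fill the dict with what the admin_server name canonicalises to. An ALIAS or NOKEY finding means kadmind was never going to accept the ticket the KDC issued, a REALM finding is the case Edward describes, and a WEAK line flags the single-DES key, which is not something to keep on an admin principal.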
Hi Guys,

I've tested the given solution but to no avail.

I did a strace on kadmin at the remote client and the following is the
output of it.

[root@bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libss.so.2", O_RDONLY)       = 3
open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
open("/lib/libcom_err.so.2", O_RDONLY)  = 3
open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
= 3
open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
= 4
Authenticating as principal jyho/admin with password.
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
open("/etc/resolv.conf", O_RDONLY)      = 5
open("/etc/nsswitch.conf", O_RDONLY)    = 5
open("/etc/ld.so.cache", O_RDONLY)      = 5
open("/lib/libnss_files.so.2", O_RDONLY) = 5
open("/etc/host.conf", O_RDONLY)        = 5
open("/etc/hosts", O_RDONLY)            = 5
open("/etc/ld.so.cache", O_RDONLY)      = 5
open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
O_DIRECTORY) = 5
open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY)      = 6
open("/usr/lib/libssl3.so", O_RDONLY)   = 6
open("/usr/lib/libsmime3.so", O_RDONLY) = 6
open("/usr/lib/libnss3.so", O_RDONLY)   = 6
open("/usr/lib/libplds4.so", O_RDONLY)  = 6
open("/usr/lib/libplc4.so", O_RDONLY)   = 6
open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
open("/lib/libpthread.so.0", O_RDONLY)  = 6
open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
open("/dev/urandom", O_RDONLY)          = 5
open("/dev/urandom", O_RDONLY)          = 5
open("/etc/passwd", O_RDONLY)           = 5
open("/tmp", O_RDONLY)                  = 5
open("/var/tmp", O_RDONLY)              = 5
open("/usr/tmp", O_RDONLY)              = 5
--- SIGCHLD (Child exited) @ 0 (0) ---
open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
open("/etc/ld.so.cache", O_RDONLY)      = 7
open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
open("/usr/lib/libz.so.1", O_RDONLY)    = 7
open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
open("/lib/libm.so.6", O_RDONLY)        = 7
open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
open("/etc/ld.so.cache", O_RDONLY)      = 7
open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
open("/var/run/pcscd.pub", O_RDONLY)    = 7
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
O_APPEND, 0700) = -1 EEXIST (File exists)
open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
or directory)
open("/etc/localtime", O_RDONLY)        = 10
open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
open("/etc/hosts", O_RDONLY)            = 10
Password for jyho/admin@INTRA.FOOBAR.COM: 
open("/etc/hosts", O_RDONLY)            = 10
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Process 19676 detached
________________________________________________________________________



An during the execution of the command i did a tail
-f /var/log/krb5kdc.log and the following output appears.

Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM

Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM



Am I missing something here guys or is it something else? Help needed
guys. Thanks


On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> Erm, dunno if this will help you any. This is a straight copy/paste from
> my Wiki, which may only apply to my domain, but it sounds about right;
> 
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> 
> This occurs when kadmin is attempting to talk to the KDC with the wrong
> realm. Ussually this occurs if they client's default realm differs from
> the KDCs realm.
> 
>       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> 
> Cheers,
> ~Edward
> 
> On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > Hi Guys,
> > 
> > This is my first email to this mailing list. I've encountered some issue
> > with my kerberos implementation. I've already setup my kdc and i'm able
> > to kinit and klist my tickets. The only problem left is that i'm unable
> > to execute kadmin in remote client. Whenever i try to do that the
> > following errors popped up.
> > 
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > 
> > 
> > I'm actually connecting from my client pc bar.intra.foobar.com to
> > foo.intra.foobar.com(kdc)
> > 
> > my current krb5.conf is
> > 
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> >  default_realm = INTRA.FOOBAR.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >  ticket_lifetime = 24h
> >  forwardable = yes
> > 
> > [realms]
> >  INTRA.FOOBAR.COM = {
> >   kdc = kerberos1.intra.foobar.com:88
> >   admin_server = kerberos1.intra.foobar.com:749
> >   default_domain = intra.foobar.com
> >  }
> > 
> > [domain_realm]
> >  .intra.foobar.com = INTRA.FOOBAR.COM
> >  intra.foobar.com = INTRA.FOOBAR.COM
> > 
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> > 
> > [appdefaults]
> >  pam = {
> >    debug = false
> >    ticket_lifetime = 36000
> >    renew_lifetime = 36000
> >    forwardable = true
> >    krb4_convert = false
> >  }
> > 
> > *** NOTE ***	
> > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> > 
> > 
> > my current kadm5.keytab is 
> > 
> > slot KVNO Principal
> > ---- ----
> > ---------------------------------------------------------------------
> >    1    8            kadmin/admin@INTRA.FOOBAR.COM
> >    2    8            kadmin/admin@INTRA.FOOBAR.COM
> >    3    4         kadmin/changepw@INTRA.FOOBAR.COM
> >    4    4         kadmin/changepw@INTRA.FOOBAR.COM
> >    5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> >    6    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> >    7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> >    8    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > 
> > my current info on the jyho/admin principals
> > 
> > kadmin.local:  getprinc jyho/admin
> > Principal: jyho/admin@INTRA.FOOBAR.COM
> > Expiration date: [never]
> > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > Password expiration date: [none]
> > Maximum ticket life: 1 day 00:00:00
> > Maximum renewable life: 0 days 00:00:00
> > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > (root/admin@INTRA.FOOBAR.COM)
> > Last successful authentication: [never]
> > Last failed authentication: [never]
> > Failed password attempts: 0
> > Number of keys: 2
> > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > Key: vno 1, DES cbc mode with CRC-32, no salt
> > Attributes:
> > Policy: [none]
> > 
> > 
> > 
> > my /var/log/krb5kdc.log shows
> > 
> >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> >         1182426770, etypes {rep=16 tkt=16 ses=16},
> >         jyho/admin@INTRA.FOOBAR.COM for
> >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> >         1182426770, etypes {rep=16 tkt=16 ses=16},
> >         jyho/admin@INTRA.FOOBAR.COM for
> >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > 
> > 
> > 
> > and my /var/log/kadmind.log shows
> > 
> >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> >         Request: kadm5_get_principal,
> >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> >         client=jyho/admin@INTRA.FOOBAR.COM,
> >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> >         addr=10.10.10.13
> >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> >         Request: kadm5_get_principal,
> >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> >         client=jyho/admin@INTRA.FOOBAR.COM,
> >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> >         addr=10.10.10.13
> >         
> > 
> > 
> > *** NOTE ***
> > Host/User	:	jyho
> > Hostname	:	foo.intra.foobar.com
> > Realm		:	INTRA.FOOBAR.COM
> > 
> > 
> > 
> > Any ideas on this issue guys? Thanks.
> > 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
-- 
Regards,

Anthony Ho

System Administrator



0
jyho (6)
6/23/2007 2:22:24 AM
Hi Guys,

Anyone got better ideas of solving this problem? I've been stuck on this
for quite some time now.

One question guys, is it important to use kadmin on a remote machine?

As far as I know, to add a remote machine we must log in to each machine and
do a kadmin on it in order to add them into the KDC's machine database.
Is that true? Correct me if I'm wrong.

On Sat, 2007-06-23 at 10:22 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> I've tested the given solution but to no avail.
> 
> I did a strace on kadmin at the remote client and the following is the
> output of it.
> 
> [root@bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libss.so.2", O_RDONLY)       = 3
> open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
> open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
> open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
> open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
> open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
> open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
> open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
> open("/lib/libresolv.so.2", O_RDONLY)   = 3
> open("/lib/libdl.so.2", O_RDONLY)       = 3
> open("/lib/libc.so.6", O_RDONLY)        = 3
> open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
> open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
> open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> = 3
> open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> = 4
> Authenticating as principal jyho/admin with password.
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
> open("/etc/resolv.conf", O_RDONLY)      = 5
> open("/etc/nsswitch.conf", O_RDONLY)    = 5
> open("/etc/ld.so.cache", O_RDONLY)      = 5
> open("/lib/libnss_files.so.2", O_RDONLY) = 5
> open("/etc/host.conf", O_RDONLY)        = 5
> open("/etc/hosts", O_RDONLY)            = 5
> open("/etc/ld.so.cache", O_RDONLY)      = 5
> open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
> open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> O_DIRECTORY) = 5
> open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY)      = 6
> open("/usr/lib/libssl3.so", O_RDONLY)   = 6
> open("/usr/lib/libsmime3.so", O_RDONLY) = 6
> open("/usr/lib/libnss3.so", O_RDONLY)   = 6
> open("/usr/lib/libplds4.so", O_RDONLY)  = 6
> open("/usr/lib/libplc4.so", O_RDONLY)   = 6
> open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
> open("/lib/libpthread.so.0", O_RDONLY)  = 6
> open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
> open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
> open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
> open("/dev/urandom", O_RDONLY)          = 5
> open("/dev/urandom", O_RDONLY)          = 5
> open("/etc/passwd", O_RDONLY)           = 5
> open("/tmp", O_RDONLY)                  = 5
> open("/var/tmp", O_RDONLY)              = 5
> open("/usr/tmp", O_RDONLY)              = 5
> --- SIGCHLD (Child exited) @ 0 (0) ---
> open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
> open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY)      = 7
> open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
> open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
> open("/usr/lib/libz.so.1", O_RDONLY)    = 7
> open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
> open("/lib/libm.so.6", O_RDONLY)        = 7
> open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
> open("/etc/ld.so.cache", O_RDONLY)      = 7
> open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
> open("/var/run/pcscd.pub", O_RDONLY)    = 7
> open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
> O_APPEND, 0700) = -1 EEXIST (File exists)
> open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
> open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
> or directory)
> open("/etc/localtime", O_RDONLY)        = 10
> open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> O_DIRECTORY) = -1 ENOENT (No such file or directory)
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> open("/etc/hosts", O_RDONLY)            = 10
> Password for jyho/admin@INTRA.FOOBAR.COM: 
> open("/etc/hosts", O_RDONLY)            = 10
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> Process 19676 detached
> ________________________________________________________________________
> 
> 
> 
> And during the execution of the command I did a tail
> -f /var/log/krb5kdc.log and the following output appeared.
> 
> Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> 
> 
> 
> Am I missing something here guys or is it something else? Help needed
> guys. Thanks.
> 
> 
> On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> > Erm, dunno if this will help you any. This is a straight copy/paste from
> > my Wiki, which may only apply to my domain, but it sounds about right:
> > 
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > 
> > This occurs when kadmin is attempting to talk to the KDC with the wrong
> > realm. Usually this occurs if the client's default realm differs from
> > the KDC's realm.
> > 
> >       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> > 
> > Cheers,
> > ~Edward
> > 
> > On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > > Hi Guys,
> > > 
> > > This is my first email to this mailing list. I've encountered an issue
> > > with my Kerberos implementation. I've already set up my KDC and I'm able
> > > to kinit and klist my tickets. The only problem left is that I'm unable
> > > to execute kadmin on a remote client. Whenever I try to do that the
> > > following error pops up.
> > > 
> > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > 
> > > 
> > > I'm actually connecting from my client pc bar.intra.foobar.com to
> > > foo.intra.foobar.com(kdc)
> > > 
> > > my current krb5.conf is
> > > 
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > > 
> > > [libdefaults]
> > >  default_realm = INTRA.FOOBAR.COM
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = false
> > >  ticket_lifetime = 24h
> > >  forwardable = yes
> > > 
> > > [realms]
> > >  INTRA.FOOBAR.COM = {
> > >   kdc = kerberos1.intra.foobar.com:88
> > >   admin_server = kerberos1.intra.foobar.com:749
> > >   default_domain = intra.foobar.com
> > >  }
> > > 
> > > [domain_realm]
> > >  .intra.foobar.com = INTRA.FOOBAR.COM
> > >  intra.foobar.com = INTRA.FOOBAR.COM
> > > 
> > > [kdc]
> > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > > 
> > > [appdefaults]
> > >  pam = {
> > >    debug = false
> > >    ticket_lifetime = 36000
> > >    renew_lifetime = 36000
> > >    forwardable = true
> > >    krb4_convert = false
> > >  }
> > > 
> > > *** NOTE ***	
> > > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> > > 
> > > 
> > > my current kadm5.keytab is 
> > > 
> > > slot KVNO Principal
> > > ---- ----
> > > ---------------------------------------------------------------------
> > >    1    8            kadmin/admin@INTRA.FOOBAR.COM
> > >    2    8            kadmin/admin@INTRA.FOOBAR.COM
> > >    3    4         kadmin/changepw@INTRA.FOOBAR.COM
> > >    4    4         kadmin/changepw@INTRA.FOOBAR.COM
> > >    5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > >    6    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > >    7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > >    8    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > 
> > > 
> > > my current info on the jyho/admin principals
> > > 
> > > kadmin.local:  getprinc jyho/admin
> > > Principal: jyho/admin@INTRA.FOOBAR.COM
> > > Expiration date: [never]
> > > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > > Password expiration date: [none]
> > > Maximum ticket life: 1 day 00:00:00
> > > Maximum renewable life: 0 days 00:00:00
> > > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > > (root/admin@INTRA.FOOBAR.COM)
> > > Last successful authentication: [never]
> > > Last failed authentication: [never]
> > > Failed password attempts: 0
> > > Number of keys: 2
> > > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > > Key: vno 1, DES cbc mode with CRC-32, no salt
> > > Attributes:
> > > Policy: [none]
> > > 
> > > 
> > > 
> > > my /var/log/krb5kdc.log shows
> > > 
> > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > >         jyho/admin@INTRA.FOOBAR.COM for
> > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > >         jyho/admin@INTRA.FOOBAR.COM for
> > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > 
> > > 
> > > 
> > > 
> > > and my /var/log/kadmind.log shows
> > > 
> > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > >         Request: kadm5_get_principal,
> > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > >         addr=10.10.10.13
> > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > >         Request: kadm5_get_principal,
> > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > >         addr=10.10.10.13
> > >         
> > > 
> > > 
> > > *** NOTE ***
> > > Host/User	:	jyho
> > > Hostname	:	foo.intra.foobar.com
> > > Realm		:	INTRA.FOOBAR.COM
> > > 
> > > 
> > > 
> > > Any ideas on this issue guys? Thanks.
> > > 
> > 
> > 
-- 
Regards,

Anthony Ho

System Administrator

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
jyho (6)
6/26/2007 1:31:41 AM
Hi Anthony,

Unfortunately, I don't have access to a working Kerberos environment
where I first came across the error, so going from memory: try
specifying everything, e.g.:

kadmin -p jyho/admin@INTRA.FOOBAR.COM -s foo.intra.foobar.com \
-r INTRA.FOOBAR.COM

Hm, actually, looking at the previous example, you may just need to add
the @INTRA.FOOBAR.COM to the -p argument.

For the second question, it's entirely possible to generate keys for one
machine on another and then copy them (using a secure method!) via
something like scp to another machine. The trick is simply to use the -k
argument in kadmin, like so:

ktadd -k /home/jyho/bar.keytab host/bar.intra.foobar.com

These days, I've got a very simple Kerberos setup, so I can't really
shed much light I'm afraid...

Cheers,
~Edward Murrell
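
The troubleshooting steps from Edward's two replies (qualify the principal with its realm, pass -s and -r explicitly, and build a host keytab with ktadd -k before copying it over a secure channel) and Anthony's question above about whether kadmin has to be run on each machine, as an added shell example that is not part of this thread or of MIT Kerberos. It parses a constructed krb5.conf trimmed from the one Anthony posted, derives the explicit kadmin invocation, flags a principal whose realm differs from the client's default_realm, and refuses to hand a keytab to scp unless it is owner-only. The function names, the sample config text and the root@host:/etc/krb5.keytab destination are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or MIT Kerberos): derive the fully
# qualified kadmin invocation Edward suggests from a krb5.conf, detect the
# realm mismatch his wiki note describes, and check that a keytab made with
# "ktadd -k" is owner-only before it is copied to the target host.

# Constructed sample, trimmed from the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = INTRA.FOOBAR.COM
 dns_lookup_kdc = false

[realms]
 INTRA.FOOBAR.COM = {
  kdc = kerberos1.intra.foobar.com:88
  admin_server = kerberos1.intra.foobar.com:749
 }
'

# krb5_get CONF_TEXT SECTION KEY [REALM]
# Print the value of KEY in [SECTION]. For [realms], REALM selects the
# "REALM = { ... }" block. Minimal parser: no includes, one level of
# braces, which covers the [libdefaults]/[realms] lookups needed here.
krb5_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v want="$3" -v realm="$4" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); section = s; block = ""; next }
        section != sec { next }
        /=[ \t]*[{][ \t]*$/ { b = $0; sub(/[ \t]*=.*/, "", b); gsub(/[ \t]/, "", b); block = b; next }
        /^[ \t]*[}]/ { block = ""; next }
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want && (realm == "" || block == realm)) { print val; exit }
        }'
}

# qualify_principal PRINC REALM: append @REALM when PRINC carries no realm.
# This is the "add @INTRA.FOOBAR.COM to the -p argument" step.
qualify_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# realm_matches CONF_TEXT PRINC: succeed when PRINC's realm equals the
# client's default_realm; fail on the mismatch the wiki entry blames.
realm_matches() {
    rm_default=$(krb5_get "$1" libdefaults default_realm)
    rm_princ=$(qualify_principal "$2" "$rm_default")
    [ "${rm_princ##*@}" = "$rm_default" ]
}

# kadmin_cmdline CONF_TEXT PRINC: print the explicit invocation, with the
# admin_server taken from the realm block (kadmin -s accepts host[:port]).
kadmin_cmdline() {
    kc_realm=$(krb5_get "$1" libdefaults default_realm)
    kc_server=$(krb5_get "$1" realms admin_server "$kc_realm")
    printf 'kadmin -p %s -s %s -r %s\n' \
        "$(qualify_principal "$2" "$kc_realm")" "$kc_server" "$kc_realm"
}

# keytab_is_private FILE: succeed only for a regular file with no group or
# other permission bits (columns 5-10 of "ls -l"), the precondition for
# letting the key material leave the machine.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ktadd_then_copy CONF_TEXT ADMIN_PRINC HOST_FQDN KEYTAB: print the two
# commands of the remote-keytab workflow. ktadd appends to an existing
# keytab, so refuse when KEYTAB already exists with loose permissions.
# Destination path and user are assumptions of this example.
ktadd_then_copy() {
    if [ -e "$4" ] && ! keytab_is_private "$4"; then
        echo "refusing: $4 exists and is readable by others" >&2
        return 1
    fi
    printf '%s -q "ktadd -k %s host/%s"\n' "$(kadmin_cmdline "$1" "$2")" "$4" "$3"
    printf 'scp -p %s root@%s:/etc/krb5.keytab\n' "$4" "$3"
}

# Stand-alone demo on the constructed config.
ktadd_then_copy "$SAMPLE_KRB5_CONF" jyho/admin bar.intra.foobar.com /home/jyho/bar.keytab
```

Running the script prints the kadmin line with the principal, admin server and realm all spelled out, followed by the scp line; the keytab check is the part worth keeping, since a keytab readable by other users on the staging host is equivalent to handing out the host's long-term key.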

On Tue, 2007-06-26 at 09:31 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> Anyone got better ideas of solving this problem? I've been stuck on this
> for quite some time now.
> 
> One question guys, is it important to use kadmin on a remote machine?
> 
> As far as I know, to add a remote machine we must log in to each machine and
> do a kadmin on it in order to add them into the KDC's machine database.
> Is that true? Correct me if I'm wrong.
> 
> On Sat, 2007-06-23 at 10:22 +0800, Anthony Ho wrote:
> > Hi Guys,
> > 
> > I've tested the given solution but to no avail.
> > 
> > I did a strace on kadmin at the remote client and the following is the
> > output of it.
> > 
> > [root@bar ~]# strace -eopen kadmin -p jyho/admin -r INTRA.FOOBAR.COM
> > open("/etc/ld.so.cache", O_RDONLY)      = 3
> > open("/lib/libss.so.2", O_RDONLY)       = 3
> > open("/usr/lib/libncurses.so.5", O_RDONLY) = 3
> > open("/usr/lib/libkadm5clnt.so.5", O_RDONLY) = 3
> > open("/usr/lib/libgssrpc.so.4", O_RDONLY) = 3
> > open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
> > open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
> > open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
> > open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> > open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
> > open("/lib/libresolv.so.2", O_RDONLY)   = 3
> > open("/lib/libdl.so.2", O_RDONLY)       = 3
> > open("/lib/libc.so.6", O_RDONLY)        = 3
> > open("/var/kerberos/krb5kdc/kdc.conf", O_RDONLY|O_LARGEFILE) = 3
> > open("/etc/krb5.conf", O_RDONLY|O_LARGEFILE) = 3
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 3
> > open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> > = 3
> > open("/var/log/kadmind.log", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666)
> > = 4
> > Authenticating as principal jyho/admin with password.
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 5
> > open("/etc/resolv.conf", O_RDONLY)      = 5
> > open("/etc/nsswitch.conf", O_RDONLY)    = 5
> > open("/etc/ld.so.cache", O_RDONLY)      = 5
> > open("/lib/libnss_files.so.2", O_RDONLY) = 5
> > open("/etc/host.conf", O_RDONLY)        = 5
> > open("/etc/hosts", O_RDONLY)            = 5
> > open("/etc/ld.so.cache", O_RDONLY)      = 5
> > open("/lib/libnss_dns.so.2", O_RDONLY)  = 5
> > open("/usr/lib/krb5/plugins/preauth", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> > O_DIRECTORY) = 5
> > open("/usr/lib/krb5/plugins/preauth/pkinit.so", O_RDONLY) = 6
> > open("/etc/ld.so.cache", O_RDONLY)      = 6
> > open("/usr/lib/libssl3.so", O_RDONLY)   = 6
> > open("/usr/lib/libsmime3.so", O_RDONLY) = 6
> > open("/usr/lib/libnss3.so", O_RDONLY)   = 6
> > open("/usr/lib/libplds4.so", O_RDONLY)  = 6
> > open("/usr/lib/libplc4.so", O_RDONLY)   = 6
> > open("/usr/lib/libnspr4.so", O_RDONLY)  = 6
> > open("/lib/libpthread.so.0", O_RDONLY)  = 6
> > open("/usr/lib/libsoftokn3.so", O_RDONLY) = 6
> > open("/etc/pki/nssdb/secmod.db", O_RDONLY) = 5
> > open("/usr/lib/libfreebl3.so", O_RDONLY) = 5
> > open("/dev/urandom", O_RDONLY)          = 5
> > open("/dev/urandom", O_RDONLY)          = 5
> > open("/etc/passwd", O_RDONLY)           = 5
> > open("/tmp", O_RDONLY)                  = 5
> > open("/var/tmp", O_RDONLY)              = 5
> > open("/usr/tmp", O_RDONLY)              = 5
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > open("/etc/pki/nssdb/cert8.db", O_RDONLY) = 5
> > open("/etc/pki/nssdb/key3.db", O_RDONLY) = 6
> > open("/etc/ld.so.cache", O_RDONLY)      = 7
> > open("/usr/lib/libcoolkeypk11.so", O_RDONLY) = 7
> > open("/usr/lib/libckyapplet.so.1", O_RDONLY) = 7
> > open("/usr/lib/libz.so.1", O_RDONLY)    = 7
> > open("/usr/lib/libstdc++.so.6", O_RDONLY) = 7
> > open("/lib/libm.so.6", O_RDONLY)        = 7
> > open("/lib/libgcc_s.so.1", O_RDONLY)    = 7
> > open("/etc/ld.so.cache", O_RDONLY)      = 7
> > open("/usr/lib/libpcsclite.so.1", O_RDONLY) = 7
> > open("/var/run/pcscd.pub", O_RDONLY)    = 7
> > open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR|O_CREAT|O_EXCL|
> > O_APPEND, 0700) = -1 EEXIST (File exists)
> > open("/tmp/.pk11ipc1/coolkeypk11sE-Gate 0 0-0", O_RDWR) = 9
> > open("/etc/pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT (No such file
> > or directory)
> > open("/etc/localtime", O_RDONLY)        = 10
> > open("/usr/lib/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|
> > O_DIRECTORY) = -1 ENOENT (No such file or directory)
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/etc/hosts", O_RDONLY)            = 10
> > Password for jyho/admin@INTRA.FOOBAR.COM: 
> > open("/etc/hosts", O_RDONLY)            = 10
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 11
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > Process 19676 detached
> > ________________________________________________________________________
> > 
> > 
> > 
> > And during the execution of the command I did a tail
> > -f /var/log/krb5kdc.log, and the following output appeared.
> > 
> > Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:20:35 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594035,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:15 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594075,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > Jun 23 18:21:30 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ (7
> > etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime 1182594090,
> > etypes {rep=16 tkt=16 ses=16}, jyho/admin@INTRA.FOOBAR.COM for
> > kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > 
> > 
> > 
> > Am I missing something here, guys, or is it something else? Help needed,
> > guys. Thanks.
> > 
> > 
> > On Thu, 2007-06-21 at 16:41 +1200, Edward Murrell wrote:
> > > Erm, dunno if this will help you any. This is a straight copy/paste from
> > > my Wiki, which may only apply to my domain, but it sounds about right;
> > > 
> > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > 
> > > This occurs when kadmin is attempting to talk to the KDC with the wrong
> > > realm. Usually this occurs if the client's default realm differs from
> > > the KDC's realm.
> > > 
> > >       * Run kadmin with the -r REALM.EXAMPLE.COM flag.
> > > 
> > > Cheers,
> > > ~Edward
> > > 
> > > On Thu, 2007-06-21 at 12:20 +0800, Anthony Ho wrote:
> > > > Hi Guys,
> > > > 
> > > > This is my first email to this mailing list. I've encountered some issues
> > > > with my Kerberos implementation. I've already set up my KDC and I'm able
> > > > to kinit and klist my tickets. The only problem left is that I'm unable
> > > > to execute kadmin on a remote client. Whenever I try to do that the
> > > > following error pops up.
> > > > 
> > > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > > 
> > > > 
> > > > I'm actually connecting from my client PC bar.intra.foobar.com to
> > > > foo.intra.foobar.com (the KDC).
> > > > 
> > > > My current krb5.conf is:
> > > > 
> > > > [logging]
> > > >  default = FILE:/var/log/krb5libs.log
> > > >  kdc = FILE:/var/log/krb5kdc.log
> > > >  admin_server = FILE:/var/log/kadmind.log
> > > > 
> > > > [libdefaults]
> > > >  default_realm = INTRA.FOOBAR.COM
> > > >  dns_lookup_realm = false
> > > >  dns_lookup_kdc = false
> > > >  ticket_lifetime = 24h
> > > >  forwardable = yes
> > > > 
> > > > [realms]
> > > >  INTRA.FOOBAR.COM = {
> > > >   kdc = kerberos1.intra.foobar.com:88
> > > >   admin_server = kerberos1.intra.foobar.com:749
> > > >   default_domain = intra.foobar.com
> > > >  }
> > > > 
> > > > [domain_realm]
> > > >  .intra.foobar.com = INTRA.FOOBAR.COM
> > > >  intra.foobar.com = INTRA.FOOBAR.COM
> > > > 
> > > > [kdc]
> > > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > > > 
> > > > [appdefaults]
> > > >  pam = {
> > > >    debug = false
> > > >    ticket_lifetime = 36000
> > > >    renew_lifetime = 36000
> > > >    forwardable = true
> > > >    krb4_convert = false
> > > >  }
> > > > 
> > > > *** NOTE ***	
> > > > kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com
> > > > 
> > > > 
> > > > My current kadm5.keytab is:
> > > > 
> > > > slot KVNO Principal
> > > > ---- ----
> > > > ---------------------------------------------------------------------
> > > >    1    8            kadmin/admin@INTRA.FOOBAR.COM
> > > >    2    8            kadmin/admin@INTRA.FOOBAR.COM
> > > >    3    4         kadmin/changepw@INTRA.FOOBAR.COM
> > > >    4    4         kadmin/changepw@INTRA.FOOBAR.COM
> > > >    5    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    6    3 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    7    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >    8    4 kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > My current info on the jyho/admin principal:
> > > > 
> > > > kadmin.local:  getprinc jyho/admin
> > > > Principal: jyho/admin@INTRA.FOOBAR.COM
> > > > Expiration date: [never]
> > > > Last password change: Tue Jun 12 23:07:35 MYT 2007
> > > > Password expiration date: [none]
> > > > Maximum ticket life: 1 day 00:00:00
> > > > Maximum renewable life: 0 days 00:00:00
> > > > Last modified: Tue Jun 12 23:07:35 MYT 2007
> > > > (root/admin@INTRA.FOOBAR.COM)
> > > > Last successful authentication: [never]
> > > > Last failed authentication: [never]
> > > > Failed password attempts: 0
> > > > Number of keys: 2
> > > > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > > > Key: vno 1, DES cbc mode with CRC-32, no salt
> > > > Attributes:
> > > > Policy: [none]
> > > > 
> > > > 
> > > > 
> > > > My /var/log/krb5kdc.log shows:
> > > > 
> > > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > > >         jyho/admin@INTRA.FOOBAR.COM for
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > >         Jun 21 19:52:50 foo.intra.foobar.com krb5kdc[1927](info): AS_REQ
> > > >         (7 etypes {18 17 16 23 1 3 2}) 10.10.10.14: ISSUE: authtime
> > > >         1182426770, etypes {rep=16 tkt=16 ses=16},
> > > >         jyho/admin@INTRA.FOOBAR.COM for
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > 
> > > > 
> > > > And my /var/log/kadmind.log shows:
> > > > 
> > > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > > >         Request: kadm5_get_principal,
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > > >         addr=10.10.10.13
> > > >         Jun 21 19:49:13 foo.intra.foobar.com kadmind[1911](Notice):
> > > >         Request: kadm5_get_principal,
> > > >         kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM, success,
> > > >         client=jyho/admin@INTRA.FOOBAR.COM,
> > > >         service=kadmin/foo.intra.foobar.com@INTRA.FOOBAR.COM,
> > > >         addr=10.10.10.13
> > > >         
> > > > 
> > > > 
> > > > *** NOTE ***
> > > > Host/User	:	jyho
> > > > Hostname	:	foo.intra.foobar.com
> > > > Realm		:	INTRA.FOOBAR.COM
> > > > 
> > > > 
> > > > 
> > > > Any ideas on this issue, guys? Thanks.
> > > > 
> > > 
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > > 

0
edward9122 (38)
6/26/2007 2:06:16 AM
Hi Anthony,

Unfortunately, I don't have access to a working Kerberos environment
where I first came across the error, so going from memory - try
specifying everything, e.g.:

kadmin -p jyho/admin@INTRA.FOOBAR.COM -s foo.intra.foobar.com \
-r INTRA.FOOBAR.COM

Hm, actually, looking at the previous example, you may just need to add
the @INTRA.FOOBAR.COM to the -p argument.

For the second question, it's entirely possible to generate keys for one
machine on another and then copy them (using a secure method!) via
something like scp to another machine. The trick is simply to use the -k
argument in kadmin, like so:

ktadd -k /home/jyho/bar.keytab host/bar.intra.foobar.com

These days, I've got a very simple Kerberos setup, so I can't really
shed much light I'm afraid...

Cheers,
~Edward Murrell

On Tue, 2007-06-26 at 09:31 +0800, Anthony Ho wrote:
> Hi Guys,
> 
> Anyone got better ideas for solving this problem? I've been stuck on this
> for quite some time now.
> 
> One question, guys: is it important to use kadmin on a remote machine?
> 
> As far as I know, to add a remote machine we must log in to each machine and
> run kadmin on it in order to add it into the KDC's machine database.
> Is that true? Correct me if I'm wrong.
> 
> On Sat, 2007-06-23 at 10:22 +0800, Anthony Ho wrote:


0
edward9122 (38)
6/26/2007 2:06:16 AM
Make sure that the client and server are in sync with a time server.

Anthony Ho wrote:

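As an added example (not code from the thread or from MIT krb5), the following Python script turns Edward's advice and the clock-sync reply into a pre-flight check: it parses the krb5.conf Anthony posted, builds the fully specified kadmin invocation with the principal's realm filled in, and flags a default_realm/-r mismatch, an unmapped client host, or a clock skew beyond the clockskew limit. The function names and the constructed client timestamp are this example's own.

```python
"""Pre-flight checks before running kadmin against a remote admin server.

Added example (not from the thread or MIT krb5): parses the krb5.conf quoted
in the thread, builds the fully specified kadmin command Edward suggests, and
checks the realm mapping and clock skew the replies point at.
"""
import re

# Constructed input: the relevant sections of the krb5.conf posted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = INTRA.FOOBAR.COM

[realms]
 INTRA.FOOBAR.COM = {
  kdc = kerberos1.intra.foobar.com:88
  admin_server = kerberos1.intra.foobar.com:749
 }

[domain_realm]
 .intra.foobar.com = INTRA.FOOBAR.COM
 intra.foobar.com = INTRA.FOOBAR.COM
"""

def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and one level of
    name = { ... } subsections (the form [realms] uses)."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
        elif section is None:
            raise ValueError(f'relation outside any section: {line!r}')
        elif line == '}':
            sub = None
        else:
            key, _, value = (s.strip() for s in line.partition('='))
            if value == '{':
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then shorter '.domain' suffixes,
    then default_realm."""
    mapping = conf.get('domain_realm', {})
    labels = host.lower().split('.')
    names = [host.lower()] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[n] for n in names if n in mapping),
                conf.get('libdefaults', {}).get('default_realm'))

def kadmin_command(conf, principal, realm=None):
    """'kadmin -p PRINC@REALM -s ADMIN_SERVER -r REALM', qualifying the
    principal with the realm when it has none (Edward's hint)."""
    realm = realm or conf['libdefaults']['default_realm']
    admin_server = conf.get('realms', {}).get(realm, {}).get('admin_server')
    if admin_server is None:
        raise ValueError(f'no admin_server configured for realm {realm}')
    if '@' not in principal:
        principal = f'{principal}@{realm}'
    return ['kadmin', '-p', principal, '-s', admin_server, '-r', realm]

def preflight(conf, principal, client_host, realm=None, kdc_time=None, client_time=None):
    """Findings for the causes discussed in the thread: realm mismatch,
    unmapped client host, clock skew. An empty list means none apply."""
    libdefaults = conf.get('libdefaults', {})
    realm = realm or libdefaults.get('default_realm')
    if realm is None:
        return ['no default_realm in [libdefaults] and no -r realm given']
    findings = []
    if realm != libdefaults.get('default_realm'):
        findings.append(f'default_realm differs from {realm}; pass -r {realm} explicitly')
    if '@' in principal and principal.rsplit('@', 1)[1] != realm:
        findings.append(f'principal {principal} is not in realm {realm}')
    mapped = realm_for_host(conf, client_host)
    if mapped != realm:
        findings.append(f'{client_host} maps to realm {mapped}, not {realm}')
    if kdc_time is not None and client_time is not None:
        # MIT krb5 rejects requests whose timestamps differ by more than clockskew (default 300s).
        limit = int(libdefaults.get('clockskew', 300))
        if abs(kdc_time - client_time) > limit:
            findings.append(f'clock skew {abs(kdc_time - client_time)}s exceeds {limit}s')
    return findings
```

The authtime values in the KDC log excerpts (for example 1182594035) can be fed in as kdc_time against the client's own clock to reproduce the skew check.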
0
xenguy (1)
7/5/2007 4:18:38 PM
Reply: