kadmin.local: Cannot find/read stored master key

Hello,

I've got problems setting up Krb5 on my Crux Linux host.
I did all necessary things and always get stuck at the point trying to
create the keytab file with kadmin.local.
The program says:

Authenticating as principal root/admin@TESTSERVER.FREEBIS.DE with
password. 
kadmin.local: Cannot find/read stored master key while
initializing kadmin.local interface

Here is my /etc/krb5.conf:
-----------------------------------------------------------------------
[libdefaults]
        default_realm = TESTSERVER.FREEBIS.DE
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        FREEBIS.DE = {
                kdc = 62.27.20.125:88
                admin_server = 62.27.20.125:750
                default_domain = localhost
        }


[domain_realm]
        .localhost = TESTSERVER.FREEBITS.DE
        localhost = TESTSERVER.FREEBITS.DE

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[kdc]
        profile = /var/krb5kdc/kdc.conf
-----------------------------------------------------------------------

Here is my /var/krb5kdc/kdc.conf:
-----------------------------------------------------------------------
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        TESTSERVER.FREEBITS.DE = {
                master_key_type = des-cbc-crc
		database_name = /var/krb5kdc/principal
                admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
                acl_file = /var/krb5kdc/kadm5.acl
                key_stash_file = /var/krb5kdc/.k5.TESTSERVER.FREEBITS.DE
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }
-----------------------------------------------------------------------

Any help would be very much appreciated.

Greetings from Germany
- Marcel Karras

--
Contact: toka@freebits.de
http://www.freebits.de
Unix, Linux && OpenSource
toka (4)
7/1/2004 8:35:07 PM
comp.protocols.kerberos

On Thu, 1 Jul 2004 22:35:07 +0200
Marcel Karras <toka@freebits.de> wrote:

> Hello,
> 
> I've got problems setting up Krb5 on my Crux Linux host.
> I did all necessary things and always get stuck at the point trying
> to create the keytab file with kadmin.local.
> The program says:
> 
> Authenticating as principal root/admin@TESTSERVER.FREEBIS.DE with
> password. 
> kadmin.local: Cannot find/read stored master key while
> initializing kadmin.local interface
> 
> Here is my /etc/krb5.conf:
> ---------------------------------------------------------------------
> [libdefaults]
>         default_realm = TESTSERVER.FREEBIS.DE

My fault                                    ^ - a T is missing

>         dns_lookup_realm = false
>         dns_lookup_kdc = false
> 
> [realms]
>         FREEBIS.DE = {
>                 kdc = 62.27.20.125:88
>                 admin_server = 62.27.20.125:750
>                 default_domain = localhost
>         }
> 
> 
> [domain_realm]
>         .localhost = TESTSERVER.FREEBITS.DE
>         localhost = TESTSERVER.FREEBITS.DE
> 
> [logging]
>         default = FILE:/var/log/krb5libs.log
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmind.log
> 
> [kdc]
>         profile = /var/krb5kdc/kdc.conf
> -----------------------------------------------------------------------
> 
> Here is my /var/krb5kdc/kdc.conf:
> -----------------------------------------------------------------------
> [kdcdefaults]
>         kdc_ports = 750,88
> 
> [realms]
>         TESTSERVER.FREEBITS.DE = {
>                 master_key_type = des-cbc-crc
> 		database_name = /var/krb5kdc/principal
>                 admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
>                 acl_file = /var/krb5kdc/kadm5.acl
>                 key_stash_file = /var/krb5kdc/.k5.TESTSERVER.FREEBITS.DE
>                 kdc_ports = 750,88
>                 max_life = 10h 0m 0s
>                 max_renewable_life = 7d 0h 0m 0s
>         }
> -----------------------------------------------------------------------
> 
> Any help would be very much appreciated.
> 
> Greetings from Germany
> - Marcel Karras
> 
> --
> Contact: toka@freebits.de
> http://www.freebits.de
> Unix, Linux && OpenSource


-- 
Contact: toka@freebits.de
http://www.freebits.de
Unix, Linux && OpenSource
toka (4)
7/7/2004 6:53:55 AM
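
The realm spelling mismatch found in this thread can be checked mechanically before running kadmin.local. The following is an added example, not part of the original posts: a small Python checker (function names are illustrative) that parses both files and lists every realm name that is referenced but not defined; the sample input is the two posted files trimmed to the relations that carry a realm name.

```python
import difflib
import re

# Sample input: the two files from the post, trimmed to realm-bearing relations.
KRB5_CONF = """
[libdefaults]
        default_realm = TESTSERVER.FREEBIS.DE
[realms]
        FREEBIS.DE = {
                kdc = 62.27.20.125:88
                admin_server = 62.27.20.125:750
        }
[domain_realm]
        .localhost = TESTSERVER.FREEBITS.DE
        localhost = TESTSERVER.FREEBITS.DE
"""
KDC_CONF = """
[realms]
        TESTSERVER.FREEBITS.DE = {
                database_name = /var/krb5kdc/principal
                key_stash_file = /var/krb5kdc/.k5.TESTSERVER.FREEBITS.DE
        }
"""

def parse_profile(text):
    """Parse krb5 profile syntax into {section: {key: value or nested dict}}.
    Repeated keys keep only the last value, which is enough for realm checks."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
        elif line.startswith("}"):
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def _missing(realm, defined, where):
    """Return one finding if realm is not defined; suggest a near-identical name."""
    if realm in defined:
        return []
    near = difflib.get_close_matches(realm or "", list(defined), n=1, cutoff=0.8)
    return [(where, realm, near[0] if near else None)]

def check_realms(krb5_conf, kdc_conf):
    """List (where, realm, suggestion) for realm names used but not defined."""
    client, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    client_realms = client.get("realms", {})
    # kadmin.local opens the default realm unless -r is given, so the
    # default_realm must name a realm section that exists in kdc.conf.
    default = client.get("libdefaults", {}).get("default_realm")
    findings = _missing(default, client_realms, "krb5.conf [realms]")
    findings += _missing(default, kdc.get("realms", {}), "kdc.conf [realms]")
    for realm in sorted(set(client.get("domain_realm", {}).values())):
        findings += _missing(realm, client_realms, "krb5.conf [realms]")
    return findings

if __name__ == "__main__":
    for where, realm, hint in check_realms(KRB5_CONF, KDC_CONF):
        suffix = f" (did you mean {hint}?)" if hint else ""
        print(f"{realm} is not defined in {where}{suffix}")
```
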