


kerberos (SEAM) kadmin will not start

Solaris 9, core + packages + fully patched;
Posted this on comp.unix.solaris also:
After a lot of googling I am surprised to find little mention of this
problem. I have all my kerberos working fine on a Solaris 9 except for
getting kadmind to run. It will fail to initialize the gss-api and an
apptrace of that shows that it cannot start a RPC. Some message boards
have identified the cause as not having /var/krb5/rcache/root
directory. I have that. Some say I must have the wrong REALM identity
in my kdc.conf or krb5.conf. I don't think that's the case because
every other facet of kerberos works.
I get good logins using kerberos passwords and the krb5tgt is
refreshed and shows the updated start and expire dates and shows the
date that I can refresh tgt tickets until.

I checked the RPC ports (/etc/services), I did a rpcinfo -p hostname
and all looks to be well there.
The gssd rpc is 100234 but gssd is not running. "don't know if it
should be running or is it called by the RPC".
Not much useful info in the /var/krb5/kadmin.log, just repeats the
same failure. I also notice that many of the message boards have this
question as unanswered. Many of these are old posts from years ago.
I saw one post where the SA was using Solaris 10 and he only had to
clear the maintenance state to get GSSAPI initialized.


Any takers? I have beat my feeble brain to death on this one.

More info: well, it wasn't the gssd. I started that to test and still
get the GSSAPI initialized error.
I ran the apptrace with -v and specified the svc_register call as
follows:
bash-2.05# apptrace -v svc_register  /usr/lib/krb5/kadmind
apptrace: unexpected version: 3
kadmind  -> libnsl.so.1:svc_register(xprt = 0x2c168, prognum = 0x840,
versnum = 0x2, dispatch = 0x12724) = 0x0 errno = 0 (Error 0)
  xprt = (struct __svcxprt *) 0x2c168 (SVCXPRT) { Forward Reference }

  prognum = (rpcprog_t) 2112    (0x840)
  versnum = (rpcvers_t) 2       (0x2)
  dispatch = (void *) 0x12724
  return = (int) 0      (0x0)
kadmind: Cannot register RPC service.
So now I know this is a dispatch attempt to register prognum 2112
version 2 while trying to start up kadmind.
Unfortunately this is all it means to me. Any ideas or direction are
greatly appreciated.
I have a feeling from what I have read that this problem is not as
severe in Solaris 10, for whatever that matters.

This is the exact command and response;

bash-2.05# /etc/init.d/kdc.master start
kadmind:Cannot initialize GSS-API authentication.

ecoke01 (2)
8/2/2007 12:56:33 PM
comp.protocols.kerberos
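The verbose apptrace output quoted in the post can be summarised mechanically. The following is an added example, not part of the original post: it parses `apptrace -v svc_register` detail lines and flags failed registrations, assuming the documented ONC RPC convention that svc_register() returns 1 on success and 0 on failure. The function name `summarize_svc_register` is hypothetical, and the sample trace is copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Summarise svc_register() calls found in `apptrace -v svc_register` output.
# Assumption: svc_register() returns 1 on success and 0 on failure
# (the documented ONC RPC library convention).

# Reads apptrace output on stdin, prints one line per svc_register() call,
# and exits non-zero if any call did not register.
summarize_svc_register() {
    awk '
        BEGIN { prog = vers = "?" }
        # Verbose detail lines look like:
        #   prognum = (rpcprog_t) 2112    (0x840)
        # The "(type)" check skips the wrapped call-summary line, which
        # also starts with "versnum =" but carries no type cast.
        $1 == "prognum" && $2 == "=" && $3 ~ /^\(/ { prog = $4 }
        $1 == "versnum" && $2 == "=" && $3 ~ /^\(/ { vers = $4 }
        $1 == "return"  && $2 == "=" && $3 ~ /^\(/ {
            result = ($4 == 1) ? "registered" : "FAILED"
            printf "prognum=%s versnum=%s return=%s %s\n", prog, vers, $4, result
            if ($4 != 1) bad = 1
            prog = vers = "?"
        }
        END { exit bad + 0 }
    '
}

# Sample input: the trace exactly as quoted in the post.
SAMPLE_TRACE='kadmind  -> libnsl.so.1:svc_register(xprt = 0x2c168, prognum = 0x840,
versnum = 0x2, dispatch = 0x12724) = 0x0 errno = 0 (Error 0)
  xprt = (struct __svcxprt *) 0x2c168 (SVCXPRT) { Forward Reference }

  prognum = (rpcprog_t) 2112    (0x840)
  versnum = (rpcvers_t) 2       (0x2)
  dispatch = (void *) 0x12724
  return = (int) 0      (0x0)
kadmind: Cannot register RPC service.'

printf '%s\n' "$SAMPLE_TRACE" | summarize_svc_register ||
    echo "at least one svc_register() call did not register"
```

On the trace from the post, the return value of 0 is reported as a failed registration of program 2112 version 2, which matches the "Cannot register RPC service" message that kadmind prints immediately afterwards.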
