> We heard that krb5-1.4.x would support the protocol (RPCSEC_GSS ?)
> necessary to allow a Solaris 10 kadmin client to work with an MIT
> kadmind.
>
> We tried upgrading our MIT server to 1.4.1 and we still cannot get it to
> work.
>
> We also heard that you need to add a principal of the form:
> kadmin/kdc_name
>
> I was unable to get clarification on the format of kdc_name. We've
> tried:
>
> kadmin/hostname.domain


This should be added automatically/ The hostname should be the
canonical fqdn of the KDC (i.e. not a CNAME)

> kadmin/hostname
> kadmin/cname (our cname for our kerberos server is 'kerberos' )
>
> Nothing made a difference.


We are trying the same: Solaris 10 kadmin client talking to MIT 1.4
kadmind. We use a command like

kadmin -p princ/admin

We are prompted for the password. On entering it we see in the kdc logs
that authentication happens:

May 19 11:34:44 ***** krb5kdc[16731](info): AS_REQ (5 etypes {17 16 23
3 1 }) xxx.xxx.xxx.xxx: ISSUE: authtime 1116498884, etypes {rep=16
tkt=16 ses=16}, princ/admin@MY.DOMAIN for kadmin/kdc.fdn@MY.DOMAIN

But the kadmin client responds:

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

It seems you get further than we do!
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos