Cannot initialize GSS-API authentication, failing. - Kerberos

  1. Cannot initialize GSS-API authentication, failing.

    This doesn't look too promising. Any help, again, would
    be greatly appreciated.

    Solaris 10 6/06 release. Setting up a master KDC from scratch.

    ====================================================================
    See further down for spammy kadmin.local set up output that
    was generated seconds before the following:

    bash-3.00# svcadm enable -r network/security/krb5kdc
    bash-3.00# svcs -l krb5kdc
    fmri svc:/network/security/krb5kdc:default
    name Kerberos key distribution center
    enabled true
    state online <-------------- good
    next_state none
    state_time Wed Jan 24 21:29:00 2007
    logfile /var/svc/log/network-security-krb5kdc:default.log
    restarter svc:/system/svc/restarter:default
    contract_id 100
    dependency require_all/error svc:/network/dns/client (online)
    bash-3.00# svcadm enable -r network/security/kadmin
    bash-3.00# svcs -l kadmin
    fmri svc:/network/security/kadmin:default
    name Kerberos administration daemon
    enabled true
    state maintenance <-------------- bad
    next_state none
    state_time Wed Jan 24 21:29:19 2007
    logfile /var/svc/log/network-security-kadmin:default.log
    restarter svc:/system/svc/restarter:default
    contract_id
    dependency require_all/error svc:/network/dns/client (online)
    bash-3.00#
    ====================================================================
    bash-3.00# /usr/sbin/kadmin -p jblaine/admin
    Authenticating as principal jblaine/admin@JBTEST with password.
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    ====================================================================
    bash-3.00# kinit -p jblaine/admin
    Password for jblaine/admin@JBTEST:
    bash-3.00# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jblaine/admin@JBTEST

    Valid starting Expires Service principal
    01/24/07 21:29:58 01/25/07 21:29:58 krbtgt/JBTEST@JBTEST
    renew until 01/31/07 21:29:58
    bash-3.00#
    ====================================================================
    /var/adm/kadmin.log has this useful message repeating:

    Jan 24 21:29:18 mega1.mitre.org kadmind[1125](Error): Cannot initialize
    GSS-API authentication, failing.
    ====================================================================
    For what it's worth, here are the set up commands I entered
    seconds BEFORE what you see in the screen pastes that start
    this email:

    bash-3.00# kadmin.local
    Authenticating as principal root/admin@JBTEST with password.
    kadmin.local: addprinc jblaine/admin
    WARNING: no policy specified for jblaine/admin@JBTEST; defaulting to no
    policy
    Enter password for principal "jblaine/admin@JBTEST":
    Re-enter password for principal "jblaine/admin@JBTEST":
    Principal "jblaine/admin@JBTEST" created.
    kadmin.local: addprinc -randkey kiprop/mega1.mitre.org
    WARNING: no policy specified for kiprop/mega1.mitre.org@JBTEST;
    defaulting to no policy
    Principal "kiprop/mega1.mitre.org@JBTEST" created.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/mega1.mitre.org
    Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
    AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
    Triple DES cbc mode with HMAC/sha1 added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
    ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
    DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/mega1.mitre.org
    Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
    type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
    type Triple DES cbc mode with HMAC/sha1 added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
    type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
    type DES cbc mode with RSA-MD5 added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
    Entry for principal kadmin/changepw with kvno 3, encryption type AES-128
    CTS mode with 96-bit SHA-1 HMAC added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type Triple
    DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
    with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc
    mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/mega1.mitre.org
    Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
    AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
    Triple DES cbc mode with HMAC/sha1 added to keytab
    WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
    ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
    DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: quit
    bash-3.00#
    ====================================================================
    I am following this document. Yeah, it's Solaris Kerberos. But
    it's MIT Kerberos too.

    http://docs.sun.com/app/docs/doc/816...aosrjl2?a=view
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Cannot initialize GSS-API authentication, failing.

    I don't know if this is exactly the error (since I'm running all MIT on
    Linux here), but my Wiki had the following entry;

    Error: kadmin: GSS-API (or Kerberos) error while initializing kadmin
    interface

    This occurs when kadmin is attempting to talk to the KDC with the wrong
    realm. Usually this occurs if the client's default realm differs from
    the KDC's realm.

    * Run kadmin with the -r REALM.EXAMPLE.COM flag.

    I do remember at one point I had to run something like the following to
    get things to work;
    kadmin -r MYREALM.COM -s server.full.domain.com -p edward/admin@MYREALM.COM

    Hope this helps! Let us know how you get on.

    Regards
    Edward Murrell




  3. Re: Cannot initialize GSS-API authentication, failing.

    Figured it out. Just had to clear the maintenance
    state for kadmin (rolls eyes at self).

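The fix in the last reply, as an added example that is not part of the thread: an SMF instance in maintenance stays there until it is cleared, so the check below picks maintenance instances out of `svcs -l` output and prints the triage commands for each. The sample input is constructed from the listings pasted in the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find SMF instances stuck in
# "maintenance" in `svcs -l` output and print the commands to triage them.

# Constructed sample: the two `svcs -l` listings from the first post,
# trimmed to the fields the parser uses.
sample_svcs_output() {
cat <<'EOF'
fmri svc:/network/security/krb5kdc:default
name Kerberos key distribution center
enabled true
state online
next_state none
logfile /var/svc/log/network-security-krb5kdc:default.log
fmri svc:/network/security/kadmin:default
name Kerberos administration daemon
enabled true
state maintenance
next_state none
logfile /var/svc/log/network-security-kadmin:default.log
EOF
}

# Read `svcs -l` output on stdin; print "<fmri> <logfile>" for every
# instance whose state is maintenance. Relies on the field order shown in
# the thread (fmri, then state, then logfile); "next_state" is a different
# first field and is ignored.
maintenance_instances() {
    awk '
        $1 == "fmri"    { fmri = $2; state = ""; next }
        $1 == "state"   { state = $2; next }
        $1 == "logfile" { if (state == "maintenance") print fmri, $2 }
    '
}

# For each maintenance instance: ask SMF why it failed, read its log,
# and only then clear the state so the restarter tries again.
triage_plan() {
    maintenance_instances | while read -r fmri logfile; do
        echo "svcs -xv $fmri"
        echo "tail $logfile"
        echo "svcadm clear $fmri"
    done
}

# Offline demonstration on the constructed sample; on a Solaris host,
# pipe real output instead:  svcs -l krb5kdc kadmin | triage_plan
sample_svcs_output | triage_plan
```

Clearing without reading the log first only helps if the underlying cause is already fixed; otherwise the instance drops back into maintenance.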