kadmin problem: "Client not found in Kerberos database while initializing kadmin interface"
I'm having problems setting up Single Sign On on my Mac (Snow Leopard). My program was giving the error
accept_sec_context: Unspecified GSS failure. Minor code may provide more information: \ Key table entry not found (000d0000:96c73ab5)
when using the Mac built-in library (/usr/lib/libgssapi_krb.dylib). It works fine with Likewise.
I'd set up an identity for myself in Ticket Viewer, and issued a ticket. I'm now trying to go through the set-up process manually from the terminal. So far so good, up until I get to the "Install the Slave KDCs" step, where I can't start kadmin. I get the following output:
$ kadmin
Authenticating as principal me/[email protected] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
I added myself to the keytab using kadmin.local, but this hasn't worked. I'm stumped as to how to progress from here.
`kadmin -p me` prompts me for my password, but still rejects me with the error:
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
"Client not found in database" means the principal you used, me/admin, does not exist.
"Required KADM5 principal missing" means that your Kerberos database is missing principals for kadmin/fqdn.of.the.kdc@CORP.ORG as well as the legacy fallback kadmin/[email protected]. Add them through
"Missing keytab entry" usually refers to the service principal on the server's keytab (e.g.
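A quick way to check the answer's point against the KDC database, as an added example that is not part of the original answer: feed the output of `kadmin.local -q list_principals` (run on the KDC itself) to this script and it prints which of the principals kadmin depends on are absent. The realm, KDC host name and admin principal below are assumed values.

```shell
#!/bin/sh
# Added example: report which principals kadmin needs but the KDC database lacks.
REALM="CORP.ORG"                    # assumed realm
KDC_FQDN="kdc1.corp.org"            # assumed fully qualified KDC host name
ADMIN_PRINC="me/admin"              # assumed principal used with kadmin

# Per the answer: the per-host kadmin service principal, the legacy
# kadmin/admin fallback, and the client principal itself must all exist.
required_principals() {
    printf '%s\n' \
        "kadmin/$KDC_FQDN@$REALM" \
        "kadmin/admin@$REALM" \
        "$ADMIN_PRINC@$REALM"
}

# Read a principal list (one per line) on stdin; print each required
# principal that is not present. Exact, whole-line matching, so the
# "Authenticating as principal ..." banner line is ignored.
# Usage on the KDC: kadmin.local -q list_principals | missing_principals
missing_principals() {
    db=$(cat)
    required_principals | while IFS= read -r p; do
        printf '%s\n' "$db" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample output: the host principal exists, but neither
# kadmin/admin nor the client principal me/admin does.
SAMPLE_DB='Authenticating as principal root/admin@CORP.ORG with password.
K/M@CORP.ORG
kadmin/kdc1.corp.org@CORP.ORG
kadmin/changepw@CORP.ORG
krbtgt/CORP.ORG@CORP.ORG
me@CORP.ORG'

printf '%s\n' "$SAMPLE_DB" | missing_principals
```

Each printed principal is one to add with `addprinc` in kadmin.local before kadmin will get past the "Required KADM5 principal missing" error.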
I'm unable to use any of the principals which contain a `/`. I ensured the principal is indeed added using `list_principals`, but when doing `kadmin` I get: "Client not found in Kerberos database". Any intuition on what might be causing this?
Are you able to use the same principals with regular `kinit`? Did you specify the correct realm?
No, I'm not able to use principals containing a `/` with `kinit` either. Yes, I ensured that the realm provided is correct.
What information do you see in the KDC logs (usually in the server's syslog) when kinit fails? Can you "getprinc" that principal by name inside kadmin? Can you "getprinc" that principal by name inside `kadmin.local` directly on the KDC?
I have pasted the logs for kinit here, but they don't seem to contain anything interesting. I am able to get the principal using "getprinc" in `kadmin.local`. However, I can't use kadmin because it fails to find the admin user (for failing kadmin, the logs can be found here).
Those are the client logs, I'm more curious about KDC logs. Specifically, are you actually editing the same KDC database that you're trying to log in to?
I'm not getting any KDC logs on kinit, but I do get some logs when I do krb5kdc, which are available here. I don't know how to verify if it's the same KDC database, but I can confirm if I add a user e.g. "User" I am able to do kinit, but if I add a user "User/Admin", kinit fails. This should confirm that it's the same database.
If you're not getting any KDC logs, then it really sounds very much like your kinit or kadmin are connecting to a completely different KDC than kadmin.local does...