kadmin problem: "Client not found in Kerberos database while initializing kadmin interface"

  • I'm having problems setting up Single Sign On on my Mac (Snow Leopard). My program was giving the error

    accept_sec_context: Unspecified GSS failure. Minor code may provide more information: \
    Key table entry not found (000d0000:96c73ab5)
    

    When using the Mac built in library (/usr/lib/libgssapi_krb.dylib). It works fine with Likewise.

    I'd set up an identity for myself in Ticket Viewer, and issued a ticket. I'm now trying to go through the set up process manually from the terminal. So far so good, up until I get to the Install the Slave KDCs step, where I can't start kadmin. I get the following output:

    $ kadmin
    Authenticating as principal me/[email protected] with password.
    kadmin: Client not found in Kerberos database while initializing kadmin interface
    

    I added myself to the keytab using ktadd in kadmin.local, but this hasn't worked. I'm stumped as to how to progress from here.

    Update

    Running kadmin -p me prompts me for my password, but still rejects me with error:

    kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
    
  • user1686

    user1686 Correct answer

    10 years ago

    "Client not found in database" means the principal you used, me/admin, does not exist.

    "Required KADM5 principal missing" means that your Kerberos database is missing principals for kadmin/fqdn.of.the.kdc@CORP.ORG as well as the legacy fallback kadmin/[email protected]. Add them through kadmin.local.

    "Missing keytab entry" usually refers to the service principal on the server's keytab (e.g. host/fqdn.of.my.server).

    I'm unable to use any of the principals which contain a `/`. I ensured the principal is indeed added using `list_principals`, but when doing `kadmin` I get: "Client not found in Kerberos database" Any intuition on what might be causing this?

    Are you able to use the same principals with regular `kinit`? Did you specify the correct realm?

    No, I'm not able to use principals containing a `/` with `kinit` either. Yes, I ensured that the realm provided is correct.

    What information do you see in the KDC logs (usually in the server's syslog) when kinit fails? Can you "getprinc" that principal by name inside kadmin? Can you "getprinc" that principal by name inside `kadmin.local` directly on the KDC?

    I have pasted the logs for kinit here, but they don't seem to contain anything interesting. I am able to get the principal using "getprinc" in `kadmin.local`. However, I can't use kadmin because it fails to find the admin user (for failing kadmin, the logs can be found here).

    Those are the client logs, I'm more curious about KDC logs. Specifically, are you actually editing the same KDC database that you're trying to log in to?

    I'm not getting any KDC logs on kinit, but I do get some logs when I do krb5kdc, which are available here. I don't know how to verify if it's the same KDC database, but I can confirm if I add a user e.g. "User" I am able to do kinit, but if I add a user "User/Admin", kinit fails. This should confirm that it's the same database.

    If you're not getting any KDC logs, then it really sounds very much like your kinit or kadmin are connecting to a completely different KDC than kadmin.local does...

    This answer has been marked as correct, but reading the comments, it does not seem to be fixed. I have a similar problem running kadmin -p [email protected] list_principals. @fredley, can you tell us what you did ?

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used