Hello list,

I am configuring Kerberos backed by an LDAP server, in a local zone on OpenSolaris 2008.05. I managed to get the KDC working and created some admin principals using kadmin.local. However, I can't get kadmind to work...

It fails with the following error:

    Unable to set RPCSEC_GSS service names ('kadmin@krb.testing.c0ff33.net, changepw@krb.testing.c0ff33.net')

Before trying to start kadmind, I exported a keytab for these principals to /etc/krb5/kadm5.keytab. The file exists and is readable:

    # klist -k /etc/krb5/kadm5.keytab
    Keytab name: FILE:/etc/krb5/kadm5.keytab
    KVNO Principal
    ---- ----------------------------------------------------------
       2 kadmin/krb.testing.c0ff33.net@TESTING.C0FF33.NET (...)
       2 changepw/krb.testing.c0ff33.net@TESTING.C0FF33.NET (...)
       2 kadmin/changepw@TESTING.C0FF33.NET (...)

krb.testing.c0ff33.net is the FQDN of this KDC/kadmin server, and TESTING.C0FF33.NET is the name of the realm.

When I use kadmin.local I can see that these principals do exist in the KDB:

    # kadmin.local
    Authenticating as principal root/admin@TESTING.C0FF33.NET with password.
    kadmin.local: getprincs
    (...)
    kadmin/krb.testing.c0ff33.net@TESTING.C0FF33.NET
    changepw/krb.testing.c0ff33.net@TESTING.C0FF33.NET

I also double-checked my DNS and reverse-DNS settings:

    # host -t TXT _kerberos.testing.c0ff33.net
    _kerberos.testing.c0ff33.net descriptive text "TESTING.C0FF33.NET"
    # host -t SRV _kerberos._tcp.testing.c0ff33.net
    _kerberos._tcp.testing.c0ff33.net has SRV record 10 1 88 krb.testing.c0ff33.net.
    # host -t SRV _kerberos._udp.testing.c0ff33.net
    _kerberos._udp.testing.c0ff33.net has SRV record 10 1 88 krb.testing.c0ff33.net.
    # host -t SRV _kerberos-adm._tcp.testing.c0ff33.net
    _kerberos-adm._tcp.testing.c0ff33.net has SRV record 10 1 749 krb.testing.c0ff33.net.
    # host 10.113.0.15
    15.0.113.10.in-addr.arpa domain name pointer krb.testing.c0ff33.net.

kadmin.local is working flawlessly, so I don't think this problem is LDAP-related. I guess it's something in my Kerberos setup. I mostly used the procedure laid out here: http://docs.sun.com/app/docs/doc/816-4557/ggdqi?a=view

BTW, I also read the discussion about removing kadm5.keytab, but it looks like I have an older version of kadmind, as it complains if /etc/krb5/kadm5.keytab does not exist.

Any ideas how to get kadmind working? I've done it in the past on Solaris 10U5 and don't remember such a problem.

Thanks in advance
Radek
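A small check for the keytab step in the post above, added here as an example (it is not Radek's code, nor anything from the Sun documentation he links). The kadmind error names two RPCSEC_GSS service principals, kadmin@<fqdn> and changepw@<fqdn>, so the first thing to confirm is that the keytab kadmind reads holds entries for exactly that host name and realm. The script parses `klist -k` output, derives the two expected principals from the FQDN and realm given in the post, and reports missing entries; a principal that matches only when case is ignored is reported separately, since Kerberos principal names are case-sensitive and such a mismatch is easy to miss by eye. The two listings are constructed (the first reproduces the post's keytab without the trailing "(...)" columns); the `klist -k` invocation in the main block assumes the MIT/Solaris output layout shown in the post.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample: the `klist -k /etc/krb5/kadm5.keytab` listing from the
# post, with the trailing "(...)" columns dropped.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/kadm5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 kadmin/krb.testing.c0ff33.net@TESTING.C0FF33.NET
   2 changepw/krb.testing.c0ff33.net@TESTING.C0FF33.NET
   2 kadmin/changepw@TESTING.C0FF33.NET
"""

# Constructed negative sample: one entry was exported with the host name in a
# different case, the other with a short host name instead of the FQDN.
SAMPLE_BAD_OUTPUT = """\
Keytab name: FILE:/etc/krb5/kadm5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 kadmin/KRB.testing.c0ff33.net@TESTING.C0FF33.NET
   2 changepw/krb@TESTING.C0FF33.NET
"""

# One keytab entry line: leading KVNO, then a principal containing '@'.
# Header, separator and blank lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def parse_klist(output: str) -> Dict[str, List[int]]:
    """Map each principal in `klist -k` output to the KVNOs present for it."""
    entries: Dict[str, List[int]] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        entries.setdefault(principal, []).append(kvno)
    return entries


def kadmind_service_principals(fqdn: str, realm: str) -> List[str]:
    """The two service principals named in the RPCSEC_GSS error from kadmind."""
    return [f"kadmin/{fqdn}@{realm}", f"changepw/{fqdn}@{realm}"]


def check_kadm5_keytab(output: str, fqdn: str, realm: str) -> Dict[str, List[str]]:
    """Classify each required principal as ok, case_mismatch or missing."""
    entries = parse_klist(output)
    lowered = {p.lower(): p for p in entries}  # case-insensitive lookup
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "case_mismatch": []}
    for wanted in kadmind_service_principals(fqdn, realm):
        if wanted in entries:
            result["ok"].append(wanted)
        elif wanted.lower() in lowered:
            result["case_mismatch"].append(
                f"{wanted} (keytab has {lowered[wanted.lower()]})"
            )
        else:
            result["missing"].append(wanted)
    return result


if __name__ == "__main__":
    # Usage: check_kadm5.py /etc/krb5/kadm5.keytab krb.testing.c0ff33.net TESTING.C0FF33.NET
    # With no arguments the constructed sample listing is checked instead.
    if len(sys.argv) == 4:
        listing = subprocess.run(
            ["klist", "-k", sys.argv[1]], capture_output=True, text=True, check=True
        ).stdout
        fqdn, realm = sys.argv[2], sys.argv[3]
    else:
        listing = SAMPLE_KLIST_OUTPUT
        fqdn, realm = "krb.testing.c0ff33.net", "TESTING.C0FF33.NET"
    for status, items in check_kadm5_keytab(listing, fqdn, realm).items():
        for item in items:
            print(f"{status}: {item}")
```

The FQDN argument should be whatever the host's canonical name resolves to (the post's forward and reverse lookups both give krb.testing.c0ff33.net), because that is the name the service principal has to carry; a keytab that passes this check but still fails to load points the investigation elsewhere, for instance at file permissions or at the KVNO in the keytab versus the KVNO of the principal in the KDB.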