scotty adams <[EMAIL PROTECTED]> writes:
> Hi,
>
> This is what I am getting after all
>
> bash-2.05# kadmin scotty
> Enter Password:
> Enter Password:
> kadmin: Preauthentication failed while initializing kadmin interface
>
> kdc.log shows:
>
> Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88):
> PREAUTH_FAILED: scotty/[EMAIL PROTECTED] for kadmin/[EMAIL PROTECTED],
> Preauthentication failed
>
> Any help on this ... appreciated
>
> Thanks,
> scotty
>
> scotty adams <[EMAIL PROTECTED]> wrote: I tried the following:
>
> bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
> Enter Password:
> kadmin: Incorrect password while initializing kadmin interface
>
> even the password that I used is surely correct!!!
>
> Please point me out to these two errors.
>
> Regards,
> Scotty

"Preauthentication failed" probably doesn't mean your password is incorrect. At least, in my test environment, I get "Incorrect password" if I botch the password with preauth turned on. The first thing I would look at with that is to see if time is sync'd up. The 2nd thing I'd try is to see if it works if REQUIRES_PRE_AUTH is turned off on the principal.

When you're getting messages like these--"preauth failed" or "bad pw", that's not a kadm5 problem, that's a krb5 problem. You can separate out and simplify your problem by trying kinit and kvno first. When you get those to work, then you can fool around with kadmin.

For these experiments, you may need to set password or examine what's in the kdb. On your kdc, as root, run
	kadmin.local
then you can do things like
	getprinc
	listprincs
	cpw
	xst
etc. Use all but the last liberally. Use the last only when you intend to replace a keytab that you are convinced is broken.

Below, see scotty.scottie.navlink.com . Use what you really have - is that really your admin_server host? If that is, you should probably have something like:

	[libdefaults]
		default_realm = SCOTTIE.COMPANY.COM
	[realms]
		SCOTTIE.COMPANY.COM = {
			kdc = scotty.scottie.navlink.com:88
			master_kdc = scotty.scottie.navlink.com:88
			admin_server = scotty.scottie.navlink.com:749
		}
	[domain_realm]
		.navlink.com = SCOTTIE.COMPANY.COM

in your krb5.conf file, plus at least a local dns environment where a lookup of scotty.scottie.navlink.com goes to the right thing, and a reverse arpa lookup of the ipaddress also points back at the same name.

So, the commands you should get working are
(client machine):
	ping -s scotty.scottie.navlink.com
	^C
	kinit [EMAIL PROTECTED]
	kinit scotty/[EMAIL PROTECTED]
	kvno kadmin/[EMAIL PROTECTED] ??
	kvno kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
	klist -fean
(on the kdc):
	cd (wherever you keep kadm5.keytab, which might be named in kdc.conf):
	klist -ket kadm5.keytab
	kinit -kt kadm5.keytab kadmin/[EMAIL PROTECTED]
	klist -fean
	kadmin.local
		getprinc kadmin/[EMAIL PROTECTED] ??
		getprinc kadmin/[EMAIL PROTECTED]
		getprinc [EMAIL PROTECTED]
		getprinc scotty/[EMAIL PROTECTED]

the ping proves dns & network routing work; check the ip address.
the 1st 2 kinit's prove you can authenticate.
the kvno proves you can get a service ticket.
The kdc kinit proves that you have a working keytab on that machine.
Note various etypes & kvno's in output: make sure they're consistent.

If you can't get the kinit commands to work, you can look at the actual network traffic to see what is really going on. Check out
	http://lists.openafs.org/pipermail/openafs-info/2006-March/021789.html
You may also be able to use ethereal, see
	http://www.ethereal.com/
a solaris 9 package might be here:
	http://www.sunfreeware.com/programlistintel9.html

				-Marcus Watts
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
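
An added example, not part of the original message and not MIT Kerberos code: a small Python check of the krb5.conf layout discussed above, confirming that default_realm has a [realms] entry with kdc and admin_server and that the KDC host maps to that realm under [domain_realm]. The helper names parse_krb5_conf and check_client_config are hypothetical, the parser handles only one level of braces, the host-to-realm lookup is a simplified model of the library's, and SAMPLE is constructed.

```python
import re

# Sections documented for a client krb5.conf in MIT Kerberos.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "plugins"}

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' relations and one level of { } blocks."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub).setdefault(key, []).append(value)
    return conf

def check_client_config(conf, host):
    """Return findings for a client that has to reach the KDC/admin host `host`."""
    findings = [f"unrecognized section [{s}]" for s in conf if s not in KNOWN_SECTIONS]
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        return findings + [f"no [realms] entry for default_realm {realm}"]
    findings += [f"{realm}: no {key}" for key in ("kdc", "admin_server") if key not in entry]
    # Simplified lookup order: exact host name, then parent domains with a leading dot.
    labels = host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapping = conf.get("domain_realm", {})
    mapped = next((mapping[n][0] for n in names if n in mapping), None)
    if mapped != realm:
        findings.append(f"[domain_realm] maps {host} to {mapped}, expected {realm}")
    return findings

# Constructed sample: names taken from the message, last section name misspelled.
SAMPLE = """[libdefaults]
default_realm = SCOTTIE.COMPANY.COM
[realms]
SCOTTIE.COMPANY.COM = {
    kdc = scotty.scottie.navlink.com:88
    admin_server = scotty.scottie.navlink.com:749
}
[domain_realms]
.navlink.com = SCOTTIE.COMPANY.COM"""
```

Calling check_client_config(parse_krb5_conf(SAMPLE), "scotty.scottie.navlink.com") reports the misspelled section and the resulting missing host-to-realm mapping; with the section spelled domain_realm it returns no findings.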