scotty adams <[EMAIL PROTECTED]> writes:
> Hi,
> 
> This is what I am getting after all
> 
> bash-2.05# kadmin scotty
> Enter Password:
> Enter Password:
> kadmin: Preauthentication failed while initializing kadmin interface
> 
> kdc.log shows:
> 
> Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): 
> PREAUTH_FAILED: scotty/[EMAIL PROTECTED] for kadmin/[EMAIL PROTECTED], 
> Preauthentication failed
> 
> Any help on this ... appreciated
> 
> Thanks,
> scotty
> 
> scotty adams <[EMAIL PROTECTED]> wrote: I tried the following:
> 
> bash-2.05# kadmin -p kadmin/scottie.beirut.navlink.com
> Enter Password:
> kadmin: Incorrect password while initializing kadmin interface
> 
> Even the password that I used is surely correct!!!
> 
> Please point me out to these two errors.
> 
> Regards,
> Scotty

"Preauthentication failed" probably doesn't mean your password
is incorrect.  At least, in my test environment, I get
"Incorrect password" if I botch the password with preauth turned on.
The first thing I would look at with that is to see if
time is sync'd up.  The 2nd thing I'd try is to see if it works
if REQUIRES_PRE_AUTH is turned off on the principal.

When you're getting messages like these--"preauth failed" or "bad pw",
that's not a kadm5 problem, that's a krb5 problem.  You can separate
out and simplify your problem by trying kinit and kvno first.
When you get those to work, then you can fool around with kadmin.

For these experiments, you may need to set password or examine
what's in the kdb.  On your kdc, as root, run
        kadmin.local
then you can do things like
        getprinc
        listprincs
        cpw
        xst
etc.  Use all but the last liberally.  Use the last only when you
intend to replace a keytab that you are convinced is broken.

Below, see scotty.scottie.navlink.com .  Use what you really
have - is that really your admin_server host?
If that is, you should probably have something like:
        [libdefaults]
                default_realm = SCOTTIE.COMPANY.COM
        [realms]
                SCOTTIE.COMPANY.COM = {
                        kdc = scotty.scottie.navlink.com:88
                        master_kdc = scotty.scottie.navlink.com:88
                        admin_server =  scotty.scottie.navlink.com:749
                }
        [domain_realm]
                .navlink.com = SCOTTIE.COMPANY.COM
in your krb5.conf file, plus at least a local dns environment
where a lookup of scotty.scottie.navlink.com goes to the right thing,
and a reverse arpa lookup of the IP address also points back
at the same name.

So, the commands you should get working are
(client machine):
        ping -s scotty.scottie.navlink.com
        ^C
        kinit [EMAIL PROTECTED]
        kinit scotty/[EMAIL PROTECTED]
        kvno kadmin/[EMAIL PROTECTED]
??      kvno kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
        klist -fean
(on the kdc):
        cd (wherever you keep kadm5.keytab, which might be named in kdc.conf):
        klist -ket kadm5.keytab
        kinit -kt kadm5.keytab kadmin/[EMAIL PROTECTED]
        klist -fean
        kadmin.local
        getprinc kadmin/[EMAIL PROTECTED]
??      getprinc kadmin/[EMAIL PROTECTED]
        getprinc [EMAIL PROTECTED]
        getprinc scotty/[EMAIL PROTECTED]

The ping proves DNS & network routing work; check the IP address.
The 1st 2 kinits prove you can authenticate.
The kvno proves you can get a service ticket.
The kdc kinit proves that you have a working keytab on that
machine.  Note various etypes & kvno's in output: make sure they're
consistent.

If you can't get the kinit commands to work, you can look
at the actual network traffic to see what is really going on.
Check out
http://lists.openafs.org/pipermail/openafs-info/2006-March/021789.html
You may also be able to use ethereal; see http://www.ethereal.com/
A Solaris 9 package might be here:
http://www.sunfreeware.com/programlistintel9.html

                                        -Marcus Watts
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
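
Added example (not part of the original message and not MIT Kerberos code): a Python check of the DNS condition described above, that each kdc/admin_server host named in krb5.conf resolves forward and that the reverse lookup of that address points back at the same name. The names `SAMPLE_CONF`, `realm_hosts` and `check_dns` are hypothetical, the config text is a constructed sample, and host values are assumed to be hostnames with an optional `:port` (no IPv6 literals).

```python
import socket

# Constructed sample, modelled on the krb5.conf fragment in the message above.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = SCOTTIE.COMPANY.COM
[realms]
    SCOTTIE.COMPANY.COM = {
        kdc = scotty.scottie.navlink.com:88
        admin_server = scotty.scottie.navlink.com:749
    }
"""

def realm_hosts(text):
    """Return (default_realm, sorted kdc/master_kdc/admin_server hosts of that realm)."""
    section = realm = default = None
    hosts = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default = value
            elif section == "realms" and value == "{":
                realm = key
            elif realm and key in ("kdc", "master_kdc", "admin_server"):
                # Drop the ":port" suffix before resolving the name.
                hosts.setdefault(realm, set()).add(value.split(":")[0].lower())
    return default, sorted(hosts.get(default, ()))

def check_dns(text, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return problems where forward and reverse lookups of a realm host disagree."""
    problems = []
    for host in realm_hosts(text)[1]:
        try:
            addr = forward(host)
            name, aliases, _ = reverse(addr)
        except OSError as exc:               # gaierror and herror are OSError subclasses
            problems.append(f"{host}: lookup failed ({exc})")
            continue
        names = {n.lower().rstrip(".") for n in [name, *aliases]}
        if host not in names:
            problems.append(f"{host}: {addr} reverses to {name}, not {host}")
    return problems
```

On a client, `check_dns(open("/etc/krb5.conf").read())` runs the same check against the live resolver; an empty list means forward and reverse lookups agree for every host in the default realm.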
