kadmin interface not working - immediately closes connection

Server Fault Asked by EricR on January 28, 2021

So far I’ve been doing most of the administration for Kerberos with kadmin.local; however, I’m trying to migrate over to using the remote kadmin, as it would be better practice and all.

What I’m seeing is this:

esr@cpt2:~$ kadmin -p 'esr/admin'
Authenticating as principal esr/admin with password.
Password for esr/[email protected]: 
esr@cpt2:~$

i.e., login happens perfectly, but the connection is immediately closed.

On the server side:

Jan 08 12:51:02 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: NEEDED_PREAUTH: esr/[email protected] for kadmin/[email protected], Additional pre-authentication required
Jan 08 12:51:05 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: ISSUE: authtime 1389207065, etypes {rep=18 tkt=18 ses=18}, esr/[email protected] for kadmin/[email protected]

==> /var/log/krb5kdc/kadmin.log <==
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333

The error "wants 2147484348 bytes, cap is 1048572" immediately jumped out at me, but it’s proving incredibly tough to track down. I found http://krbdev.mit.edu/rt/Ticket/Display.html?id=3923, but that seems to have been resolved ages ago.

Additionally, I’m using

Package: krb5-admin-server
Version: 1.10+dfsg~beta1-2ubuntu0.3
Package: krb5-kdc
Version: 1.10+dfsg~beta1-2ubuntu0.3

Client connection trace:

esr$ KRB5_TRACE=/dev/stdout kadmin
Authenticating as principal esr/[email protected] with password.
[2913] 1389633823.366797: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633823.366900: Getting initial credentials for esr/[email protected]
[2913] 1389633823.367196: Setting initial creds service to kadmin/[email protected]
[2913] 1389633823.367314: Sending request (199 bytes) to DOMAIN.EDU
[2913] 1389633823.367417: Resolving hostname ldap-master.domain.edu
[2913] 1389633823.367562: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633823.371591: Received answer from dgram X.X.X.X:88
[2913] 1389633823.410550: Response was not from master KDC
[2913] 1389633823.410581: Received error from KDC: -1765328359/Additional pre-authentication required
[2913] 1389633823.410619: Processing preauth types: 136, 19, 2, 133
[2913] 1389633823.410636: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633823.410640: Received cookie: MIT
Password for esr/[email protected]:
[2913] 1389633826.379096: AS key obtained for encrypted timestamp: aes256-cts/4485
[2913] 1389633826.409058: Encrypted timestamp (for 1389633826.408987): plain <snip>
[2913] 1389633826.409100: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2913] 1389633826.409105: Produced preauth for next request: 133, 2
[2913] 1389633826.409123: Sending request (294 bytes) to DOMAIN.EDU
[2913] 1389633826.409142: Resolving hostname ldap-master.domain.edu
[2913] 1389633826.409203: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633826.506049: Received answer from dgram X.X.X.X:88
[2913] 1389633826.550573: Response was not from master KDC
[2913] 1389633826.550610: Processing preauth types: 19
[2913] 1389633826.550618: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633826.550623: Produced preauth for next request: (empty)
[2913] 1389633826.550632: AS key determined by preauth: aes256-cts/4485
[2913] 1389633826.550688: Decrypted AS reply; session key is: aes256-cts/13A4
[2913] 1389633826.550706: FAST negotiation: available
[2913] 1389633826.550744: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633826.550753: Removing esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0
[2913] 1389633826.550760: Storing esr/[email protected] -> kadmin/[email protected] in MEMORY:kadm5_0
[2913] 1389633826.550770: Storing config in MEMORY:kadm5_0 for kadmin/[email protected]: fast_avail: yes
[2913] 1389633826.550780: Removing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: from MEMORY:kadm5_0
[2913] 1389633826.550787: Storing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: in MEMORY:kadm5_0
[2913] 1389633826.575550: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.575589: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.575641: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 982754712, subkey aes256-cts/33D5, session key aes256-cts/13A4
[2913] 1389633826.578730: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.578775: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.578816: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 799315236, subkey aes256-cts/E55C, session key aes256-cts/13A4
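An added analysis helper, not part of the original question or either answer: it parses the kadmind "wants N bytes, cap is M" line quoted above and decodes N as an ONC RPC record marker (RFC 5531 section 11: high bit = last-fragment flag, low 31 bits = fragment length), which is one reading of why the requested size sits just above 2^31. That the client's first four bytes were an RPC record mark rather than the plain length prefix kadmind expected is an assumption of this example; the log lines are constructed to mirror the question's.

```python
import re

# Constructed sample, mirroring the kadmind lines quoted in the question.
SAMPLE_LOG = """\
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333
"""

WANTS_RE = re.compile(
    r"kadmind\[\d+\]\(Error\): TCP client (?P<client>\S+) "
    r"wants (?P<want>\d+) bytes, cap is (?P<cap>\d+)"
)

LAST_FRAGMENT = 0x80000000  # ONC RPC record mark: high bit set on the last fragment
LENGTH_MASK = 0x7FFFFFFF    # low 31 bits carry the fragment length


def decode_record_mark(value):
    """Interpret a 32-bit value as an ONC RPC record marker (RFC 5531 s.11)."""
    return {
        "last_fragment": bool(value & LAST_FRAGMENT),
        "length": value & LENGTH_MASK,
    }


def analyse_kadmind_log(text):
    """Find 'wants N bytes, cap is M' errors and test the RPC-record-mark reading.

    A hit is flagged as looking like a record mark when the high bit is set
    and the remaining 31 bits are a length that would have fit under the cap,
    i.e. the value is absurd only because a flag bit was read as size.
    """
    findings = []
    for line in text.splitlines():
        m = WANTS_RE.search(line)
        if not m:
            continue
        want, cap = int(m.group("want")), int(m.group("cap"))
        mark = decode_record_mark(want)
        findings.append({
            "client": m.group("client"),
            "wants": want,
            "cap": cap,
            "over_cap": want > cap,
            "fragment_length": mark["length"],
            "looks_like_rpc_record_mark": mark["last_fragment"] and mark["length"] <= cap,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_kadmind_log(SAMPLE_LOG):
        print(f)
```

For the question's value, the decoded fragment length is 700 bytes, well under the 1048572-byte cap, which is consistent with the kadmin client's first record being read by a handler that expected a bare length prefix.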

2 Answers

In my case a restart of the kadmin-service did the trick.

Right beforehand my kadmin did the exact same thing. All the other key-exchanging services worked fine, but I couldn't utilize kadmin (error number $?=141); I never had problems using kadmin.local.

Answered by vinterkind on January 28, 2021

First, the login does not succeed. You will always be prompted for a password regardless of whether the connection works or not. Second, Kerberos error messages are at best hints and at worst completely misleading.

To me it looks like the kadmin client is requesting the wrong service principal. See

http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html

Most Kerberos kadmin sites that I have worked with use kadmin/admin for the kadmind service principal. You need to check the kadmind setup to see what service principal it is using.

Answered by Fred the Magic Wonder Dog on January 28, 2021
