Server Fault Asked by EricR on January 28, 2021
So far I’ve been doing most of the administration for Kerberos with kadmin.local; however, I’m trying to migrate over to using the remote kadmin, as it would be better practice and all.
What I’m seeing is this:
esr@cpt2:~$ kadmin -p 'esr/admin'
Authenticating as principal esr/admin with password.
Password for esr/[email protected]:
esr@cpt2:~$
i.e., login happens perfectly, but the connection is immediately closed.
On the server side:
Jan 08 12:51:02 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: NEEDED_PREAUTH: esr/[email protected] for kadmin/[email protected], Additional pre-authentication required
Jan 08 12:51:05 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: ISSUE: authtime 1389207065, etypes {rep=18 tkt=18 ses=18}, esr/[email protected] for kadmin/[email protected]
==> /var/log/krb5kdc/kadmin.log <==
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333
The error "wants 2147484348 bytes, cap is 1048572" immediately jumped out at me, but it’s proving incredibly tough to track down. I found http://krbdev.mit.edu/rt/Ticket/Display.html?id=3923 but that seems to have been resolved ages ago.
Additionally, I’m using:
Package: krb5-admin-server
Version: 1.10+dfsg~beta1-2ubuntu0.3
Package: krb5-kdc
Version: 1.10+dfsg~beta1-2ubuntu0.3
Client connection trace:
esr$ KRB5_TRACE=/dev/stdout kadmin
Authenticating as principal esr/[email protected] with password.
[2913] 1389633823.366797: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633823.366900: Getting initial credentials for esr/[email protected]
[2913] 1389633823.367196: Setting initial creds service to kadmin/[email protected]
[2913] 1389633823.367314: Sending request (199 bytes) to DOMAIN.EDU
[2913] 1389633823.367417: Resolving hostname ldap-master.domain.edu
[2913] 1389633823.367562: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633823.371591: Received answer from dgram X.X.X.X:88
[2913] 1389633823.410550: Response was not from master KDC
[2913] 1389633823.410581: Received error from KDC: -1765328359/Additional pre-authentication required
[2913] 1389633823.410619: Processing preauth types: 136, 19, 2, 133
[2913] 1389633823.410636: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633823.410640: Received cookie: MIT
Password for esr/[email protected]:
[2913] 1389633826.379096: AS key obtained for encrypted timestamp: aes256-cts/4485
[2913] 1389633826.409058: Encrypted timestamp (for 1389633826.408987): plain <snip>
[2913] 1389633826.409100: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2913] 1389633826.409105: Produced preauth for next request: 133, 2
[2913] 1389633826.409123: Sending request (294 bytes) to DOMAIN.EDU
[2913] 1389633826.409142: Resolving hostname ldap-master.domain.edu
[2913] 1389633826.409203: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633826.506049: Received answer from dgram X.X.X.X:88
[2913] 1389633826.550573: Response was not from master KDC
[2913] 1389633826.550610: Processing preauth types: 19
[2913] 1389633826.550618: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633826.550623: Produced preauth for next request: (empty)
[2913] 1389633826.550632: AS key determined by preauth: aes256-cts/4485
[2913] 1389633826.550688: Decrypted AS reply; session key is: aes256-cts/13A4
[2913] 1389633826.550706: FAST negotiation: available
[2913] 1389633826.550744: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633826.550753: Removing esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0
[2913] 1389633826.550760: Storing esr/[email protected] -> kadmin/[email protected] in MEMORY:kadm5_0
[2913] 1389633826.550770: Storing config in MEMORY:kadm5_0 for kadmin/[email protected]: fast_avail: yes
[2913] 1389633826.550780: Removing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: from MEMORY:kadm5_0
[2913] 1389633826.550787: Storing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: in MEMORY:kadm5_0
[2913] 1389633826.575550: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.575589: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.575641: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 982754712, subkey aes256-cts/33D5, session key aes256-cts/13A4
[2913] 1389633826.578730: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.578775: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.578816: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 799315236, subkey aes256-cts/E55C, session key aes256-cts/13A4
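The kadmind log line in the question reports a client "wanting" 2147484348 bytes, a figure just above 2^31. The kadmin protocol runs over ONC RPC, and RPC over TCP prefixes every message with a 4-byte record mark whose top bit flags the last fragment and whose low 31 bits carry the fragment length (RFC 5531, section 11). The script below, an added example that is not part of the original question nor of MIT krb5, parses that style of log line and decodes the count as a record mark; reading the value that way is an interpretation offered here, not something the thread confirms, and the log text it runs over is constructed from the line the asker quoted.

```python
#!/usr/bin/env python3
"""Decode the byte count in a kadmind "TCP client ... wants N bytes, cap is M" line.

Added example, not code from the question or from MIT krb5. Assumption: a
"wants" value with the 0x80000000 bit set is an ONC RPC record mark
(RFC 5531 section 11), i.e. the server read a raw RPC fragment header as if
it were a plain big-endian length field.
"""
import re

RECORD_MARK_LAST_FRAGMENT = 0x80000000  # top bit: this is the last fragment
RECORD_MARK_LENGTH_MASK = 0x7FFFFFFF    # low 31 bits: fragment length in bytes

# Constructed sample, modelled on the kadmin.log lines quoted in the question.
SAMPLE_LOG = """\
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333
"""

WANTS_RE = re.compile(
    r"kadmind\[(?P<pid>\d+)\]\(Error\): TCP client (?P<client>\S+) "
    r"wants (?P<wants>\d+) bytes, cap is (?P<cap>\d+)"
)


def decode_record_mark(value):
    """Split a 32-bit ONC RPC record mark into (last_fragment, length)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("record mark must fit in 32 bits")
    last = bool(value & RECORD_MARK_LAST_FRAGMENT)
    length = value & RECORD_MARK_LENGTH_MASK
    return last, length


def analyse_line(line):
    """Describe one 'wants ... bytes, cap is ...' line; None for other lines."""
    m = WANTS_RE.search(line)
    if not m:
        return None
    wants = int(m.group("wants"))
    cap = int(m.group("cap"))
    last, length = decode_record_mark(wants)
    return {
        "client": m.group("client"),
        "wants": wants,
        "cap": cap,
        # A genuine request size above 2**31 is implausible for kadmin traffic;
        # a set top bit is the signature of an RPC record mark instead.
        "looks_like_rpc_record_mark": wants >= RECORD_MARK_LAST_FRAGMENT,
        "last_fragment": last,
        "fragment_length": length,
        "fits_cap_if_record_mark": length <= cap,
    }


def analyse_log(text):
    """Run analyse_line over every line of a log excerpt and keep the hits."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_LOG):
        print("client %s: wants=%d (0x%08X) cap=%d" % (r["client"], r["wants"], r["wants"], r["cap"]))
        if r["looks_like_rpc_record_mark"]:
            print("  decoded as RPC record mark: last_fragment=%s length=%d bytes, within cap: %s"
                  % (r["last_fragment"], r["fragment_length"], r["fits_cap_if_record_mark"]))
```

For the quoted line the decoder yields a last-fragment mark carrying a 700-byte fragment, which is well under the 1048572-byte cap. That pattern points at a framing mismatch between what the client sent and how the server side read the length, which is a different lead to follow than a client genuinely asking for two gigabytes.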
In my case a restart of the kadmin service did the trick.
Right beforehand my kadmin did the exact same thing. All the other key-exchanging services worked fine, but I couldn't utilize kadmin (error number $?=141), though I never had problems using kadmin.local.
Answered by vinterkind on January 28, 2021
First, the login does not succeed. You will always be prompted for a password regardless of whether the connection works or not. Second, Kerberos error messages are at best hints and at worst completely misleading.
To me it looks like the kadmin client is requesting the wrong service principal. See
http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html
Most Kerberos kadmin sites that I have worked with use kadmin/admin for the kadmind service principal. You need to check in the kadmind setup to see what service principal it is using.
Answered by Fred the Magic Wonder Dog on January 28, 2021