
I'm having problems setting up Single Sign On on my Mac (Snow Leopard). My program was giving the error

accept_sec_context: Unspecified GSS failure. Minor code may provide more information: \
Key table entry not found (000d0000:96c73ab5)

when using the Mac built-in library (/usr/lib/libgssapi_krb.dylib). It works fine with Likewise.

I'd set up an identity for myself in Ticket Viewer, and issued a ticket. I'm now trying to go through the setup process manually from the terminal. So far so good, up until I get to the Install the Slave KDCs step, where I can't start kadmin. I get the following output:

$ kadmin
Authenticating as principal me/admin@CORP.ORG with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

I added myself to the keytab using ktadd in kadmin.local, but this hasn't worked. I'm stumped as to how to progress from here.

Update

Running kadmin -p me prompts me for my password, but still rejects me with error:

kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
fredley

1 Answer

"Client not found in database" means the principal you used, me/admin, does not exist.

"Required KADM5 principal missing" means that your Kerberos database is missing principals for kadmin/fqdn.of.the.kdc@CORP.ORG as well as the legacy fallback kadmin/admin@CORP.ORG. Add them through kadmin.local.

"Missing keytab entry" usually refers to the service principal on the server's keytab (e.g. host/fqdn.of.my.server).

grawity
  • I'm unable to use any of the principals which contain a /. I ensured the principal is indeed added using list_principals, but when doing kadmin I get: "Client not found in Kerberos database". Any intuition on what might be causing this? – Adeel Ahmad Sep 17 '19 at 09:40
  • Are you able to use the same principals with regular kinit? Did you specify the correct realm? – grawity Sep 17 '19 at 09:44
  • No, I'm not able to use principals containing a / with kinit either. Yes, I ensured that the realm provided is correct. – Adeel Ahmad Sep 17 '19 at 09:50
  • What information do you see in the KDC logs (usually in the server's syslog) when kinit fails? Can you "getprinc" that principal by name inside kadmin? Can you "getprinc" that principal by name inside kadmin.local directly on the KDC? – grawity Sep 17 '19 at 10:11
  • I have pasted the logs for kinit here, but they don't seem to contain anything interesting. I am able to get the principal using "getprinc" in kadmin.local. However, I can't use kadmin because it fails to find the admin user (for failing kadmin, the logs can be found here). – Adeel Ahmad Sep 17 '19 at 12:45
  • Those are the client logs, I'm more curious about KDC logs. Specifically, are you actually editing the same KDC database that you're trying to log in to? – grawity Sep 17 '19 at 13:10
  • I'm not getting any KDC logs on kinit, but I do get some logs when I do krb5kdc, which are available here. I don't know how to verify if it's the same KDC database, but I can confirm if I add a user e.g. "User" I am able to do kinit, but if I add a user "User/Admin", kinit fails. This should confirm that it's the same database. – Adeel Ahmad Sep 17 '19 at 15:04
  • If you're not getting any KDC logs, then it really sounds very much like your kinit or kadmin are connecting to a completely different KDC than kadmin.local does... – grawity Sep 17 '19 at 15:05
  • This answer has been marked as correct, but reading the comments, it does not seem to be fixed. I have a similar problem running kadmin -p user@domain list_principals. @fredley, can you tell us what you did ? – Itération 122442 Jul 27 '20 at 08:24
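The answer above boils down to a checklist: the admin principal you authenticate as, the two kadmin/... principals kadmind needs, and the host/... service principal the GSSAPI server presents from its keytab must all exist in the same KDC database. The script below is an added example, not from the question or the answer: it builds that list for a realm, KDC and application server (all placeholder names here, not values from the thread), compares it against the output of kadmin.local's list_principals, and prints the kadmin.local commands that would create whatever is missing. The existing-principals list is constructed inline so the script runs offline; on a real KDC you would replace it with the output of `kadmin.local -q list_principals`.

```shell
#!/bin/sh
# Added example (not code from the original post). Hostnames and the realm are
# placeholders; replace them with your own. Run on the KDC, where kadmin.local
# can read the database directly.
export LC_ALL=C   # make sort/comm agree on collation regardless of locale

# Principals the accepted answer says must exist for kadmin and a GSSAPI
# service to work: the admin identity, kadmin/<kdc fqdn>, the legacy
# kadmin/admin, and the host/<server fqdn> service principal.
required_principals() {
    realm=$1; kdc_fqdn=$2; server_fqdn=$3; admin_user=$4
    printf '%s\n' \
        "$admin_user/admin@$realm" \
        "kadmin/$kdc_fqdn@$realm" \
        "kadmin/admin@$realm" \
        "host/$server_fqdn@$realm"
}

# $1 = file with the required list, $2 = file with existing principals as
# `kadmin.local -q list_principals` prints them (one per line, preceded by an
# "Authenticating as principal ..." header). Prints required names not found.
missing_principals() {
    grep -v '^Authenticating as' "$2" | sort -u > "$2.sorted"
    sort -u "$1" | comm -23 - "$2.sorted"
    rm -f "$2.sorted"
}

# Reads missing principals on stdin and prints one kadmin.local command per
# line. Service principals get a random key; host/ keys are also exported to
# the keytab the GSSAPI acceptor reads, which is what "Key table entry not
# found" was complaining about. The admin principal gets a password prompt.
kadmin_commands_for() {
    while IFS= read -r princ; do
        case "$princ" in
            host/*)
                echo "kadmin.local -q 'addprinc -randkey $princ'"
                echo "kadmin.local -q 'ktadd -k /etc/krb5.keytab $princ'" ;;
            kadmin/*)
                echo "kadmin.local -q 'addprinc -randkey $princ'" ;;
            *)
                echo "kadmin.local -q 'addprinc $princ'" ;;
        esac
    done
}

# Demo with a constructed list_principals output (not output from the
# question's KDC): the admin and legacy kadmin/admin exist, the per-host
# kadmin principal and the host/ service principal do not.
demo_dir=$(mktemp -d)
required_principals CORP.ORG kdc.corp.org app.corp.org me > "$demo_dir/required"
cat > "$demo_dir/existing" <<'EOF'
Authenticating as principal root/admin@CORP.ORG with password.
krbtgt/CORP.ORG@CORP.ORG
me/admin@CORP.ORG
kadmin/admin@CORP.ORG
EOF
missing_principals "$demo_dir/required" "$demo_dir/existing" | kadmin_commands_for
rm -rf "$demo_dir"
```

If the script reports nothing missing but kinit or kadmin still cannot find the principal, the comment thread above points at the likely cause: the client is talking to a different KDC than the one kadmin.local edits, so check the KDC's own log rather than the client's.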