
ktadmin error - anyone know the cause?

I'm working on supporting Open Directory Kerberos authentication from a Java application. As a part of kerberizing the service the service principal has to be added to Open Directory and a keytab file needs to be exported, using kadmin.

I'm perplexed by the following error on one Open Directory / Mac OS X Server instance I have running, when I try to run sudo kadmin:

"kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface."

This is a fairly new (and mostly unused) server and there is no /etc/krb5.conf file at all. In earlier testing on a different Leopard server machine, these commands worked; I checked and the machine where it works also doesn't have an /etc/krb5.conf file by default. I didn't find any differences in Open Directory settings apart from the

Why might this error occur on one Leopard Server and not another?

Mac Pro, Mac OS X (10.5.6)

Posted on Mar 20, 2009 5:42 PM


Mar 20, 2009 5:48 PM in response to chriscorbell

You say that you do not see any differences in the OD setup. But are they both Open Directory Masters, or is one the master and the second a replica? Or, more likely, if you look on the Overview tab of the OD server, what is the status of Kerberos? My guess is that it is not running. And if you check DNS, it is not set up properly for this machine. That is my gut reaction based on your information.

Hope this helps.

Mar 21, 2009 2:23 AM in response to chriscorbell

Hi

Perhaps you're using the wrong command? AFAIK kadmin should be used when working remotely. You don't say where you are in relation to the server? If sitting at the server you should be using kadmin.local. For example if I issue:

sudo kadmin.local

I get:

Authenticating as principal root/admin@LKDC:SHA1.EB237F611F07B2E8A636804052E8F7252BBA978F with password

If I issue:

sudo kadmin

I get:

Authenticating as principal root/admin@ANOTHERSERVER.DOMAIN.TLD with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

A vital difference. Issuing:

sudo kadmin.local -q list_principals

shows successfully kerberized users, services & hosts. Changing it to kadmin -q list_principals shows nothing except the error message. The above examples are for a client machine.

Strontium90 as ever makes some good points. Correct DNS is the foundation for a fully working Kerberos Realm/World. Get that bit right and everything else should follow.

Tony

Mar 23, 2009 11:10 AM in response to Antonio Rocco

Thanks, this was indeed the problem, so in writing up instructions I'll explicitly say use kadmin.local.

For curiosity I'm still interested in the root cause; there must still be some difference between the two servers because kadmin works on one while kadmin.local is required on the other.

A long shot - could SMB and acting as a Windows PDC have anything to do with it? That's the only difference I could find - the second server (the one that forces me to use kadmin.local) has SMB running and is a Windows PDC (though no Windows clients are actually bound to it currently).

There are examples in the 10.5 Server Command Line Administration guide of using kadmin (not kadmin.local) on the KDC machine. From page 264:

To kerberize a service (from a terminal running on that host):

1. To create the service principal, use kadmin.
   $ sudo kadmin -p admin_principal -q "addprinc -randkey service-principal"
2. Import the principal key into the keytab file.
   $ sudo kadmin -p admin_principal -q "ktadd service-principal"
3. Configure the service to use the new principal.
   This step is service-specific. For information about how to perform this step, see the service documentation.

The man page says "the difference is that kadmin.local runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database." I don't read this as indicating that kadmin shouldn't work on the KDC host.

The particular warning about a krb5.conf file indicates to me that the problem isn't in using kadmin but in some subtle configuration difference. Perhaps there's a setting somewhere to control whether or not kadmin is enabled and/or itself capable for kerberos authentication? As mentioned, neither server has an /etc/krb5.conf file.

(FWIW I installed and set up the server that works with kadmin, while IT set up the one that requires kadmin.local - no word from them on anything they did differently, apart from the SMB service and PDC status).
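An added example, not code from the thread or from Apple's guide: it shows the check behind the "Missing parameters in krb5.conf required for kadmin client" error (the kadmin client needs an admin_server for the realm, which kadmin.local on the KDC does not) and then runs the two guide steps above with whichever client applies. The krb5.conf layout is the standard MIT format; the KDC database directory default and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether the remote `kadmin`
# client can work from a given krb5.conf, or whether `kadmin.local` on the
# KDC host is needed, then run the guide's addprinc/ktadd steps with it.
# Assumption: the KDC's principal database lives under /var/db/krb5kdc;
# override with the third argument of choose_kadmin if it does not.

# Print the admin_server for REALM from CONF; print nothing if it is absent.
krb5_admin_server() {
    conf=$1; realm=$2
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { section=$0; inrealm=0 }               # new [section]
        index(section, "[realms]") && $1 == realm && /=/ { inrealm=1; next }
        inrealm && /^[[:space:]]*}/ { inrealm=0 }                  # end of realm block
        inrealm && /admin_server/ { sub(/.*=[[:space:]]*/, ""); print; exit }
    ' "$conf"
}

# Echo "kadmin.local" when the local KDC database is present (we are on the
# KDC), "kadmin" when the conf names an admin server, and fail otherwise,
# which is the situation that produces the "Missing parameters" error.
choose_kadmin() {
    conf=$1; realm=$2; dbdir=${3:-/var/db/krb5kdc}
    if [ -f "$dbdir/principal" ]; then
        echo kadmin.local; return 0
    fi
    if [ -n "$(krb5_admin_server "$conf" "$realm")" ]; then
        echo kadmin; return 0
    fi
    echo "no admin_server for $realm in $conf and no local KDC database" >&2
    return 1
}

# Steps 1 and 2 of the guide: create a random-key service principal and
# export it to a keytab. Not invoked here; run it on a real KDC.
kerberize_service() {
    tool=$(choose_kadmin "$1" "$2") || return 1
    admin=$3; svc=$4; keytab=${5:-/etc/krb5.keytab}
    sudo "$tool" -p "$admin" -q "addprinc -randkey $svc" &&
    sudo "$tool" -p "$admin" -q "ktadd -k $keytab $svc"
}
```

Example call: `kerberize_service /etc/krb5.conf EXAMPLE.COM admin/admin http/www.example.com /etc/krb5.keytab`.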

Mar 23, 2009 12:05 PM in response to chriscorbell

Hi

"could SMB and acting as a Windows PDC have anything to do with it?"

I doubt it although you never know? In my experience I would say no. Purely OD environments that I've been involved in would not necessarily have the service running. Neither would any of the AD-OD integrations sites I've dealt with.

In 10.4 kadmin was used to create the kdc.conf file remotely whilst kadmin.local was at the server itself AFAIK. Having had no problems using the GUI in 10.5 I can't say whether these command line utilities have changed? I don't see why they should? You could check out kdcsetup, sso_util, kerberosautoconfig, slapconfig, krbservicesetup. Interestingly using kadmin and/or kadmin.local brings kadmind into play which in addition has its manual page.

I understand what you're saying regarding the manual, but to me "running on that host" could equally mean a remote terminal session? This is not intended to be definitive, but having attended the relevant 10.4 & 10.5 Server Courses, it's always been kadmin remote, kadmin.local local.

Tony
