Kerberos error while initializing kadmin interface from admin server


I've run into the same problem (same Debian and krb5-admin-server versions).

The same as you, it wasn't working when I ran kadmin from the kerberos admin server itself, which rules out time differences (I even installed NTP to make sure - it made no difference to the problem).

In my case the issue turned out to be that of entropy. Kadmin, being very secure, requires a lot of entropy to generate the session keys.

My setup (a test setup) is running on virtual machines. I would find that I couldn't kadmin at all, but after around half an hour kadmin would 'mysteriously' start working.

You can check the system entropy at:

/proc/sys/kernel/random/entropy_avail

To remedy the problem I made use of the host computer's entropy (/dev/random), and using rng-tools made this available to kadmin.

As an aside, for general kerberos troubleshooting you can look at:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/troubleshoot.html

Something such as the following will send trace logging to stdout allowing you to see what is going on in detail:

env KRB5_TRACE=/dev/stdout kadmin -p johndoe/[email protected]
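As an added example (not part of the original answer), the check described above as a small POSIX shell script: it reads the kernel entropy pool that kadmin and kadmind draw from, waits a bounded time for it to refill if it is low, and then runs kadmin with KRB5_TRACE so the failure point is visible. The 256-bit threshold, the poll interval and timeout, and the principal name are assumptions made for this example; the answer gives no numbers.

```shell
#!/bin/sh
# Added example, not from the original answer: check the kernel entropy pool
# before running kadmin, wait (with a timeout) for it to refill, then run
# kadmin with trace logging on stdout.
#
# ENTROPY_MIN is an assumed threshold in bits; the page gives no number.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-256}"

# entropy_avail FILE: print the current pool size in bits, or -1 if unreadable
entropy_avail() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        printf '%s\n' -1
    fi
}

# entropy_status FILE MIN: print "ok", "low" or "unknown"
entropy_status() {
    avail=$(entropy_avail "$1")
    if [ "$avail" -lt 0 ]; then
        echo unknown
    elif [ "$avail" -ge "$2" ]; then
        echo ok
    else
        echo low
    fi
}

# wait_for_entropy FILE MIN TIMEOUT_SECS [INTERVAL_SECS]
# Poll until the pool reaches MIN bits; return 0 when it does, 1 on timeout.
wait_for_entropy() {
    file=$1; min=$2; timeout=$3; interval=${4:-5}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ "$(entropy_status "$file" "$min")" = ok ]; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    [ "$(entropy_status "$file" "$min")" = ok ]
}

# kadmin_trace PRINCIPAL: run kadmin with Kerberos trace output on stdout
kadmin_trace() {
    env KRB5_TRACE=/dev/stdout kadmin -p "$1"
}

main() {
    principal=$1
    status=$(entropy_status "$ENTROPY_FILE" "$ENTROPY_MIN")
    echo "entropy pool: $(entropy_avail "$ENTROPY_FILE") bits ($status)"
    if [ "$status" = low ]; then
        # A pool this small is the symptom the answer describes; on a VM,
        # rngd from rng-tools feeding host entropy shortens this wait.
        echo "waiting up to 60s for the pool to refill..."
        wait_for_entropy "$ENTROPY_FILE" "$ENTROPY_MIN" 60 5 \
            || echo "pool still low; kadmin may block on key generation"
    fi
    kadmin_trace "$principal"
}

# Run only when a principal is given; the realm below is a placeholder, e.g.:
#   sh kadmin-check.sh johndoe/admin@EXAMPLE.REALM
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the script reports the pool as low and kadmin then hangs, that is the blocking-on-entropy behaviour described in the answer; the trace output will stop at the point where the session key is being generated.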


Author: jla

Updated on September 18, 2022

Comments

  • jla
    jla almost 2 years

    I updated my master key for my Kerberos 5 server following the MIT Kerberos 5 instructions. I restarted the kdc and kadmind services and used krb5-prop to push the changes to the other servers.

    Now I am unable to connect with kadmin from any server, including the admin server:

    $kadmin
    Authenticating as principal jacob/[email protected] with password.
    Password for jacob/[email protected]:
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    

    From my searching I've found that a common reason for this is time synchronization issues, but the machines are matching within a second and it fails even from the server running kadmind.

    I'm not sure how to troubleshoot this. My version of kadmind doesn't have any kind of debug argument or verbose logging level that I've found. I've tried running it from the command line with -nofork and it's very quiet there.

    The password is accepted. I can kinit as the target principal and if I type the password wrong it tells me.

    kadmin: Incorrect password while initializing kadmin interface
    

    If the kadmind service isn't running it also gives a different error.

    kadmin: Communication failure with server while initializing kadmin interface
    

    I didn't test kadmin just before updating the master password, but I've used it recently and no other configuration changes have been made. I've tried checking my key version numbers (kvno) and they appear to be correct.

    What else could be causing this? Where else can I check? How can I debug kadmind?

    Debian 8, krb5-admin-server 1.12.1.

    • Admin
      Admin almost 8 years
      The issue is more often than not time synchronization. 'Within a second' is not good enough. Set up NTP.
    • 84104
      84104 almost 8 years
      @yoonix While NTP is definitely a good idea, "within a second" is usually good enough for MIT Kerberos 5. clockskew defaults to 300 seconds.
    • 84104
      84104 almost 8 years
      admin_server is kadmind, which is what kadmin interacts with. web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/…
    • Admin
      Admin almost 8 years
      In a business / professional environment, a system using Kerberos should have NTP or some other method keeping them in sync. While it may work with 300 seconds, not setting it up is an incomplete configuration in my opinion. There's no reason not to. Eyeballs (manual verification) should not be a source of time sync. Eyeballs miss little inconsistencies like time zones.
    • jla
      jla almost 8 years
      I cannot connect with kadmin from the admin server. I ssh to the server running kadmind, and try to run kadmin and get the same error. I expect no time drift between the kadmin client and the kadmind server running on the same system.
    • jla
      jla almost 8 years
      At the time I could not connect with kadmin from the admin server. Now I can use kadmin from all locations where it wasn't working. I suspect the issue was a lack of entropy.
  • jla
    jla almost 8 years
    I believe this is the most likely explanation. I had just rekeyed the database and that probably used up all the entropy and the kadmin server is running in a kvm virtual machine. Trying this morning it 'mysteriously' works everywhere it wasn't working last week. It might explain why a couple of times kadmind took forever and even a SIGKILL to terminate it, probably blocked waiting for entropy. Too bad it isn't a little verbose into the logs about this.