Unable to Login to kadmin from Kerberos Client

I figured it out - well, first of all, it turns out that running kadmin was not the right way to test Kerberos. Instead, I installed the kerberized server utilities at the KDC and then tested krsh with:

/usr/kerberos/bin/krsh -x -PN kerberos.monzell.com

As for kadmin, the error I was getting was because I needed to open port 749 at the KDC:

iptables -I INPUT -s 192.168.15.0/24 -m tcp -p tcp --dport 749 -j ACCEPT

That resolved the issue and allowed me to administer the KDC from the client box.

[root@localhost ~]# kadmin -p rilindo/[email protected]
Authenticating as principal rilindo/[email protected] with password.
Password for rilindo/[email protected]: 
kadmin:  listprincs
K/[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
rilindo/[email protected]
[email protected]
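
Added example (not part of the original post): a triage over KDC log lines like the ones quoted in the question. It separates clients that were issued a ticket for a kadmin/* service (the KDC exchange works, so a kadmin "Communication failure" points at the kadmind port, 749 in the answer above) from clients that only hit SERVER_NOT_FOUND. The sample log lines, the EXAMPLE.COM realm, the principals, the 192.0.2.x addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's code.
# Reads krb5kdc log lines on stdin and prints, per client address:
#   <client-ip> <issued> <not_found> <verdict>
# Only AS_REQ lines that ask for a kadmin/* service are counted.
kadmin_triage() {
    awk '
    / AS_REQ / && / for kadmin\// {
        i = index($0, "}) ")               # end of the requested etype list
        if (i == 0) next
        split(substr($0, i + 3), f, ": ")  # f[1] = client address, f[2] = result
        seen[f[1]] = 1
        if (f[2] == "ISSUE") issued[f[1]]++
        else if (f[2] == "SERVER_NOT_FOUND") missing[f[1]]++
    }
    END {
        for (ip in seen) {
            # A ticket for kadmin/* was issued: the KDC side is fine, so a
            # client-side failure is on the path to kadmind (port 749).
            if (issued[ip] > 0) verdict = "check-kadmind-port-749"
            # Only lookups that failed: the requested kadmin/<host> principal
            # is not in the database.
            else if (missing[ip] > 0) verdict = "kadmin-principal-missing"
            else verdict = "other"
            printf "%s %d %d %s\n", ip, issued[ip], missing[ip], verdict
        }
    }' | sort
}

# Constructed sample input in the krb5kdc log format shown in the question.
sample_log() {
    cat <<'EOF'
Sep 12 23:19:47 kdc krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: SERVER_NOT_FOUND: alice/admin@EXAMPLE.COM for kadmin/kdc.example.com@EXAMPLE.COM, Server not found in Kerberos database
Sep 12 23:19:47 kdc krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: ISSUE: authtime 1315883987, etypes {rep=18 tkt=18 ses=18}, alice/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM
Sep 12 23:21:02 kdc krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.40: SERVER_NOT_FOUND: bob/admin@EXAMPLE.COM for kadmin/kdc.example.com@EXAMPLE.COM, Server not found in Kerberos database
Sep 12 23:22:10 kdc krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.40: ISSUE: authtime 1315884130, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

sample_log | kadmin_triage
```

On a real KDC, feed the function the krb5kdc log instead of the constructed sample.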

Author: Rilindo

I like clouds, I like automation, I like to automate clouds and secure them.

Updated on September 18, 2022

Comments

  • Rilindo
    Rilindo over 1 year

    I have a small problem of getting my client to authenticate to a Kerberos server that I just set up. Whenever I run:

    [root@localhost log]# kadmin -r KERBEROS.MONZELL.COM -p host/kerberos.monzell.com
    Authenticating as principal host/kerberos.monzell.com with password.
    

    I get the following message:

    Password for host/[email protected]: 
    kadmin: Communication failure with server while initializing kadmin interface
    

    On the server side, I see the following:

    Sep 12 23:19:47 sl6 krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.15.31: SERVER_NOT_FOUND: host/[email protected] for kadmin/[email protected], Server not found in Kerberos database
    

    Although it seems to be doing something else afterwards:

    Sep 12 23:19:47 sl6 krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.15.31: ISSUE: authtime 1315883987, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for kadmin/[email protected]
    Sep 12 23:24:14 sl6 krb5kdc[6349](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.15.31: ISSUE: authtime 1315884254, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for kadmin/[email protected]
    

    I tried to add a few principals to get it working:

    kadmin.local:  listprincs
    K/[email protected]
    host/[email protected]
    host/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    [email protected]
    krbtgt/[email protected]
    [email protected]
    root/[email protected]
    

    As well as adding the hostnames for the real and client on both the client's hosts file as well as the server hosts file (client is kvm0001.monzell.com, while the kerberos server is kerberos.monzell.com). So far, no success.

    What direction should I go from here?

    Both client and server are running Scientific Linux 6, BTW, the client being a KVM instance running on top of the server.

    Let me add that yes, there is an option to enable Kerberos Authentication within the authconfig utility. However, it is my first time setting up a Kerberos server, so I don't know if it would actually work. Which is why I am going through this particular exercise.

    • Rilindo
      Rilindo over 12 years
      Yes to both questions. Let me add the OS information, while I am at it...