[23827] in Kerberos


MacOSX Tiger kadmin uses a non-standard service principal

daemon@ATHENA.MIT.EDU (Ben Poliakoff)
Thu May 5 17:13:44 2005

Date: Thu, 5 May 2005 14:05:46 -0700
From: Ben Poliakoff <benp@reed.edu>
To: kerberos@mit.edu
Message-ID: <20050505210546.GZ18361@tristero.reed.edu>

Has anyone else noticed that the kadmin command on the recently released
Mac OS 10.4 (aka "Tiger") wants to use a "non-standard" kadmin service
principal?

On previous versions of OSX the kadmin command used the "standard"
service principal in the form "kadmin/admin@<REALM>" (just like MIT krb5
clients do).

On Tiger, kadmin is trying to find "kadmin/<FQDN>@<REALM>", which in my
KDC doesn't exist; kadmin then bails with this error:

    kadmin: Database error! Required KADM5 principal missing while
    initializing kadmin interface

On my KDC's log I see this:

    May 05 12:00:00 kdchostname krb5kdc[225](info): AS_REQ (7 etypes\
      {18 17 16 23 1 3 2}) x.x.x.x: SERVER_NOT_FOUND:\
      username/admin@<REALM> for kadmin/<FQDN>@<REALM>,\
      Server not found in Kerberos database

I may well have missed something; is a new "standard" emerging?  MIT
krb5-1.4.1 doesn't seem to look for "kadmin/<FQDN>@<REALM>" (it happily
uses the same "kadmin/admin@<REALM>" format it always has).

Presumably if I create the principal "kadmin/<FQDN>@<REALM>" and add it
to my kadmind's keytab then kadmin on my Tiger machines will work.  But
it's rather annoying to be "blackmailed" into making a modification like
this on one's KDC.

So, has anyone else seen this behavior?  If so, I'd be interested in some
discussion about the best course of action.

Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
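As an added example (not part of Ben's post and not MIT krb5 code), a small log-parsing script that picks out KDC SERVER_NOT_FOUND rejections aimed at kadmin/<instance> service principals other than the conventional kadmin/admin and kadmin/changepw. Run over krb5kdc's log it shows which client addresses are asking for the kadmin/<FQDN> form, which is useful before deciding whether to add that principal to the KDC. The line format follows the log entry quoted above; the sample lines, hostnames, addresses and timestamps are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample krb5kdc log lines in the format quoted in the post
# (hostnames, addresses, realm and times are made up for this example).
SAMPLE_LOG = """\
May 05 12:00:00 kdchost krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.5: SERVER_NOT_FOUND: username/admin@EXAMPLE.COM for kadmin/kdchost.example.com@EXAMPLE.COM, Server not found in Kerberos database
May 05 12:00:02 kdchost krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.6: ISSUE: authtime 1115323202, etypes {rep=16 tkt=16 ses=16}, username/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM
May 05 12:00:03 kdchost krb5kdc[225](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.7: SERVER_NOT_FOUND: alice@EXAMPLE.COM for host/nohost.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# Fields of an AS_REQ/TGS_REQ log line: request type, offered etypes, client
# address, result code, then "client_princ for server_princ" at the end.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>\S+@\S+) for (?P<server>[^,\s]+)"
)

# Instances of the kadmin service that MIT clients conventionally ask for.
STANDARD_KADMIN_INSTANCES = {"admin", "changepw"}


@dataclass
class KdcEvent:
    req: str
    etypes: List[int]
    ip: str
    status: str
    client: str
    server: str


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc request line; return None for lines of other shapes."""
    m = KDC_RE.search(line)
    if not m:
        return None
    return KdcEvent(
        req=m.group("req"),
        etypes=[int(e) for e in m.group("etypes").split()],
        ip=m.group("ip"),
        status=m.group("status"),
        client=m.group("client"),
        server=m.group("server"),
    )


def kadmin_instance(principal: str) -> Optional[str]:
    """Return <instance> of a kadmin/<instance>@REALM principal, else None."""
    name = principal.split("@", 1)[0]
    service, sep, instance = name.partition("/")
    if service != "kadmin" or not sep:
        return None
    return instance


def nonstandard_kadmin_requests(log: str) -> List[KdcEvent]:
    """Requests rejected with SERVER_NOT_FOUND whose target is a kadmin/<x>
    principal with an unconventional instance, e.g. the kadmin/<FQDN> form."""
    hits = []
    for line in log.splitlines():
        ev = parse_kdc_line(line)
        if ev is None or ev.status != "SERVER_NOT_FOUND":
            continue
        inst = kadmin_instance(ev.server)
        if inst is not None and inst not in STANDARD_KADMIN_INSTANCES:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in nonstandard_kadmin_requests(SAMPLE_LOG):
        print(f"{ev.ip} ({ev.client}) asked for {ev.server}")
```

Point the script at the real krb5kdc log instead of SAMPLE_LOG to get the list of addresses to chase down; a hit for kadmin/admin itself would be a different problem (the KDC lacking its own admin principal) and is deliberately not flagged here.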
