[23827] in Kerberos
MacOSX Tiger kadmin uses a non-standard service principal
daemon@ATHENA.MIT.EDU (Ben Poliakoff)
Thu May 5 17:13:44 2005
Date: Thu, 5 May 2005 14:05:46 -0700
From: Ben Poliakoff <benp@reed.edu>
To: kerberos@mit.edu
Message-ID: <20050505210546.GZ18361@tristero.reed.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Errors-To: kerberos-bounces@mit.edu
Has anyone else noticed that the kadmin command on the recently released
Mac OS 10.4 (aka "Tiger") wants to use a "non-standard" kadmin service
principal?
On previous versions of OSX the kadmin command used the "standard"
service principal in the form "kadmin/admin@<REALM>" (just like MIT krb5
clients do).
On Tiger, kadmin is trying to find "kadmin/<FQDN>@<REALM>", which in my
KDC doesn't exist; kadmin then bails with this error:
kadmin: Database error! Required KADM5 principal missing while
initializing kadmin interface
On my KDC's log I see this:
May 05 12:00:00 kdchostname krb5kdc[225](info): AS_REQ (7 etypes\
{18 17 16 23 1 3 2}) x.x.x.x: SERVER_NOT_FOUND:\
username/admin@<REALM> for kadmin/<FQDN>@<REALM>,\
Server not found in Kerberos database
I may well have missed something; is a new "standard" emerging? MIT
krb5-1.4.1 doesn't seem to look for "kadmin/<FQDN>@<REALM>" (it happily
uses the same "kadmin/admin@<REALM>" format it always has).
Presumably if I create the principal "kadmin/<FQDN>@<REALM>" and add it
to my kadmind's keytab then kadmin on my Tiger machines will work. But
it's rather annoying to be "blackmailed" into making a modification like
this on one's KDC.
So, has anyone else seen this behavior? If so, I'd be interested in some
discussion about the best course of action.
Ben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
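Added example (not part of Ben's post or of any Kerberos distribution): a small Python audit over krb5kdc log lines that picks out AS_REQs which fail with SERVER_NOT_FOUND against a "kadmin/<FQDN>@<REALM>" principal, so an administrator can see which client addresses are using the host-specific name and which principals would have to exist before deciding whether to add them. The sample log is constructed here; the SERVER_NOT_FOUND line follows the format quoted in the post, and the ISSUE lines follow MIT krb5kdc's format as I know it. Hostnames, realm and addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample krb5kdc log lines (not taken from a real KDC). The
# SERVER_NOT_FOUND lines mirror the one quoted in the post; the ISSUE lines
# follow MIT's usual "authtime ..., etypes {...}, client for server" layout.
# Realm, hosts and addresses are placeholders (example.com, RFC 5737 space).
SAMPLE_LOG = """\
May 05 12:00:00 kdchostname krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: SERVER_NOT_FOUND: alice/admin@EXAMPLE.COM for kadmin/mac1.example.com@EXAMPLE.COM, Server not found in Kerberos database
May 05 12:00:05 kdchostname krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.11: ISSUE: authtime 1115319605, etypes {rep=16 tkt=16 ses=16}, alice/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM
May 05 12:00:09 kdchostname krb5kdc[225](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.12: SERVER_NOT_FOUND: bob/admin@EXAMPLE.COM for kadmin/mac2.example.com@EXAMPLE.COM, Server not found in Kerberos database
May 05 12:01:00 kdchostname krb5kdc[225](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1115319660, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for host/fs.example.com@EXAMPLE.COM
"""

# Common prefix of a krb5kdc request line: timestamp, host, pid, request type,
# offered enctypes, client address and the status word (ISSUE, SERVER_NOT_FOUND, ...).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for server@REALM" appears in both ISSUE and error lines; the
# server name is cut at the comma that precedes the error text.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")


@dataclass
class KdcEvent:
    req: str
    etypes: list
    addr: str
    status: str
    client: str
    server: str


def parse_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc request line; return None for lines of other shapes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return KdcEvent(
        req=m.group("req"),
        etypes=[int(e) for e in m.group("etypes").split()],
        addr=m.group("addr"),
        status=m.group("status"),
        client=p.group("client"),
        server=p.group("server"),
    )


def kadmin_target_kind(server: str) -> Optional[str]:
    """'standard' for kadmin/admin@REALM, 'host' for kadmin/<fqdn>@REALM, else None."""
    if not server.startswith("kadmin/"):
        return None
    return "standard" if server.split("@", 1)[0] == "kadmin/admin" else "host"


def audit(log_text: str) -> dict:
    """Summarise which clients asked for a host-specific kadmin principal that the KDC lacks."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    host_lookups = [
        (e.addr, e.client, e.server)
        for e in events
        if kadmin_target_kind(e.server) == "host" and e.status == "SERVER_NOT_FOUND"
    ]
    return {
        "total": len(events),
        "standard_lookups": sum(1 for e in events if kadmin_target_kind(e.server) == "standard"),
        "host_lookups": host_lookups,
        # Principals that would have to be created (and added to kadmind's keytab)
        # for these clients to succeed, if the administrator chooses to do so.
        "missing_principals": sorted({s for _, _, s in host_lookups}),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for addr, client, server in report["host_lookups"]:
        print(f"{addr}: {client} asked for {server}")
    print("would need:", report["missing_principals"])
```

Run it against a real log with `audit(open("/var/log/krb5kdc.log").read())`; the regex is tied to the line layout shown in the post, so a KDC configured with a different log format will need the pattern adjusted.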