LinuxQuestions.org
Linux - Software
Old 06-27-2010, 05:20 PM   #1
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
Kerberos (MIT) clients cannot find administrative server through DNS.


Hi guys,
This problem has taken me the whole Sunday, and the only thing I've got left before I start kicking my computer equipment is to ask you guys for help.

I have a problem on the client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV records. It only works if I use the relevant directives in the krb5.conf files.

The Kerberos-related part of my DNS zone looks like this:

Code:
Please note, the $ORIGIN is my-domain.xx

_kerberos._udp.MY-DOMAIN.XX.                 IN SRV 1 0 88   server
_kerberos._tcp.MY-DOMAIN.XX.                 IN SRV 1 0 88   server
_kerberos-adm_tcp.MY-DOMAIN.XX.              IN SRV 1 0 749  server
_kpasswd._udp.MY-DOMAIN.XX.                  IN SRV 1 0 464  server

_kerberos                      IN TXT "MY-DOMAIN.XX"
As far as I can see there is no misconfiguration, and BIND doesn't complain either.


If I configure the basic krb5.conf file on one of my clients, containing only:
Code:
[libdefaults]
default_realm = MY-DOMAIN.XX
I was hoping that the client would look for the KDC via DNS. And initially, when I try to log in as a user principal, it appears to be working.
When writing the command:

kinit mhead/admin

It finds the KDC server. After typing in the password and authenticating successfully, I write:

kadmin

and get the following error:
Code:
Authenticating as principal mhead/admin@MY-DOMAIN.XX with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
What parameters? [libdefaults] is the only parameter Kerberos requires for a minimal configuration, and the Kerberos libraries would automatically use DNS to look up the KDC / adm server etc.

If I add the [realms] stanza to the krb5.conf file, containing:
Code:
[realms]
MY-DOMAIN.XX = {
kdc = server.my-domain.xx:88
admin_server = server.my-domain.xx:749
default_domain = my-domain.xx
}
Then everything works; I'm able to access the administration server with no problems whatsoever.

The same problem happens on both virtual machines that I'm using as clients - a Debian and a CentOS - so it's not a 'one-machine-only' problem.

Something is weird regarding the adm server. I mean, without the [realms] stanza, the client does query DNS properly for the KDC master - it can be tracked in the DNS logs, and even logically, with no [realms] stanza there is no other place than DNS where it can find this information. So the actual authentication of the principal works. It's the kadmin part that exits with the error message above.

According to all the manuals, books and guides I've read, this shouldn't be happening. [libdefaults] with default_realm defined in krb5.conf, in combination with proper DNS records, should be everything a Kerberos client needs. But apparently not.

I don't remember having any problems like this before. This is the first time in several months that I've done a fresh install of a KDC. I believe the Kerberos packages have been updated a few times since then. Could this be a bug of some kind introduced in a newer version of the libs? I have the latest packages on CentOS 5.3.

Thanks in advance.

Last edited by MheAd; 06-27-2010 at 05:31 PM.
 
Old 06-28-2010, 07:23 AM   #2
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Original Poster
Rep: Reputation: 36
Heh. Now, after looking more closely at the documentation on the MIT website, it actually appears that this is "normal" behaviour of MIT Kerberos.

Quote:
_kerberos-adm._tcp
This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the kadmin program and related utilities. For now, you will also need the admin_server entry in krb5.conf. (See krb5.conf.)
Bummer...
Perhaps I'll switch to Heimdal instead. I got confirmation from a friend of mine that this is already implemented in that distribution.

Last edited by MheAd; 06-28-2010 at 07:25 AM.
 
Old 07-01-2015, 04:57 AM   #3
mhetreys
LQ Newbie
 
Registered: Jun 2015
Posts: 4

Rep: Reputation: Disabled
Kerberos (MIT) clients cannot find administrative server through DNS.

bash-4.1# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Here is the krb5.conf file:
bash-4.1# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TESTER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true

[realm]

TESTER.COM = {
kdc = yog.com:88
admin_server = yog.com:749
}

[domain_realm]
.in.com = TESTER.COM
in.com = TESTER.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb5_convert = false
}

I am getting this error. Please help.
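An added diagnostic for the krb5.conf side (example code written for this page, not the thread's or MIT's own): it parses the MIT profile syntax (sections, key = value pairs and nested { } relations) and applies the rules the kadmin client uses to find the admin server: the default realm must have an admin_server entry inside a section named exactly [realms], and with dns_lookup_kdc = false no DNS fallback is possible. Run over a constructed copy of the file above, it reports that the section is spelled [realm], which the profile library does not recognise, so no admin_server is found for TESTER.COM and kadmin fails with the "Missing parameters" message shown. The parse_profile and diagnose_kadmin names and the sample KRB5_CONF text are this example's own.

```python
"""Diagnose why kadmin reports "Missing parameters in krb5.conf required
for kadmin client" for a given krb5.conf.

Added example, not code from the thread or from MIT Kerberos. It parses
the MIT profile syntax far enough for krb5.conf and checks the settings
the kadmin client needs to locate the admin server for the default realm.
"""


def parse_profile(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}.
    Section names are kept exactly as written so misspellings can be reported."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            continue                                # text before the first section
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                            # start of a nested relation
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def is_true(value):
    """Boolean parsing for krb5.conf-style values."""
    return value.strip().lower() in ("true", "yes", "on", "1")


def diagnose_kadmin(conf):
    """Return the reasons the kadmin client could not determine the admin
    server for the default realm; an empty list means the config is consistent."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults] (and none given with -r)"]
    reasons = []
    # The profile library matches section names exactly: [realm] is never read.
    for name in conf:
        if name != "realms" and name.lower().startswith("realm"):
            reasons.append(f"section [{name}] is not [realms]; MIT krb5 ignores it")
    entry = conf.get("realms", {}).get(realm)
    admin_server = entry.get("admin_server") if isinstance(entry, dict) else None
    if entry is None:
        reasons.append(f"no {realm} = {{ ... }} relation in [realms]")
    elif not admin_server:
        reasons.append(f"[realms] relation for {realm} has no admin_server")
    # dns_lookup_kdc defaults to true in MIT krb5; the posted file turns it off.
    if not admin_server and not is_true(libdefaults.get("dns_lookup_kdc", "true")):
        reasons.append("dns_lookup_kdc is false, so a _kerberos-adm._tcp SRV lookup "
                       "could not supply the admin server on releases that support it")
    return reasons


# Constructed sample modelled on the file in post #3.
KRB5_CONF = """\
# constructed sample, not a real host's configuration
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = TESTER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h

[realm]
 TESTER.COM = {
  kdc = yog.com:88
  admin_server = yog.com:749
 }

[domain_realm]
 .in.com = TESTER.COM
 in.com = TESTER.COM
"""

if __name__ == "__main__":
    for reason in diagnose_kadmin(parse_profile(KRB5_CONF)):
        print(reason)
    print("after renaming the section to [realms]:",
          diagnose_kadmin(parse_profile(KRB5_CONF.replace("[realm]", "[realms]"))))
```

Renaming the section to [realms] is the only change needed for the checker to come back clean on this sample; the [domain_realm] entries for in.com do not affect kadmin, which works from the default realm, not from the host's DNS domain.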