This doesn't look too promising. Any help, again, would
be greatly appreciated.
Solaris 10 6/06 release. Setting up a master KDC from scratch.
====================================================================
See further down for spammy kadmin.local set up output that
was generated seconds before the following:
bash-3.00# svcadm enable -r network/security/krb5kdc
bash-3.00# svcs -l krb5kdc
fmri svc:/network/security/krb5kdc:default
name Kerberos key distribution center
enabled true
state online <-------------- good
next_state none
state_time Wed Jan 24 21:29:00 2007
logfile /var/svc/log/network-security-krb5kdc:default.log
restarter svc:/system/svc/restarter:default
contract_id 100
dependency require_all/error svc:/network/dns/client (online)
bash-3.00# svcadm enable -r network/security/kadmin
bash-3.00# svcs -l kadmin
fmri svc:/network/security/kadmin:default
name Kerberos administration daemon
enabled true
state maintenance <-------------- bad
next_state none
state_time Wed Jan 24 21:29:19 2007
logfile /var/svc/log/network-security-kadmin:default.log
restarter svc:/system/svc/restarter:default
contract_id
dependency require_all/error svc:/network/dns/client (online)
bash-3.00#
====================================================================
bash-3.00# /usr/sbin/kadmin -p jblaine/admin
Authenticating as principal jblaine/[EMAIL PROTECTED] with password.
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
====================================================================
bash-3.00# kinit -p jblaine/admin
Password for jblaine/[EMAIL PROTECTED]:
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jblaine/[EMAIL PROTECTED]
Valid starting     Expires            Service principal
01/24/07 21:29:58  01/25/07 21:29:58  krbtgt/[EMAIL PROTECTED]
        renew until 01/31/07 21:29:58
bash-3.00#
====================================================================
/var/adm/kadmin.log has this useful message repeating:
Jan 24 21:29:18 mega1.mitre.org kadmind[1125](Error): Cannot initialize
GSS-API authentication, failing.
====================================================================
For what it's worth, here are the set up commands I entered
seconds BEFORE what you see in the screen pastes that start
this email:
bash-3.00# kadmin.local
Authenticating as principal root/[EMAIL PROTECTED] with password.
kadmin.local: addprinc jblaine/admin
WARNING: no policy specified for jblaine/[EMAIL PROTECTED]; defaulting to no
policy
Enter password for principal "jblaine/[EMAIL PROTECTED]":
Re-enter password for principal "jblaine/[EMAIL PROTECTED]":
Principal "jblaine/[EMAIL PROTECTED]" created.
kadmin.local: addprinc -randkey kiprop/mega1.mitre.org
WARNING: no policy specified for kiprop/[EMAIL PROTECTED];
defaulting to no policy
Principal "kiprop/[EMAIL PROTECTED]" created.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/mega1.mitre.org
Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/mega1.mitre.org with kvno 3, encryption type
DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/mega1.mitre.org
Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/mega1.mitre.org with kvno 3, encryption
type DES cbc mode with RSA-MD5 added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128
CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc
mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/mega1.mitre.org
Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/mega1.mitre.org with kvno 3, encryption type
DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit
bash-3.00#
====================================================================
I am following this document. Yeah, it's Solaris Kerberos. But
it's MIT Kerberos too.
http://docs.sun.com/app/docs/doc/816-4557/6maosrjl2?a=view
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
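
The ktadd output in the message above shows each principal written to kadm5.keytab with four encryption types, two of which (single DES and ArcFour/RC4) are weak. The following is an added example, not part of the original post: it parses a ktadd transcript in that wrapped format and lists the principals, key version numbers and weak entries. The function names and the host name in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample in the wrapped format ktadd prints (host name is made up).
sample_transcript() {
cat <<'EOF'
Entry for principal kadmin/kdc.example.test with kvno 3, encryption type
AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab
WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc.example.test with kvno 3, encryption type
ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc
mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
EOF
}

# stdin: ktadd transcript; stdout: principal<TAB>kvno<TAB>enctype, one per entry.
parse_ktadd() {
    awk '
    { buf = buf " " $0 }                      # undo the line wrapping
    END {
        gsub(/[ \t]+/, " ", buf)
        n = split(buf, rec, "Entry for principal ")
        for (i = 2; i <= n; i++) {            # rec[1] is text before the first entry
            r = rec[i]
            p = index(r, " with kvno ")
            e = index(r, ", encryption type ")
            a = index(r, " added to keytab")
            if (!p || !e || !a) continue      # skip anything that is not an entry
            printf "%s\t%s\t%s\n", substr(r, 1, p - 1),
                substr(r, p + 11, e - p - 11), substr(r, e + 18, a - e - 18)
        }
    }'
}

# Entries whose enctype is single DES or RC4 (ArcFour).
weak_keytab_entries() {
    parse_ktadd | awk -F '\t' '$3 ~ /^(DES cbc|ArcFour)/'
}

# Unique principal/kvno pairs, to confirm every service principal was written.
keytab_principals() {
    parse_ktadd | cut -f 1,2 | sort -u
}

sample_transcript | weak_keytab_entries
```

On Solaris 10 the default /usr/bin/awk lacks gsub, so run this with nawk or /usr/xpg4/bin/awk first in PATH.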