Kerberos error while initializing kadmin interface from admin server

Question

I updated my master key for my Kerberos 5 server following the MIT Kerberos 5 instructions. I restarted the kdc and kadmind services and used krb5-prop to push the changes to the other servers.

Now I am unable to connect with kadmin from any server, including the admin server:

$kadmin
Authenticating as principal jacob/admin@THE.REALM with password.
Password for jacob/admin@THE.REALM:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

From my searching I've found that a common reason for this is time syncronization issues, but the machines are matching within a second and it fails even from the server running kadmind.

I'm not sure how to troubleshoot this. My version of kadmind doesn't have any kind of debug argument or verbose logging level that I've found. I've tried running it from the command line with -nofork and it's very quiet there.

The password is accepted. I can kinit as the target principle and if I type the password wrong it tells me.

kadmin: Incorrect password while initializing kadmin interface

If The kadmind service isn't running it also gives a different error.

kadmin: Communication failure with server while initializing kadmin interface

I didn't test kadmin just before updating the master password, but I've used it recently and no other configuration changes have been made. I've tried checking my key version numbers (kvno) and they appear to be correct.

What else could be causing this? Where else can I check? How can I debug kadmind?

Debian 8, krb5-admin-server 1.12.1.

Answer 1

I've run into the same problem (same Debian and krb5-admin-server versions).

The same as you, it wasn't working when I ran kadmin from the kerberos admin server itself, which rules out time differences (I even installed NTP to make sure - it made no difference to the problem).

In my case the issue turned out to be that of entropy. Kadmin being very secure requires a lot of entropy to generate the session keys.

My setup (a test setup) is running on virtual machines. I would find that I couldn't kadmin at all, but after around half an hour kadmin would 'mysteriously' start working.

You can check the system entropy at:

/proc/sys/kernel/random/entropy_avail

To remedy the problem I made use of the host computer's entropy (/dev/random), and using rng-tools made this available to kadmin.

As an aside, for general kerberos troubleshooting you can look at:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/troubleshoot.html

Something such as the following will send trace logging to stdout allowing you to see what is going on in detail:

env KRB5_TRACE=/dev/stdout kadmin -p johndoe/admin@KRB.TEST.NET

Answer 2

Check that you have opened kdc ports on the server (749 by default, both tcp and udp) and that the client can connect to it. This was the problem for me that resulted in kadmin: Communication failure with server while initializing kadmin interface error.

Answer 3

I encountered this error after upgrading from krb5 1.17 to 1.18, and for me the answer ended up being that I needed to comment out supported_enctypes in my kdc.conf, per: https://forum.ubuntuusers.de/topic/krb5-admin-server-startet-nicht-mehr/#post-9160670 (German).

I think this is related to removing single-DES in krb5 1.18. My config that came from previous default settings and had been working for 1.17 was:

supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3

https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html

I'm betting I probably could've just removed the single-DES entries from that list, but in this case it's probably better to just use the newer defaults that use stronger AES crypto.

So in certain cases this error can actually mean excess kdc.conf parameters instead of missing parameters. It would be great if it could tell you which parameters are problematic instead of making you guess.