The default key encryption types for kadmin/admin in the KDC database are des-cbc-crc and des3-hmac-sha1. If the krb5.conf specifies a default_tgs_enctypes but does not include des3-hmac-sha1, kadmin will fail with the message:

    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

The problem appears to be that kadmin, when it makes a request for the kadmin/admin service ticket, asks for a ticket with the encryption type from the list:

    static krb5_enctype enctypes[] = {
        ENCTYPE_DES3_CBC_SHA1,
        ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_DES_CBC_MD5,
        ENCTYPE_DES_CBC_CRC,
        0,
    };

(See kadm5_init_with_password() => _kadm5_init_any in lib/kadm5/clnt/client_init.c)

However, when new_connection() is called to set up a gssapi rpc connection to the kadmind, the gss_init_sec_context() requests a ticket based upon the intersection of the static list of encryption types:

    static const krb5_enctype wanted_enctypes[] = {
        ENCTYPE_DES3_CBC_SHA1,
        ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_DES_CBC_CRC,
        ENCTYPE_DES_CBC_MD5,
        ENCTYPE_DES_CBC_MD4,
    };

and what the krb5.conf file has defined as the default tgs encryption type. See get_requested_enctypes() in lib/gssapi/krb5/init_sec_context.c

The problem is that the kadmin/admin service ticket will be DES3_CBC_SHA1, but the gss_init_sec_context will only look for what's set by default_tgs_enctypes. If 3des-cbc-sha1 is not set, kadmin will fail.

The solution is to have _kadm5_init_any() do what gss_init_sec_context does: use the encryption types that are in both the desired list and what is defined by default_tgs_enctypes.

I have modified lib/kadm5/clnt/client_init.c to include a modified get_requested_enctypes() obtained from init_sec_context.c which returns an encryption list which is the intersection between what's in a passed list and default_tgs_enctypes. Now you get a service ticket with an encryption type that gss_init_sec_context will also ask for.

Glenn
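
Added example, not part of the original report and not the project's code: a self-contained C model of the mismatch described above and of the proposed intersection fix. The enctype numbers are local stand-ins, the krb5.conf value and the KDC selection rule are constructed assumptions, and `intersect`, `kdc_issue` and `kadmin_connects` are hypothetical names.

```c
#include <stdio.h>
#include <stddef.h>

/* Local stand-ins for the krb5 enctype numbers (RFC 3961 assignments). */
enum { DES_CBC_CRC = 1, DES_CBC_MD4 = 2, DES_CBC_MD5 = 3,
       DES3_CBC_SHA1 = 16, ARCFOUR_HMAC = 23 };

/* The two hard-coded lists quoted in the report. */
static const int kadm5_list[] = { DES3_CBC_SHA1, ARCFOUR_HMAC, DES_CBC_MD5, DES_CBC_CRC };
static const int gss_list[]   = { DES3_CBC_SHA1, ARCFOUR_HMAC, DES_CBC_CRC, DES_CBC_MD5, DES_CBC_MD4 };
/* Constructed sample: kadmin/admin keys, and a default_tgs_enctypes without des3. */
static const int service_keys[] = { DES_CBC_CRC, DES3_CBC_SHA1 };
static const int conf_tgs[]     = { DES_CBC_CRC };
#define N(a) (sizeof(a) / sizeof((a)[0]))

static int contains(const int *l, size_t n, int e) {
    for (size_t i = 0; i < n; i++) if (l[i] == e) return 1;
    return 0;
}

/* Entries of want[] also present in conf[], kept in want[] order (ordering is an assumption). */
static size_t intersect(const int *want, size_t nw, const int *conf, size_t nc, int *out) {
    size_t k = 0;
    for (size_t i = 0; i < nw; i++)
        if (contains(conf, nc, want[i])) out[k++] = want[i];
    return k;
}

/* Simplified KDC (assumption): first requested type the service has a key for; 0 if none. */
static int kdc_issue(const int *req, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (contains(service_keys, N(service_keys), req[i])) return req[i];
    return 0;
}

/* Returns 1 when the ticket kadmin obtained is one the GSS layer would also ask for. */
static int kadmin_connects(int apply_fix) {
    int req[8], gss[8];
    size_t nreq = N(kadm5_list);
    if (apply_fix)  /* proposed fix: request only kadm5_list ∩ default_tgs_enctypes */
        nreq = intersect(kadm5_list, N(kadm5_list), conf_tgs, N(conf_tgs), req);
    else            /* original behaviour: request the hard-coded list unfiltered */
        for (size_t i = 0; i < nreq; i++) req[i] = kadm5_list[i];
    int ticket = kdc_issue(req, nreq);
    size_t ngss = intersect(gss_list, N(gss_list), conf_tgs, N(conf_tgs), gss);
    return ticket != 0 && contains(gss, ngss, ticket);
}

int main(void) {
    printf("before fix: %d, after fix: %d\n", kadmin_connects(0), kadmin_connects(1));
    return 0;
}
```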