From daemon@netmediatech.com Mon Nov 18 12:37:23 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA10636 for ; Mon, 18 Nov 1996 12:37:22 -0500
Received: from netmediatech.com by MIT.EDU with SMTP id AA07024; Mon, 18 Nov 96 12:37:20 EST
Received: from net ([207.34.208.137]) by media.netmediatech.com with SMTP id <38918-137>; Mon, 18 Nov 1996 12:37:39 -0500
Message-Id: <32909ED2.69D8@netmediatech.com>
Date: Mon, 18 Nov 1996 12:37:22 -0500
From: Peter Ziobrzynski
Sender: daemon
To: unlisted-recipients:;;@netmediatech.com (no To-header on input)
Cc: krb5-bugs@MIT.EDU
Subject: Re: error while initializing kadmin interface

>Number: 202
>Category: pending
>Synopsis: Re: error while initializing kadmin interface
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bjaspan
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 18 12:38:01 EST 1996
>Last-Modified: Tue Nov 19 17:15:01 EST 1996
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-feedback
State-Changed-By: bjaspan
State-Changed-When: Mon Nov 18 13:40:56 1996
State-Changed-Why:
I do not think this is a bug.

Responsible-Changed-From-To: gnats-admin->bjaspan
Responsible-Changed-By: bjaspan
Responsible-Changed-When: Mon Nov 18 13:41:35 1996
Responsible-Changed-Why:

From: "Barry Jaspan"
To: pzi@netmediatech.com
Cc: unlisted-recipients:;;;@netmediatech.com;, krb5-bugs@MIT.EDU
Subject: Re: pending/202: Re: error while initializing kadmin interface
Date: Mon, 18 Nov 1996 13:40:48 -0500

Peter,

I am not convinced you are having the problem you think you are
having. The initial message in this thread was from a person who was
getting "Key table entry not found" GSS-API errors from kadmind and
"GSS-API error communicating with kadmind" errors from kadmin. You
are getting "Communication failure with server" from kadmin and *no*
messages from kadmind. This leads me to think your kadmind isn't
running, not that it has the wrong entries in its keytab.

   My 'kinit' and 'klist' for users work fine - only 'kadmin' fails:

   % kadmin
   Enter password:
   kadmin: Communication failure with server while initializing kadmin
   interface

   The syslog messages that follow every KDC transaction are like that:

   Nov 18 12:25:36 tech syslog: AS_REQ 207.34.208.139(88):
   ISSUE: authtime 848337936, pzi/admin@NETMEDIATECH.COM for
   kadmin/admin@NETMEDIATECH.COM

Is kadmind running (check with ps)? Run it, and check the syslog
output; it should log "starting" when it starts, or some other error
message.

Barry

From: Peter Ziobrzynski
To: Barry Jaspan
Cc: krb5-bugs@MIT.EDU, kerberos@MIT.EDU
Subject: Re: pending/202: Re: error while initializing kadmin interface
Date: Mon, 18 Nov 1996 14:19:50 -0500

Barry Jaspan wrote:
>
> Peter,
>
> I am not convinced you are having the problem you think you are
> having. The initial message in this thread was from a person who was
> getting "Key table entry not found" GSS-API errors from kadmind and
> "GSS-API error communicating with kadmind" errors from kadmin. You
> are getting "Communication failure with server" from kadmin and *no*
> messages from kadmind. This leads me to think your kadmind isn't
> running, not that it has the wrong entries in its keytab.
>
>    My 'kinit' and 'klist' for users work fine - only 'kadmin' fails:
>
>    % kadmin
>    Enter password:
>    kadmin: Communication failure with server while initializing kadmin
>    interface
>
>    The syslog messages that follow every KDC transaction are like that:
>
>    Nov 18 12:25:36 tech syslog: AS_REQ 207.34.208.139(88):
>    ISSUE: authtime 848337936, pzi/admin@NETMEDIATECH.COM for
>    kadmin/admin@NETMEDIATECH.COM
>
> Is kadmind running (check with ps)? Run it, and check the syslog
> output; it should log "starting" when it starts, or some other error
> message.
>
> Barry

Barry,

Many thanks for your advice/analysis/direction. It pointed me to the
solution right away. I checked the process table - kadmind was there.
Then checked listening sockets for kerberos ports:

% netstat -a | grep kerb
udp        0      0 *:kerberos-sec          *:*
udp        0      0 *:kerberos              *:*

Only the KDC ports were there. I checked the kdc.conf which I copied
from the sample src/config-files directory of beta7 and found:

kadmind_port = 3761

Changed it to 749 and all works now.

thanks again

To krb5-bugs:

I would remove the port 3761 from the sample configuration files in
src/config-files/kdc.conf.

--
Peter Ziobrzynski, netMedia Technology Inc.
204 Richmond St. #300, Toronto Ontario, Canada, M5V-1V6
tel.(416) 596-8520x242, fax.(416) 596-8610

State-Changed-From-To: feedback-closed
State-Changed-By: bjaspan
State-Changed-When: Mon Nov 18 14:27:43 1996
State-Changed-Why:
Peter,

I'm glad you found the problem. That (incorrect) entry from the
default kdc.conf has already been removed from the development
sources, so the problem will not exist in 1.0.

Barry

>Unformatted:
Barry Jaspan wrote:
>
>    # ls -l /usr/local/lib/krb5kdc/kadm5.keytab
>    -rw------- 1 root other 119 Nov 1 10:41 /usr/local/lib/krb5kdc/kadm5.keytab
>
>    It appears that I have everything I need to run kadmin, but I keep
>    getting the GSS-API error. Have I overlooked something?
>
> Check the key version number of kadmin/admin and kadmin/changepw in
> the keytab and in the database (use klist -k for the keytab, and
> get_principal in kadmin for the database). If they don't match,
> that's the problem. Fix it by re-extracting the keytab with kadmin's
> ktadd.
>
> Hmmm.
> Perhaps there should be a separate error code for "No key table
> entry with matching key version number found" to identify this error
> more precisely...
>
> Barry

I have very similar problem (Linux). I followed your advice on checking
the KVNO in keytab file and the database - all the same:

% klist -k /usr/local/kerberos/lib/krb5kdc/kadm5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   7 kadmin/admin@NETMEDIATECH.COM
   6 kadmin/changepw@NETMEDIATECH.COM

% kadmin.local
kadmin.local: getprinc kadmin/admin
<...>
Key: vno 7, DES cbc mode with CRC-32, no salt
<...>
kadmin.local: getprinc kadmin/changepw
<...>
Key: vno 6, DES cbc mode with CRC-32, no salt
<...>

My 'kinit' and 'klist' for users work fine - only 'kadmin' fails:

% kadmin
Enter password:
kadmin: Communication failure with server while initializing kadmin
interface

The syslog messages that follow every KDC transaction are like that:

Nov 18 12:25:36 tech syslog: AS_REQ 207.34.208.139(88):
ISSUE: authtime 848337936, pzi/admin@NETMEDIATECH.COM for
kadmin/admin@NETMEDIATECH.COM

Any ideas?

cheers - Peter

--
Peter Ziobrzynski, netMedia Technology Inc.
204 Richmond St. #300, Toronto Ontario, Canada, M5V-1V6
tel.(416) 596-8520x242, fax.(416) 596-8610
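
The check that resolved this report (the kadmind_port value in kdc.conf against the port kadmin contacts), written out as an added example; it is not part of the original thread or of the krb5 sources. The sample kdc.conf, its realm names and the function names are constructed for illustration, and 749 is assumed as the client's port because that is the value that worked in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report kdc.conf realms whose
# kadmind_port differs from the port the kadmin client will contact.
EXPECTED_PORT=749   # assumption: the value that fixed the problem in the thread

# Constructed sample kdc.conf; realm names are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.COM = {
        # setting copied from an old sample file
        kadmind_port = 3761
        max_life = 10h 0m 0s
    }
    LAB.EXAMPLE.COM = {
        kadmind_port = 749
    }
EOF
}

# Print "REALM PORT" for each kadmind_port relation inside a realm block.
kadmind_ports() {
    awk -F'=' '
        /^[ \t]*[#;]/  { next }                          # comment lines
        /[{][ \t]*$/   { realm = $1; gsub(/[ \t]/, "", realm); next }
        /^[ \t]*[}]/   { realm = ""; next }
        realm != "" {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "kadmind_port") print realm, val
        }
    ' "$1"
}

# Return 0 if every configured realm uses EXPECTED_PORT; otherwise list
# the mismatches on stdout and return 1.
check_kadmind_port() {
    bad=$(kadmind_ports "$1" | awk -v want="$EXPECTED_PORT" \
        '$2 != want { print $1 ": kadmind_port = " $2 " (client expects " want ")" }')
    if [ -z "$bad" ]; then return 0; fi
    printf '%s\n' "$bad"
    return 1
}

conf=$(mktemp) && write_sample_conf "$conf"
check_kadmind_port "$conf" || echo "kadmind is not listening where kadmin expects it"
rm -f "$conf"
```

Realms that set no kadmind_port are not reported, since they use the daemon's default; pair the check with a look at the listening sockets, as in the thread, to confirm what kadmind actually bound.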