kadmind error - krb5_recvauth: start_seq_get is not supported in the HDBGET keytab type
I'm trying to migrate a heimdal KDC with an OpenLDAP backend from a Debian 5.x server (heimdal 1.2.dfsg.1-2.1) to an Ubuntu 14.04 server (heimdal 1.6~git20131207
Some Kerberos functionality works fine -- I can run kinit, get a ticket and use GSSAPI authentication with sshd successfully. I can even use kadmin with the -l option successfully. However, when I leave out the -l option and try to talk to kadmind, I get errors. For example, if I export the kadmin/admin keytab to the file /tmp/kadmin.keytab and run:
kadmin -p kadmin/admin -K /tmp/kadmin.keytab get kadmin/admin
I get the error:
kadmind[38823]: krb5_recvauth: start_seq_get is not supported in the HDBGET keytab type
This exact same command, with the exact same kadmin.keytab file, works just fine on the Debian 5.x system.
The situation in which I get the above error is where I've either copied the /var/lib/
kadmind[38853]: krb5_recvauth: Decrypt integrity check failed for checksum type hmac-sha1-
I don't understand why the contents of heimdal.db matter, since I'm using an OpenLDAP backend. It seems odd that a static db file is somehow being consulted when the principals are in the LDAP directory. I have verified that I have copied the LDAP directory intact from the Debian 5.x system to the Ubuntu 14.04 system, and there is no master key being used (there is no mkey_file directive, and even if I copy over the default m-key file that was auto-generated originally on the Debian 5.x system it doesn't make any difference). Not sure what else I could do to ensure that the configurations are as similar as possible.
I also tried backporting the more recent heimdal 1.6rc2 package to 14.04 but got the same errors. I tried tracing through kadmind's behavior with gdb but nothing jumped out as being an obvious issue.
Does anyone know what might be going on here? Here are /etc/krb5.conf and /etc/heimdal-
=====
# /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
    renewable = true
    scan_interfaces = true
[realms]
    EXAMPLE.COM = {
        admin_server = localhost
        kdc = localhost
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
[logging]
    default = SYSLOG:INFO
=====
# /etc/heimdal-
[logging]
    kdc = FILE:/var/
    kdc = SYSLOG:INFO
[kdc]
    database = {
        dbname = ldap:dc=
        hdb-
        acl_file = /etc/heimdal-
    }
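The post exports kadmin/admin to /tmp/kadmin.keytab and, in one configuration, sees "Decrypt integrity check failed". That message is the generic Kerberos symptom of a key mismatch: the key the receiving side looked up for the principal is not the one that encrypted what the client sent, usually because kvno or enctype differ between two copies of the principal's key. Whatever the source of the mismatch in this particular setup, one side of the comparison can be inspected offline: the exported keytab itself. The following is an added example, not code from the original post or from Heimdal. It parses the standard 0x0502 keytab format and compares a principal's entries with the kvno and enctypes the KDC reports for it. The sample keytab, the "KDC-reported" kvno 4, and the function names parse_keytab, build_keytab and check_against_kdc are all constructed here for illustration; the only names taken from the post are kadmin/admin and EXAMPLE.COM.

```python
"""Inspect a Kerberos v5 keytab (the 0x0502 file format that Heimdal's
ext_keytab and MIT's ktadd write) and compare its entries for a principal
with the kvno and enctypes the KDC reports.  Added example, not code from the
original post or from Heimdal; sample data is constructed, no real keys."""
import struct

ENCTYPE_NAMES = {  # RFC 3961 / 3962 / 4757 enctype numbers
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1  # name type recorded for ordinary principals
FIXED = ">IIBHH"       # name_type, timestamp, 8-bit vno, enctype, key length


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab, header %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        body = data[off + 4:off + 4 + abs(size)]
        off += 4 + abs(size)
        if size <= 0:          # free slot left behind when an entry was removed
            continue
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(FIXED, body, p)
        p += struct.calcsize(FIXED)
        key = body[p:p + klen]
        p += klen
        vno = vno8             # old 8-bit field; a 32-bit kvno may follow the key
        if len(body) - p >= 4:
            (vno32,) = struct.unpack_from(">I", body, p)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts, "vno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key": key,
        })
    return entries


def build_keytab(entries, leading_deleted_slot=0):
    """Serialise (principal, realm, vno, enctype, key) tuples into keytab bytes.
    Sample-input builder; leading_deleted_slot > 0 first writes a free slot."""
    out = bytearray(b"\x05\x02")
    if leading_deleted_slot:
        out += struct.pack(">i", -leading_deleted_slot) + bytes(leading_deleted_slot)
    for principal, realm, vno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(FIXED, KRB5_NT_PRINCIPAL, 1400000000, vno % 256,
                            enctype, len(key)) + key
        body += struct.pack(">I", vno)  # full kvno, as current writers emit
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_against_kdc(entries, principal, kdc_kvno, kdc_enctypes):
    """Compare the keytab's entries for principal with the kvno and enctypes the
    KDC holds for it (what kadmin -l get prints). Empty list = can match."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no entry for %s in keytab" % principal]
    kvnos = sorted({e["vno"] for e in mine})
    if kdc_kvno not in kvnos:
        return ["kvno mismatch: keytab has %s, KDC entry has %d" % (kvnos, kdc_kvno)]
    common = {e["enctype"] for e in mine if e["vno"] == kdc_kvno} & set(kdc_enctypes)
    if not common:
        return ["no enctype in common for kvno %d" % kdc_kvno]
    return []


# Constructed sample: kadmin/admin@EXAMPLE.COM exported at kvno 3 with two keys.
SAMPLE_KEYTAB = build_keytab([
    ("kadmin/admin", "EXAMPLE.COM", 3, 18, bytes(range(32))),
    ("kadmin/admin", "EXAMPLE.COM", 3, 16, bytes(range(24))),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print("%s kvno=%d %s" % (e["principal"], e["vno"], e["enctype_name"]))
    # Constructed "KDC says" values (kvno 4); take real ones from kadmin -l get.
    print(check_against_kdc(ents, "kadmin/admin@EXAMPLE.COM", 4, {18, 17}))
```

To run this against a real export, pass `open("/tmp/kadmin.keytab", "rb").read()` to parse_keytab and give check_against_kdc the Kvno and key types that `kadmin -l get kadmin/admin` prints on the KDC; a non-empty result means the keytab cannot match the KDC's copy of the key, which is one concrete reason for a "Decrypt integrity check failed" on the wire.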
Question information
Language: English
Status: Solved
For: Ubuntu heimdal
Assignee: No assignee
Solved by: Kartik Subbarao