When I run the command kadmin.local -q "addprinc admin/admin", it adds the realm to the end of the user, so admin/admin becomes admin/admin@LBOX.COM.

This is what I ran. Any suggestions would be awesome.

root@directory:~# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@LBOX.COM with password.
WARNING: no policy specified for admin/admin@LBOX.COM; defaulting to no policy
Enter password for principal "admin/admin@LBOX.COM": 
Re-enter password for principal "admin/admin@LBOX.COM": 
Principal "admin/admin@LBOX.COM" created.
root@directory:~# kadmin.local -q "addprinc -randkey kadmin/directory.lbox.com"
Authenticating as principal root/admin@LBOX.COM with password.
WARNING: no policy specified for kadmin/directory.lbox.com@LBOX.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "kadmin/directory.lbox.com@LBOX.COM".
root@directory:~# /etc/init.d/krb5-admin-server restart
David Neudorfer

1 Answer

This is expected behavior and is necessary. Kerberos principals don't exist in the void but always have a realm. It is conventional that Kerberos realms be uppercase versions of the domain they correspond with, but it is not required. You may include whatever realms you wish in your KDC's database(s). The trick is making sure the authentication requests make it to the appropriate location(s).

(A ticket may be anonymous, but that's a whole different topic.)

84104
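The behavior described in the answer above, as an added example that is not part of the original post or of MIT krb5: a simplified model of how a principal name is split into components and a realm, with the default realm filled in when the name carries none. The function names and the krb5.conf fragment are constructed for illustration, and escape handling is reduced to "backslash makes the next character literal".

```python
# Added example: illustrative helper names, simplified model of name parsing.
# Constructed krb5.conf fragment; LBOX.COM is the realm shown in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LBOX.COM
"""

def default_realm(conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and line.startswith("default_realm"):
            return line.partition("=")[2].strip() or None
    return None

def parse_principal(name, fallback_realm):
    """Split 'comp/comp[@REALM]' into (components, realm)."""
    components, current, realm, in_realm = [], [], [], False
    chars = iter(name)
    for ch in chars:
        target = realm if in_realm else current
        if ch == "\\":                      # escaped character stays literal
            escaped = next(chars, None)
            if escaped is None:
                raise ValueError("trailing backslash")
            target.append(escaped)
        elif ch == "@":                     # first unescaped '@' starts the realm
            if in_realm:
                raise ValueError("more than one unescaped '@'")
            in_realm = True
        elif ch == "/" and not in_realm:    # '/' separates name components
            components.append("".join(current))
            current = []
        else:
            target.append(ch)
    components.append("".join(current))
    if not in_realm:                        # bare name: default realm is appended
        if not fallback_realm:
            raise ValueError("no realm given and no default_realm configured")
        return components, fallback_realm
    return components, "".join(realm)

def canonical(name, conf_text=SAMPLE_KRB5_CONF):
    """Full 'name@REALM' form (escapes are not re-applied on output)."""
    components, realm = parse_principal(name, default_realm(conf_text))
    return "/".join(components) + "@" + realm
```
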