
So far I've been doing most of the administration for kerberos with kadmin.local, however, I'm trying to migrate over to using the remote kadmin as it would be better practice and all.

What I'm seeing is this:

esr@cpt2:~$ kadmin -p 'esr/admin'
Authenticating as principal esr/admin with password.
Password for esr/admin@DOMAIN.EDU: 
esr@cpt2:~$

i.e., login happens perfectly, but the connection is immediately closed.

On the server side:

Jan 08 12:51:02 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: NEEDED_PREAUTH: esr/admin@DOMAIN.EDU for kadmin/ldap-master.domain.edu@DOMAIN.EDU, Additional pre-authentication required
Jan 08 12:51:05 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: ISSUE: authtime 1389207065, etypes {rep=18 tkt=18 ses=18}, esr/admin@DOMAIN.EDU for kadmin/00-kdc.domain.edu@DOMAIN.EDU

==> /var/log/krb5kdc/kadmin.log <==
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333

The error "wants 2147484348 bytes, cap is 1048572" immediately jumped out at me, but it's proving incredibly tough to track down. I found http://krbdev.mit.edu/rt/Ticket/Display.html?id=3923 but that seems to have been resolved ages ago.

Additionally, I'm using

Package: krb5-admin-server
Version: 1.10+dfsg~beta1-2ubuntu0.3
Package: krb5-kdc
Version: 1.10+dfsg~beta1-2ubuntu0.3

Client connection trace:

esr$ KRB5_TRACE=/dev/stdout kadmin
Authenticating as principal esr/admin@DOMAIN.EDU with password.
[2913] 1389633823.366797: Initializing MEMORY:kadm5_0 with default princ esr/admin@DOMAIN.EDU
[2913] 1389633823.366900: Getting initial credentials for esr/admin@DOMAIN.EDU
[2913] 1389633823.367196: Setting initial creds service to kadmin/ldap-master.domain.edu@DOMAIN.EDU
[2913] 1389633823.367314: Sending request (199 bytes) to DOMAIN.EDU
[2913] 1389633823.367417: Resolving hostname ldap-master.domain.edu
[2913] 1389633823.367562: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633823.371591: Received answer from dgram X.X.X.X:88
[2913] 1389633823.410550: Response was not from master KDC
[2913] 1389633823.410581: Received error from KDC: -1765328359/Additional pre-authentication required
[2913] 1389633823.410619: Processing preauth types: 136, 19, 2, 133
[2913] 1389633823.410636: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633823.410640: Received cookie: MIT
Password for esr/admin@DOMAIN.EDU:
[2913] 1389633826.379096: AS key obtained for encrypted timestamp: aes256-cts/4485
[2913] 1389633826.409058: Encrypted timestamp (for 1389633826.408987): plain <snip>
[2913] 1389633826.409100: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2913] 1389633826.409105: Produced preauth for next request: 133, 2
[2913] 1389633826.409123: Sending request (294 bytes) to DOMAIN.EDU
[2913] 1389633826.409142: Resolving hostname ldap-master.domain.edu
[2913] 1389633826.409203: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633826.506049: Received answer from dgram X.X.X.X:88
[2913] 1389633826.550573: Response was not from master KDC
[2913] 1389633826.550610: Processing preauth types: 19
[2913] 1389633826.550618: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633826.550623: Produced preauth for next request: (empty)
[2913] 1389633826.550632: AS key determined by preauth: aes256-cts/4485
[2913] 1389633826.550688: Decrypted AS reply; session key is: aes256-cts/13A4
[2913] 1389633826.550706: FAST negotiation: available
[2913] 1389633826.550744: Initializing MEMORY:kadm5_0 with default princ esr/admin@DOMAIN.EDU
[2913] 1389633826.550753: Removing esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU from MEMORY:kadm5_0
[2913] 1389633826.550760: Storing esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU in MEMORY:kadm5_0
[2913] 1389633826.550770: Storing config in MEMORY:kadm5_0 for kadmin/ldap-master.domain.edu@DOMAIN.EDU: fast_avail: yes
[2913] 1389633826.550780: Removing esr/admin@DOMAIN.EDU -> krb5_ccache_conf_data/fast_avail/kadmin\/ldap-master.domain.edu\@DOMAIN.EDU@X-CACHECONF: from MEMORY:kadm5_0
[2913] 1389633826.550787: Storing esr/admin@DOMAIN.EDU -> krb5_ccache_conf_data/fast_avail/kadmin\/ldap-master.domain.edu\@DOMAIN.EDU@X-CACHECONF: in MEMORY:kadm5_0
[2913] 1389633826.575550: Getting credentials esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU using ccache MEMORY:kadm5_0
[2913] 1389633826.575589: Retrieving esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.575641: Creating authenticator for esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU, seqnum 982754712, subkey aes256-cts/33D5, session key aes256-cts/13A4
[2913] 1389633826.578730: Getting credentials esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU using ccache MEMORY:kadm5_0
[2913] 1389633826.578775: Retrieving esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.578816: Creating authenticator for esr/admin@DOMAIN.EDU -> kadmin/ldap-master.domain.edu@DOMAIN.EDU, seqnum 799315236, subkey aes256-cts/E55C, session key aes256-cts/13A4
EricR
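An added check, not part of the question or the answers, that decodes the size in the kadmind log line above: 2147484348 is the high bit plus 700, which is exactly what an ONC RPC record mark (the framing the kadmin protocol uses) looks like to a listener that reads a plain big-endian 4-byte Kerberos message length and compares it against its 1 MiB buffer cap. Reading that as the cause of this particular failure is my inference from the log, not something the thread establishes; the log line and the cap value are taken from the question, the rest is constructed.

```python
import re
import struct
from typing import Optional

RPC_LAST_FRAGMENT = 0x80000000      # RFC 5531 s.11: high bit of an RPC record mark
LOG_RE = re.compile(r"TCP client \S+ wants (\d+) bytes, cap is (\d+)")

def decode_length_prefix(header: bytes) -> dict:
    """Read a 4-byte TCP message prefix two ways.

    A Kerberos KDC/kpasswd TCP listener (RFC 4120 s.7.2.2) treats it as a plain
    big-endian length and rejects anything above its buffer cap. kadmin instead
    talks ONC RPC, whose record mark sets the high bit for "last fragment" and
    keeps the fragment length in the low 31 bits."""
    if len(header) != 4:
        raise ValueError("need exactly 4 bytes")
    raw = struct.unpack("!I", header)[0]
    return {
        "raw": raw,
        "rpc_last_fragment": bool(raw & RPC_LAST_FRAGMENT),
        "rpc_fragment_length": raw & (RPC_LAST_FRAGMENT - 1),
    }

def analyze_kadmind_log(line: str) -> Optional[dict]:
    """Pull 'wants N bytes, cap is M' out of a kadmind log line and report
    whether the rejected prefix parses as an RPC record mark rather than as a
    genuinely oversized Kerberos message. Returns None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    wanted, cap = int(m.group(1)), int(m.group(2))
    info = decode_length_prefix(struct.pack("!I", wanted))
    info["cap"] = cap
    info["over_cap"] = wanted > cap
    # High bit set and a modest low-31-bit length: the sender was speaking
    # ONC RPC (as kadmin does) to a listener expecting a plain length prefix.
    info["looks_like_rpc_record_mark"] = (
        info["rpc_last_fragment"] and info["rpc_fragment_length"] <= cap
    )
    return info

# Constructed sample input: the kadmind line from the question plus an unrelated one.
SAMPLE_LOG = [
    "Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 "
    "wants 2147484348 bytes, cap is 1048572",
    "Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(analyze_kadmind_log(entry))
```

If the check fires, the thing to verify is which kadmind port the client actually connected to (admin_server in krb5.conf and the kadmin port in kdc.conf), since a plain-length listener that rejects an RPC record mark means the client reached a non-RPC endpoint.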

2 Answers


First, the login does not succeed. You will always be prompted for a password regardless of whether the connection works or not. Second, Kerberos error messages are at best hints and at worst completely misleading.

To me it looks like the kadmin client is requesting the wrong service principal. See

http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html

Most kerberos kadmin sites that I have worked with use kadmin/admin for the kadmind service principal. You need to check in the kadmind setup to see what service principal it is using.

  • Ha. I've certainly noticed that about kerberos messages...often so bloody useless. Okay, I had judged that my login was successful by how it would work for correct password/not work for bad one. Anyway, you're right, `kadmin/admin` is the usual one, and it's in my principal list. However, I'm attempting to delegate authority to multiple other users. I've got my ACLs configured in such a way that they should be allowing that. (`*/admin@DOMAIN.EDU *`) I do not have/did not set the password for `kadmin/admin`. I don't know if that account has a password. I'm assuming it was `-randkey` – EricR Jan 08 '14 at 23:56

In my case a restart of the kadmin-service did the trick.

Right beforehand my kadmin did the exact same thing. All the other key-exchanging services worked fine. But I couldn't utilize kadmin (error number $?=141), but never had problems using kadmin.local

Falcon Momot
vinterkind
  • I've got to revise this post, because the restart just jumped to the working fallback server. It is still a SIGPIPE/EPIPE error. Any improvements so far @EricR? – vinterkind Apr 24 '14 at 08:30