# Error setting up Kerberos server - kadm5_create_principal unknown



## Farhan Khan (Oct 10, 2019)

Hi all,

I am exploring the world of Kerberos authentication, but running into an issue while trying to setup a server (not the KDC). Specifically, the following:


```
root@kerb-server:~ # kadmin
root/admin@EXAMPLE.ORG's Password:
kadmin> add --random-key host/kerb-server.example.org
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin: kadm5_create_principal: dbopen (/var/heimdal/heimdal): No such file or directory
kadmin: adding host/kerb-server.example.org: dbopen (/var/heimdal/heimdal): No such file or directory
```

Notice that it asks me to enter the password for root/admin@EXAMPLE.ORG. Also, notice that it fails to find the file /var/heimdal/heimdal. I have not set up an account for either of these two accounts on the KDC. On this same machine, when I run `kinit user0` and enter the valid password, I receive an authentication ticket, visible when I run `klist`. When I try to run `kadmin` on the server after this, I am prompted to enter the password for user0 (why again?), which I do, but it produces the same error:


```
root@kerb-server:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user0@EXAMPLE.ORG

  Issued                Expires               Principal
Oct  9 20:10:27 2019  Oct 10 06:10:27 2019  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
root@kerb-server:~ # kinit user0
user0@EXAMPLE.ORG'Password:
root@kerb-server:~ # kadmin
kadmin> add --random-key host/kerb-server.example.org
user0/admin@EXAMPLE.ORG's Password:
Max ticket life [unlimited]:   
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user0/admin@EXAMPLE.ORG's Password:
kadmin: kadm5_create_principal: Client (user0/admin@EXAMPLE.ORG)unknown
kadmin: adding host/kerb-server.example.org: Client (user0/admin@EXAMPLE.ORG) unknown
```

Notice that this time it does not ask me for the file /var/heimdal/heimdal. The only configuration I have done on the server side is copy the /etc/krb5.conf from the KDC machine. I am following the documentation here, section 13.5.2: https://www.freebsd.org/doc/handbook/kerberos5.html Is it out of date maybe?

What might be the cause of this? Did I skip a step somewhere? Please advise.


----------



## SirDice (Oct 10, 2019)

Did you init the database correctly? And are the kdc(8), kadmind(8) and kpasswdd(8) services running?


----------



## Farhan Khan (Oct 10, 2019)

The KDC jail has kdc(8) and kadmind(8) running and located in /etc/rc.conf, but not kpasswdd(8). However, it is not referenced in the documentation link I provided.
These services were initially not running on the server jail, but I went ahead and did so anyways without a change in behavior.


----------



## SirDice (Oct 11, 2019)

Farhan Khan said:


> However, it is not referenced in the documentation link I provided.


To be honest, last time I tried following it I noticed it was missing a whole lot. And it took me a lot of fiddling and googling to get it working. But, I also wanted to use an LDAP backend and there's even less information on how to do that. I've started over countless times. Basically it comes down to creating the master key, init the database, add your initial admin account, and then start all the services. Keep in mind that Kerberos only does authentication, there is NO user or group management, those are created either from the traditional UNIX files (passwd, group) or by using a backend like LDAP.


----------



## Farhan Khan (Oct 22, 2019)

I was more interested in learning Kerberos than an actual production use.

But in essence, the documentation is stale and needs to be updated? I'll put in a ticket.


----------



## PMc (Oct 23, 2019)

Farhan Khan said:


> Notice that it asks me to enter the password for root/admin@EXAMPLE.ORG.



That's correct. Per default, the principal used for administration is a special principal named myuser/admin. If you want to use the current user's regular principal for administration, invoke with `kadmin --principal=myuser`.


> Also, notice that it fails to find the file /var/heimdal/heimdal.



That should exist as /var/heimdal/heimdal.db. Question is, how did you set up the KDC ...

I got the thing working by following the doc in /usr/src/crypto/heimdal/doc/setup.texi, which should be the real documentation. (There are some more interesting files in that directory.)
I don't know where this is supposed to get installed to, if at all. That .texi stuff can be made readable with something like `texi2html`, contained in some teTeX package.

I'm not sure what to make of that handbook page; from my understanding, /etc/krb5.conf is for client machine configuration, while the KDC server uses /var/heimdal/kdc.conf. Also, to allow some principal to do administration, that principal should be mentioned in /var/heimdal/kadmind.acl.

There are some more creepy things to expect, e.g. unintelligible error messages. It also tends to do DNS queries with names like krb5-realm.localhost, and if the DNS does not provide a finite answer to these (that is, if it goes into SERVFAIL), kerberos will not work.


----------



## Farhan Khan (Nov 2, 2019)

Hey PMc,
I read what you wrote a few times, but I am not certain how to proceed with this? What does the error message mean? Please advise.


----------



## PMc (Nov 2, 2019)

Ah, You wrote:



Farhan Khan said:


> I am exploring the world of Kerberos authentication, but running into an issue while trying to setup a server (not the KDC).



If it is so, then I assume that You have already setup a working KDC, and it is running and operative.
But from these error messages, it might be assumed that files are lacking or bad in /var/heimdal. So You might consider that something went wrong with the foregoing setup of the KDC.
Therefore I suggest You consult the above mentioned .texi document for the KDC-setup and check if something is missing in Your installation.
For comparison - mine looks like this:

```
# ls -l /var/heimdal/
total 127
-rw-------  1 root  wheel  32768 Oct 23 16:07 heimdal.db
-rw-r--r--  1 root  wheel     26 Feb 27  2005 kadmind.acl
-rw-r--r--  1 root  wheel   1251 Mar  5  2005 kdc.conf
-rw-------  1 root  wheel  80251 Oct 23 16:07 log
-rw-------  1 root  wheel     72 Feb 27  2005 m-key
```

The /etc/krb5.conf (on any participant machine) may contain things like this:

```
[libdefaults]
        default_realm = MY.DOMAIN.ORG
        dns_lookup_realm = false
        ticket_lifetime = 2 days
        renew_lifetime = 7 days

[domain_realm]
        .my.domain.org = MY.DOMAIN.ORG
        my.domain.org = MY.DOMAIN.ORG

[realms]
        MY.DOMAIN.ORG = {
                kdc = kdc-host.my.domain.org:88
                admin_server = kdc-host.my.domain.org:749
                kpasswd_server = kdc-host.my.domain.org:464
        }

[logging]
        default = SYSLOG:INFO:AUTH
```

The /var/heimdal/kdc.conf (on the kdc server) may *additionally* contain this:

```
[kdc]
        database = {
                dbname = /var/heimdal/heimdal.db
                realm = MY.DOMAIN.ORG
                acl_file = /var/heimdal/kadmind.acl
                mkey_file = /var/heimdal/m-key
                log_file = /var/heimdal/log
        }
        require-preauth = true
        enable-kerberos4 = false
        enable_http = false
        kdc_warn_pwexpire = 1 month
        logging = SYSLOG:INFO:LOCAL2

[kadmin]
        require-preauth = true
```

But beware: it is a long time since I installed that, I do not remember which of these configs was really necessary or useful at all.


----------



## Farhan Khan (Nov 3, 2019)

I think I figured it out. I don't know where exactly, but it appears that the handbook is missing the step `kdb5_util create`.
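An added check, not from any post in this thread, that ties together PMc's /var/heimdal listing and the missing database-initialisation step: it verifies that the KDC data directory holds the files that listing shows, that the database and master key are not world-readable, and that the principal kadmin will authenticate as (root/admin@EXAMPLE.ORG in the original error) is actually granted rights in kadmind.acl. The paths, file names and principals are assumptions taken from the thread's own examples; the demo works on a constructed directory and never touches the real /var/heimdal.

```shell
#!/bin/sh
# Added example (not the thread's or Heimdal's own code). Assumed layout:
# /var/heimdal with heimdal.db, m-key, kadmind.acl, kdc.conf, as in PMc's post.

# check_heimdal_dir DIR: 0 if DIR holds the database, master key, ACL and
# kdc.conf with sane permissions; reports each problem and returns 1 otherwise.
check_heimdal_dir() {
    dir=$1
    bad=0
    for f in heimdal.db m-key kadmind.acl kdc.conf; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f (database never initialised?)" >&2
            bad=1
        fi
    done
    # The database and master key hold the realm's secrets: deny "other" read.
    for f in heimdal.db m-key; do
        if [ -f "$dir/$f" ] && [ "$(ls -ld "$dir/$f" | cut -c8)" != "-" ]; then
            echo "world-readable: $dir/$f" >&2
            bad=1
        fi
    done
    return $bad
}

# acl_allows ACLFILE PRINCIPAL: 0 if a non-comment line of kadmind.acl
# ("principal rights [target-pattern]") names PRINCIPAL with some rights.
acl_allows() {
    [ -f "$1" ] || return 1
    grep -v '^#' "$1" |
        awk -v p="$2" '$1 == p && $2 != "" { found = 1 } END { exit found ? 0 : 1 }'
}

# Demo on a constructed directory: only the ACL and kdc.conf exist, which is
# the state the thread's "dbopen ... No such file or directory" error suggests.
demo_dir=$(mktemp -d)
printf '# constructed sample ACL\nroot/admin@EXAMPLE.ORG all\n' > "$demo_dir/kadmind.acl"
: > "$demo_dir/kdc.conf"
check_heimdal_dir "$demo_dir" || echo "KDC directory incomplete: run the database init step first" >&2
acl_allows "$demo_dir/kadmind.acl" root/admin@EXAMPLE.ORG && echo "root/admin may administer"
acl_allows "$demo_dir/kadmind.acl" user0/admin@EXAMPLE.ORG || echo "user0/admin is not in the ACL"
rm -rf "$demo_dir"
```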


----------

