I updated my master key for my Kerberos 5 server following the MIT Kerberos 5 instructions. I restarted the kdc and kadmind services and used krb5-prop to push the changes to the other servers.
Now I am unable to connect with kadmin from any server, including the admin server:
$kadmin
Authenticating as principal jacob/[email protected] with password.
Password for jacob/[email protected]:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
From my searching I've found that a common reason for this is time syncronization issues, but the machines are matching within a second and it fails even from the server running kadmind.
I'm not sure how to troubleshoot this. My version of kadmind doesn't have any kind of debug argument or verbose logging level that I've found. I've tried running it from the command line with -nofork and it's very quiet there.
The password is accepted. I can kinit as the target principle and if I type the password wrong it tells me.
kadmin: Incorrect password while initializing kadmin interface
If The kadmind service isn't running it also gives a different error.
kadmin: Communication failure with server while initializing kadmin interface
I didn't test kadmin just before updating the master password, but I've used it recently and no other configuration changes have been made. I've tried checking my key version numbers (kvno) and they appear to be correct.
What else could be causing this? Where else can I check? How can I debug kadmind?
Debian 8, krb5-admin-server 1.12.1.