Kerberos auth by CTA Frontend fails


I have problems setting up krb5 auth with the CTA Frontend. We have set up a CTA admin node called where there’s the following Kerberos keytab

KVNO Timestamp Principal

3 01/01/70 01:00:00 HOST/

after doing:
kinit -kt ./cta-adm-HOST.keytab HOST/

I try to issue cta-admin commands on this host for the CTA Frontend running on The krb5 auth directive in the CTA Frontend xrootd config reads

sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab HOST/
sec.protbind * only sss krb5

where the contents of /etc/cta/cta-frontend.krb5.keytab are

KVNO Timestamp Principal

3 01/01/70 01:00:00 HOST/

However, any attempt to issue cta-admin results in the following error in /var/log/cta/cta-frontend-xrootd.log

210513 13:58:45 32387 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal (p=HOST/

Do you have any idea what the problem is?

Many thanks


Apologies, this was not related to the CTA config but to Kerberos. Apparently, the directive "canonicalize = true" in the [libdefaults] section of /etc/krb5.conf on the CTA admin node converted the admin principal name to something that CTA can understand as a CTA admin username (cta-adm-host), which, after being added to the DB, could issue admin commands to the Frontend.
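
The log text "No translation available for requested principal" is the Kerberos library's error when a principal cannot be mapped to a local user name. The following is an added example, not part of the original thread and not CTA or XRootD code: a simplified Python model of MIT krb5's documented `auth_to_local` DEFAULT and RULE behaviour, showing why a two-component host principal fails that mapping by default. The realm, hostnames and the rule shown are constructed for illustration.

```python
import re

class NoTranslation(Exception):
    """Models the error 'No translation available for requested principal'."""

def parse_principal(principal):
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def default_rule(components, realm, default_realm):
    # DEFAULT applies only to a one-component principal in the default realm.
    if len(components) == 1 and realm == default_realm:
        return components[0]
    return None

def make_rule(n, template, regexp, sub=None):
    """Simplified RULE:[n:template](regexp)s/pat/repl/; $0 is the realm, $1.. the components."""
    def rule(components, realm, default_realm):
        if len(components) != n:
            return None                      # rule is for a different component count
        parts = [realm] + components
        selected = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], template)
        if not re.fullmatch(regexp, selected):
            return None                      # selection string rejected by the rule
        return re.sub(sub[0], sub[1], selected, count=1) if sub else selected
    return rule

def aname_to_localname(principal, default_realm, rules):
    components, realm = parse_principal(principal)
    for rule in rules:                       # first applicable rule wins
        local = rule(components, realm, default_realm)
        if local:
            return local
    raise NoTranslation(principal)

if __name__ == "__main__":
    REALM = "EXAMPLE.ORG"                                  # constructed realm
    host_princ = "HOST/cta-adm.example.org@EXAMPLE.ORG"    # constructed principal
    print(aname_to_localname("ctaadmin@EXAMPLE.ORG", REALM, [default_rule]))
    try:
        aname_to_localname(host_princ, REALM, [default_rule])
    except NoTranslation as exc:
        print("No translation available for requested principal:", exc)
    # Constructed explicit mapping for the host principal, tried before DEFAULT.
    host_rule = make_rule(2, "$1/$2@$0", r"HOST/cta-adm\.example\.org@EXAMPLE\.ORG",
                          sub=(".*", "cta-adm-host"))
    print(aname_to_localname(host_princ, REALM, [host_rule, default_rule]))
```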