Kerberos auth by CTA Frontend fails

Hello,

I have problems setting up krb5 auth with the CTA Frontend. We have set up a CTA admin node called cta-adm.scd.rl.ac.uk where there’s the following Kerberos keytab

KVNO Timestamp Principal
3 01/01/70 01:00:00 HOST/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK

after doing:
kinit -kt ./cta-adm-HOST.keytab HOST/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK

I try to issue cta-admin commands on this host for the CTA Frontend running on cta-front01.scd.rl.ac.uk. The krb5 auth directive in the CTA Frontend xrootd config reads

sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK
sec.protbind * only sss krb5

where the contents of /etc/cta/cta-frontend.krb5.keytab are

KVNO Timestamp Principal
3 01/01/70 01:00:00 HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK

However, any attempt to issue cta-admin results in the following error in /var/log/cta/cta-frontend-xrootd.log

210513 13:58:45 32387 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal (p=HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK)

Do you have any idea what is the problem?

Many thanks

George

Apologies, this was not related to the CTA config but to Kerberos. Apparently, the directive “canonicalize = true” in the [libdefaults] section of /etc/krb5.conf on the CTA admin node converted the admin principal name to something that CTA can understand as a CTA admin username (cta-adm-host), which after being added to the DB could issue admin commands to the Frontend.
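
A triage check for the situation in this thread, added here as an example and not part of the original posts or of CTA: it reads a krb5.conf for the [libdefaults] canonicalize setting and pulls the Seckrb5 failure and its principal out of a frontend log. The function names, the sample config, the second log line and the accepted boolean spellings are assumptions.

```python
import re

# Spellings treated as "true" (assumed to match MIT krb5); anything else counts as false here.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample config, not copied from a real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FED.CCLRC.AC.UK
    ; canonicalize = false
    canonicalize = true
[realms]
    FED.CCLRC.AC.UK = {
        kdc = kdc.example.invalid
    }
"""

# First line is the error quoted in the post; the second line is constructed.
SAMPLE_LOG = """\
210513 13:58:45 32387 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal (p=HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK)
210513 13:59:02 32387 XrootdXeq: constructed line unrelated to authentication
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{6} \d\d:\d\d:\d\d) \d+ XrootdXeq: User authentication failed; "
    r"Seckrb5: (?P<reason>.*?)\s*\(p=(?P<principal>[^)]+)\)\s*$")

def libdefaults_flag(conf_text, key, default=False):
    """Boolean value of `key` at the top level of [libdefaults]; first match wins."""
    section, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif line.startswith("}"):               # end of a { ... } subsection
            depth = max(depth - 1, 0)
        elif line.endswith("{"):                 # start of a { ... } subsection
            depth += 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == key:
                return value.strip().lower() in TRUE_WORDS
    return default

def krb5_auth_failures(log_text):
    """(timestamp, reason, principal) for every Seckrb5 authentication failure."""
    return [(m["ts"], m["reason"], m["principal"])
            for line in log_text.splitlines() if (m := FAIL_RE.match(line))]

if __name__ == "__main__":
    print("canonicalize:", libdefaults_flag(SAMPLE_KRB5_CONF, "canonicalize"))
    for failure in krb5_auth_failures(SAMPLE_LOG):
        print(failure)
```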