Hello,
I have problems setting up krb5 auth with the CTA Frontend. We have set up a CTA admin node called cta-adm.scd.rl.ac.uk where there’s the following Kerberos keytab
KVNO Timestamp Principal
3 01/01/70 01:00:00 HOST/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK
after doing:
kinit -kt ./cta-adm-HOST.keytab HOST/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK
I try to issue cta-admin commands on this host for the CTA Frontend running on cta-front01.scd.rl.ac.uk. The krb5 auth directive in the CTA Frontend xrootd config reads
sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK
sec.protbind * only sss krb5
where the contents of /etc/cta/cta-frontend.krb5.keytab are
KVNO Timestamp Principal
3 01/01/70 01:00:00 HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK
However, any attempt to issue cta-admin results in the following error in /var/log/cta/cta-frontend-xrootd.log
210513 13:58:45 32387 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal (p=HOST/cta-front01.scd.rl.ac.uk@FED.CCLRC.AC.UK)
Do you have any idea what is the problem?
Many thanks
George