
kerberos@mit.edu • 8 May 2012 • 3:09PM -0400

RE: Streamlining host principal keytab provisioning?
by Sebastian Galiano


Ok, I misunderstood the KEYTAB_PRINCIPAL parameter; now I've changed it to user@REALM, which is the principal I gave permissions to.

Just in case, I renewed the ticket of user@realm and then:

$wallet create keytab nfs/host.domain.org
wallet: keytab object implementation not configured

Remctld output:

remctld: child 2479 for  xxx.xxx.xxx.xxx
remctld: received context token (size=649)
remctld: sending context token (size=156)
remctld: accepted connection from user@REALM (protocol 2)
remctld: argc is 4
remctld: arg 1 has length 6
remctld: arg 2 has length 6
remctld: arg 3 has length 6
remctld: arg 4 has length 29
remctld: COMMAND from user@REALM: wallet create keytab nfs/host.domain.org
remctld: quit received, closing connection
remctld: child 2479 done
________________________________________
From: Russ Allbery [rra@stan...]
Sent: 08 May 2012 09:01
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos@mit....
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano@spil...> writes:

> Ok this is my wallet.conf at the wallet client:

> $KEYTABFILE= '/home/USER/krb5.test';

$KEYTAB_FILE, I assume.

> $KEYTAB_KRBTYPE= 'MIT';
> $KEYTAB_PRINCIPAL= 'host.domain.org';

Usually this has a slash in it somewhere.  Are you sure that's the name
of the Kerberos principal you created for wallet to use to authenticate to
kadmin?

> Now I cannot create  more admin users:

> $wallet acl add ADMIN krb5  host.domain.org@REALM
> wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Ticket expire

Is the error message right?  Have your local Kerberos tickets expired?
What does klist say?

--
Russ Allbery (rra@stan...)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit....
https://mailman.mit.edu/mailman/listinfo/kerberos
