kadmin interface not working - immediately closes connection

So far I’ve been doing most of the administration for kerberos with kadmin.local, however, I’m trying to migrate over to using the remote kadmin as it would be better practice and all.

What I’m seeing is this:

esr@cpt2:~$ kadmin -p 'esr/admin'
Authenticating as principal esr/admin with password.
Password for esr/[email protected]: 
esr@cpt2:~$

i.e.,login happens perfectly, but the connection is immediately closed.

On the server side:

Jan 08 12:51:02 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: NEEDED_PREAUTH: esr/[email protected] for kadmin/[email protected], Additional pre-authentication required
Jan 08 12:51:05 00-kdc krb5kdc[9729](info): AS_REQ (4 etypes {18 17 16 23}) X.X.X.X: ISSUE: authtime 1389207065, etypes {rep=18 tkt=18 ses=18}, esr/[email protected] for kadmin/[email protected]

==> /var/log/krb5kdc/kadmin.log <==
Jan 08 12:51:05 00-kdc kadmind[9720](Error): TCP client X.X.X.X.41541 wants 2147484348 bytes, cap is 1048572
Jan 08 12:51:05 00-kdc kadmind[9720](info): closing down fd 333

the error wants 2147484348 bytes, cap is 1048572 immediately jumped out at me, but it’s proving incredibly tough to track down. I found http://krbdev.mit.edu/rt/Ticket/Display.html?id=3923 but that seems to have been resolved ages ago.

Additionally, I’m using

Package: krb5-admin-server
Version: 1.10+dfsg~beta1-2ubuntu0.3
Package: krb5-kdc
Version: 1.10+dfsg~beta1-2ubuntu0.3

Client connection trace:

esr$ KRB5_TRACE=/dev/stdout kadmin
Authenticating as principal esr/[email protected] with password.
[2913] 1389633823.366797: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633823.366900: Getting initial credentials for esr/[email protected]
[2913] 1389633823.367196: Setting initial creds service to kadmin/[email protected]
[2913] 1389633823.367314: Sending request (199 bytes) to DOMAIN.EDU
[2913] 1389633823.367417: Resolving hostname ldap-master.domain.edu
[2913] 1389633823.367562: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633823.371591: Received answer from dgram X.X.X.X:88
[2913] 1389633823.410550: Response was not from master KDC
[2913] 1389633823.410581: Received error from KDC: -1765328359/Additional pre-authentication required
[2913] 1389633823.410619: Processing preauth types: 136, 19, 2, 133
[2913] 1389633823.410636: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633823.410640: Received cookie: MIT
Password for esr/[email protected]:
[2913] 1389633826.379096: AS key obtained for encrypted timestamp: aes256-cts/4485
[2913] 1389633826.409058: Encrypted timestamp (for 1389633826.408987): plain <snip>
[2913] 1389633826.409100: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2913] 1389633826.409105: Produced preauth for next request: 133, 2
[2913] 1389633826.409123: Sending request (294 bytes) to DOMAIN.EDU
[2913] 1389633826.409142: Resolving hostname ldap-master.domain.edu
[2913] 1389633826.409203: Sending initial UDP request to dgram X.X.X.X:88
[2913] 1389633826.506049: Received answer from dgram X.X.X.X:88
[2913] 1389633826.550573: Response was not from master KDC
[2913] 1389633826.550610: Processing preauth types: 19
[2913] 1389633826.550618: Selected etype info: etype aes256-cts, salt "DOMAIN.EDUesradmin", params ""
[2913] 1389633826.550623: Produced preauth for next request: (empty)
[2913] 1389633826.550632: AS key determined by preauth: aes256-cts/4485
[2913] 1389633826.550688: Decrypted AS reply; session key is: aes256-cts/13A4
[2913] 1389633826.550706: FAST negotiation: available
[2913] 1389633826.550744: Initializing MEMORY:kadm5_0 with default princ esr/[email protected]
[2913] 1389633826.550753: Removing esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0
[2913] 1389633826.550760: Storing esr/[email protected] -> kadmin/[email protected] in MEMORY:kadm5_0
[2913] 1389633826.550770: Storing config in MEMORY:kadm5_0 for kadmin/[email protected]: fast_avail: yes
[2913] 1389633826.550780: Removing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: from MEMORY:kadm5_0
[2913] 1389633826.550787: Storing esr/[email protected] -> krb5_ccache_conf_data/fast_avail/kadmin/[email protected]@X-CACHECONF: in MEMORY:kadm5_0
[2913] 1389633826.575550: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.575589: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.575641: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 982754712, subkey aes256-cts/33D5, session key aes256-cts/13A4
[2913] 1389633826.578730: Getting credentials esr/[email protected] -> kadmin/[email protected] using ccache MEMORY:kadm5_0
[2913] 1389633826.578775: Retrieving esr/[email protected] -> kadmin/[email protected] from MEMORY:kadm5_0 with result: 0/Success
[2913] 1389633826.578816: Creating authenticator for esr/[email protected] -> kadmin/[email protected], seqnum 799315236, subkey aes256-cts/E55C, session key aes256-cts/13A4