


"Cannot contact any KDC for requested realm" when using ldapsearch

I'm trying to configure Kerberos authentication with OpenLDAP.  kinit
appears to work fine.  However, I get this when using ldapsearch:

        $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
        SASL/GSSAPI authentication started
        ldap_sasl_interactive_bind_s: Local error (-2)
        	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for requested realm)

krb5kdc.log has entries like this in it:

        Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin@ENDOFRAME.NET for kadmin/rail.endoframe.net@ENDOFRAME.NET, Server not found in Kerberos database
        Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin@ENDOFRAME.NET for kadmin/admin@ENDOFRAME.NET
        Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
        Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET

Obviously, the first one there looks rather suspicious.  But even after
adding (and ktadd'ing) that principal:

        kadmin:  listprincs
        K/M@ENDOFRAME.NET
        braden/admin@ENDOFRAME.NET
        braden@ENDOFRAME.NET
        host/rail.endoframe.net@ENDOFRAME.NET
        kadmin/admin@ENDOFRAME.NET
        kadmin/changepw@ENDOFRAME.NET
        kadmin/history@ENDOFRAME.NET
        kadmin/localhost@ENDOFRAME.NET
        kadmin/rail.endoframe.net@ENDOFRAME.NET
        krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
        ldap/ldap.endoframe.net@ENDOFRAME.NET
        root/admin@ENDOFRAME.NET

… I still get the above entry in the log file.

My krb5.conf looks like this:

        # cat /etc/krb5.conf
        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log
        
        [libdefaults]
         default_realm = ENDOFRAME.NET
         dns_lookup_realm = true
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true
        
        [realms]
         ENDOFRAME.NET = {
          admin_server = kerberos.endoframe.net
          kdc = kerberos.endoframe.net
          master_kdc = kerberos
          default_domain = endoframe.net
         }
        
        [domain_realm]
         .endoframe.net = ENDOFRAME.NET
         endoframe.net = ENDOFRAME.NET

"rail" is the name of the machine; "kerberos" and "ldap" are aliases for
it.  These names appear to be resolving correctly:

        [root@rail braden]# ping rail.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.153 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.084 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.084 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=6 ttl=64 time=0.085 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        6 packets transmitted, 6 received, 0% packet loss, time 5000ms
        rtt min/avg/max/mdev = 0.084/0.096/0.153/0.025 ms
        [root@rail braden]# ping kerberos.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.126 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.086 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.113 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.086 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        5 packets transmitted, 5 received, 0% packet loss, time 3999ms
        rtt min/avg/max/mdev = 0.085/0.099/0.126/0.018 ms
        [root@rail braden]# ping ldap.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.123 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.083 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.081 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.119 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.085 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        5 packets transmitted, 5 received, 0% packet loss, time 4000ms
        rtt min/avg/max/mdev = 0.081/0.098/0.123/0.019 ms

So, where should I be looking to resolve this issue?

-- 
Braden McDaniel <braden@endoframe.com>


braden (7)
2/27/2012 5:38:32 AM
comp.protocols.kerberos
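
As an added example (not part of the original post), the krb5kdc.log lines quoted above can be split into request type, status, client and requested service principal, so that refused requests stand out from issued tickets. The input is the four log lines from the post; the function names are illustrative.

```python
import re
from collections import Counter

# The four krb5kdc.log lines quoted in the post above.
SAMPLE_LOG = """\
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin@ENDOFRAME.NET for kadmin/rail.endoframe.net@ENDOFRAME.NET, Server not found in Kerberos database
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin@ENDOFRAME.NET for kadmin/admin@ENDOFRAME.NET
Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET
"""

# "<REQ> (<etype list>) <client address>: <STATUS>: <details>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?P<rest>.*)$"
)
# "<client principal> for <service principal>"; the service ends at a comma or space.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")
AUTHTIME_RE = re.compile(r"authtime (\d+)")


def parse_kdc_line(line):
    """Return a dict for one AS_REQ/TGS_REQ log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"req": m["req"], "addr": m["addr"], "status": m["status"],
           "client": None, "server": None, "authtime": None}
    p = PRINC_RE.search(m["rest"])
    if p:
        rec["client"], rec["server"] = p["client"], p["server"]
    a = AUTHTIME_RE.search(m["rest"])
    if a:
        rec["authtime"] = int(a.group(1))  # seconds since the epoch
    return rec


def summarize(lines):
    """Count requests per (req, status, client, server); repeated lines collapse."""
    recs = (parse_kdc_line(l) for l in lines)
    return Counter((r["req"], r["status"], r["client"], r["server"]) for r in recs if r)


def failures(lines):
    """Records whose status is not ISSUE, i.e. requests the KDC did not answer with a ticket."""
    recs = (parse_kdc_line(l) for l in lines)
    return [r for r in recs if r and r["status"] != "ISSUE"]


if __name__ == "__main__":
    for (req, status, client, server), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n}x {req:7} {status:17} {client} -> {server}")
    for r in failures(SAMPLE_LOG.splitlines()):
        print("refused:", r["server"], "requested by", r["client"], "from", r["addr"])
```
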
