


AD KDC - msktutil - krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

Hi,

I have this error (see subject) when using msktutil. Any idea what's
wrong with my setup?
(I've replaced hostnames and OU structure)

/etc/krb5.conf (part)
==========
[libdefaults]
 default_realm = EXAMPLE.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.ORG = {
  default_domain = msnet.railb.be
  kdc = ictdc01.example.org
  admin_server = ictdc01.example.org
  admin_keytab = FILE:/etc/krb5.keytab
 }

[domain_realm]
 .example.org = EXAMPLE.ORG
example.org = EXAMPLE.ORG



msktutil --create -h tstweb01 -b "OU=Linux Servers" --server ictdc01 --verbose

 -- init_password: Wiping the computer password structure
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-fbUui1
 -- reload: Reloading Kerberos Context
 -- get_short_hostname: Determined short hostname: tstweb01
 -- finalize_exec: SAM Account Name is: tstweb01$
 -- try_machine_keytab_princ: Trying to authenticate for tstweb01$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/tstweb01.example.org from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for tstweb01$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: ictdc01 try_tls=YES
 -- ldap_connect: Connecting to LDAP server: ictdc01 try_tls=NO
SASL/GSSAPI authentication started
SASL username: sys_msktutil@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=ORG
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/udandom = 86
 -- ldap_check_account: Checking that a computer account for tstweb01$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000

 -- ldap_check_account: Found supportedEncryptionTypes = 28

 -- ldap_check_account: Found dNSHostName = tstweb01.example.org

 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
1/11/2012 6:44:21 AM
comp.protocols.kerberos
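
The step that fails in the log above is the password change, which the Kerberos library sends to a kpasswd server on port 464 rather than to the KDC port used by the earlier ticket requests. As an added example (not part of the original post and not msktutil code), this Python script reads a krb5.conf and lists, in order, where that server would be looked up; the function names are illustrative, the lookup order is the one the MIT krb5 documentation gives for `kpasswd_server`, and the poster's own file is used as input because the temporary krb5.conf msktutil generated is not shown on the page.

```python
import re

# Input: the [libdefaults]/[realms] fragment from the post (ticket options omitted).
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.ORG = {
  default_domain = msnet.railb.be
  kdc = ictdc01.example.org
  admin_server = ictdc01.example.org
  admin_keytab = FILE:/etc/krb5.keytab
 }
"""
KPASSWD_PORT = 464  # password-change service; the KDC itself listens on 88


def parse_krb5_conf(text):
    """Return {scope: {key: [values]}}; realm blocks use scope 'realms/REALM'."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            realm = m.group(1)
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            scope = f"{section}/{realm}" if realm else section
            conf.setdefault(scope, {}).setdefault(m.group(1), []).append(m.group(2))
    return conf


def kpasswd_lookup_plan(text, realm):
    """Ordered (source, target) steps used to find the password-change server."""
    conf = parse_krb5_conf(text)
    block = conf.get(f"realms/{realm}", {})
    plan = []
    for value in block.get("kpasswd_server", []):
        host, _, port = value.partition(":")
        plan.append(("kpasswd_server", f"{host}:{port or KPASSWD_PORT}"))
    if plan:
        return plan  # an explicit kpasswd_server is used as listed
    # Assumption: dns_lookup_kdc defaults to true when the key is absent.
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1].lower()
    if dns in ("true", "yes", "on", "1", "y", "t"):
        plan.append(("dns-srv", f"_kpasswd._udp.{realm}"))
    for value in block.get("admin_server", []):
        # Last resort: admin_server's host with the port replaced by 464.
        plan.append(("admin_server", f"{value.partition(':')[0]}:{KPASSWD_PORT}"))
    return plan


if __name__ == "__main__":
    for source, target in kpasswd_lookup_plan(KRB5_CONF, "EXAMPLE.ORG"):
        print(f"{source:15} {target}")
```

For the posted configuration the plan is a DNS SRV query for `_kpasswd._udp.EXAMPLE.ORG` followed by `ictdc01.example.org:464`, so that record and reachability of port 464 from the client are the two things this output points at for checking.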