AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Hi list,

kinit (krb5 1.4.2) on an AIX 5.3 gives me
# /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf 
and foobar.keytab to AIX 5.3. The following steps don't differ from the 
steps I did under Linux.

# ./configure --without-krb4 --enable-shared
# make && make install

Using gcc 3.3.2.
I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far 
as I see it is fixed in 1.4.2.

My krb5.conf looks like this:
[libdefaults]
         default_realm = EXAMPLE.NET
         clockskew = 300

[realms]
         EXAMPLE.NET = {
                 kdc = foo.example.net:88
                 admin_server = foo.example.net:749
                 default_domain = example.net
                 kpasswd_server = foo.example.net
         }

[domain_realm]
         .example.net = EXAMPLE.NET
         example.net = EXAMPLE.NET

[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log

[appdefaults]
         pam = {
                 ticket_lifetime = 1d
                 renew_lifetime = 1d
                 forwardable = true
                 proxiable = false
                 retain_after_close = false
                 minimum_uid = 0
                 debug = false
         }

Trying to analyze with tcpdump, I see DNS queries for A, AAAA, and AAAA with 
my domain name doubled - and then the same again from the beginning.
The A record is answered correctly, the AAAA can't be (no IPv6).

13:00:09.595177 10.20.30.56.41629 > bar.example.net.domain: [udp sum ok] 
  65423+ A? foo.example.net. (34) (ttl 30, id 30399, len 62)
13:00:09.595729 bar.example.net.domain > 10.20.30.56.41629: [udp sum ok] 
  65423* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net 
ns: example.net. NS bar.example.net., example.net. NS bar2.example.net. 
ar: bar.example.net. A bar.example.net, bar2.example.net. A 
bar2.example.net (128) (ttl 30, id 35101, len 156)
13:00:09.597500 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok] 
  65424+ AAAA? foo.example.net. (34) (ttl 30, id 30400, len 62)
13:00:09.597886 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok] 
  65424* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA 
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) 
(ttl 30, id 35102, len 115)
13:00:09.597928 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok] 
  65425+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30401, len 70)
13:00:09.598273 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok] 
  65425 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: 
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 
259200 86400 (95) (ttl 30, id 35103, len 123)
13:00:09.600003 10.20.30.56.41631 > bar.example.net.domain: [udp sum ok] 
  65426+ A? foo.example.net. (34) (ttl 30, id 30402, len 62)
13:00:09.600473 bar.example.net.domain > 10.20.30.56.41631: [udp sum ok] 
  65426* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net 
ns: example.net. NS bar2.example.net., example.net. NS bar.example.net. 
ar: bar.example.net. A bar.example.net, bar2.example.net. A 
bar2.example.net (128) (ttl 30, id 35104, len 156)
13:00:09.602076 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok] 
  65427+ AAAA? foo.example.net. (34) (ttl 30, id 30403, len 62)
13:00:09.602478 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok] 
  65427* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA 
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) 
(ttl 30, id 35105, len 115)
13:00:09.602520 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok] 
  65428+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30404, len 70)
13:00:09.602894 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok] 
  65428 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: 
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 
259200 86400 (95) (ttl 30, id 35106, len 123)

Up to here, Linux contacts my KDC, AIX 5.3 not. "Cannot resolve network 
address for KDC..."

Did I miss something?

cheers,
Christoph
cwei (25)
11/8/2005 7:12:27 PM
comp.protocols.kerberos

In article <dkqtao$ur0$05$1@news.t-online.com>,
 Christoph Weizen <cwei@gmx.net> wrote:

> kinit (krb5 1.4.2) on an AIX 5.3 gives me
> # /usr/local/bin/kinit -k -t foobar.keytab 
> foobar/foo.example.net@EXAMPLE.NET
> kinit(v5): Cannot resolve network address for KDC in requested realm 
> while getting initial credentials
> 
> From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf 
> and foobar.keytab to AIX 5.3. The following steps don't differ from the 
> steps I did under Linux.
> 
> # ./configure --without-krb4 --enable-shared
> # make && make install
> 
> Using gcc 3.3.2.
> I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far 
> as I see it is fixed in 1.4.2.

I don't know what's in that patch.  Does it look like you
already have applied something like this?

   Donn Cave, donn@u.washington.edu
-----------------------------------
*** include/fake-addrinfo.h.dist        Wed Jun  1 12:24:32 2005
--- include/fake-addrinfo.h     Fri Aug 12 09:10:48 2005
***************
*** 1193,1199 ****
         a known service name for tcp or udp (as appropriate), an error
         code (for "host not found") is returned.  If the port maps to a
         known service for both udp and tcp, all is well.  */
!     if (serv && serv[0] && isdigit(serv[0])) {
        unsigned long lport;
        char *end;
        lport = strtoul(serv, &end, 10);
--- 1193,1208 ----
         a known service name for tcp or udp (as appropriate), an error
         code (for "host not found") is returned.  If the port maps to a
         known service for both udp and tcp, all is well.  */
!     /*
!     **
!     **  However, where AI_NUNERICSERV is defined (AIX 5) and was 
specified,
!     **  this is unneeded and and broken - "discard" is not numeric.
!     */
!     if (serv && serv[0]
! #ifdef AI_NUMERICSERV
!              && !(hint->ai_flags & AI_NUMERICSERV)
! #endif
!              && isdigit(serv[0])) {
        unsigned long lport;
        char *end;
        lport = strtoul(serv, &end, 10);
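Review bot: In the new condition, `hint->ai_flags` is read without checking `hint`, so unless this wrapper has already replaced a null hints pointer before line 1193, a caller that passes no hints would crash here; writing the test as `!(hint && (hint->ai_flags & AI_NUMERICSERV))` would make it safe. The added comment spells the macro "AI_NUNERICSERV" and repeats "and and", and because it only calls the workaround "unneeded", it would help to say outright that a numeric service string is passed through unchanged when the flag is set. Separately, `isdigit(serv[0])` is given a plain `char`; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f.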
Donn
11/8/2005 8:23:31 PM
Donn Cave wrote:
> I don't know what's in that patch.  Does it look like you
> already have applied something like this?

No, I haven't already applied something like this.
But now, I did - and it works (great). - Thanks a lot!

Maybe it should be implemented in further versions? I can't see similar 
code in 1.4.3beta2.

cheers,
Christoph
cwei (25)
11/8/2005 10:43:04 PM
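
The failure discussed in this thread, reduced to a small C program; this is an added example, not code from the thread or from krb5. `wrapped_lookup` is a hypothetical model of the workaround that the patch comments describe (a numeric service string swapped for the named service "discard", with the real port filled in afterwards), and 127.0.0.1 with `AI_NUMERICHOST` is an assumption chosen so that the program needs no DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/*
 * Hypothetical wrapper (not krb5 code) modelling the workaround.
 * patched == 0: original condition, every numeric service string is
 *               replaced by "discard" before calling getaddrinfo().
 * patched == 1: condition from the patch, the string is left alone when
 *               the caller set AI_NUMERICSERV.
 * Returns the getaddrinfo() result code; *port_out is the resolved port
 * in host byte order, or -1 on failure.
 */
static int wrapped_lookup(const char *host, const char *serv,
                          const struct addrinfo *hint,
                          int patched, int *port_out)
{
    struct addrinfo *res = NULL;
    unsigned long lport = 0;
    int substituted = 0;
    int rc;

    *port_out = -1;
    if (serv && serv[0] && isdigit((unsigned char)serv[0])
        && !(patched && hint && (hint->ai_flags & AI_NUMERICSERV))) {
        char *end;
        lport = strtoul(serv, &end, 10);
        if (*end != '\0' || lport > 65535)
            return EAI_NONAME;
        serv = "discard";          /* named service, not a number */
        substituted = 1;
    }

    rc = getaddrinfo(host, serv, hint, &res);
    if (rc != 0)
        return rc;                 /* with AI_NUMERICSERV, "discard" is rejected */

    if (res->ai_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
        if (substituted)
            sin->sin_port = htons((unsigned short)lport);
        *port_out = ntohs(sin->sin_port);
    }
    freeaddrinfo(res);
    return 0;
}

/* Resolve 127.0.0.1:88 over UDP the way a KDC lookup with a fixed port would.
 * Returns the port on success, -1 if the lookup failed. */
static int lookup_port(int use_numericserv, int patched)
{
    struct addrinfo hint;
    int port = -1;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_socktype = SOCK_DGRAM;
    hint.ai_flags = AI_NUMERICHOST | (use_numericserv ? AI_NUMERICSERV : 0);
    if (wrapped_lookup("127.0.0.1", "88", &hint, patched, &port) != 0)
        return -1;
    return port;
}

int main(void)
{
    /* Caller sets AI_NUMERICSERV, wrapper still substitutes "discard". */
    printf("AI_NUMERICSERV, original check: port %d\n", lookup_port(1, 0));
    /* Caller sets AI_NUMERICSERV, wrapper skips the substitution. */
    printf("AI_NUMERICSERV, patched check:  port %d\n", lookup_port(1, 1));
    /* No AI_NUMERICSERV: result depends on "discard" being in the
     * local services database. */
    printf("no flag, original check:        port %d\n", lookup_port(0, 0));
    return 0;
}
```

A result of -1 in the first case with 88 in the second is the same pattern as the thread: the name resolves, but the service lookup fails, and the caller only sees a resolution error.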