Cannot resolve network address for KDC in requested realm while getting initial credentials

On Red Hat Linux 2.4.9
krb5-devel-1.2.2-24
krb5-libs-1.2.2-24
krb5-server-1.2.2-24
krb5-workstation-1.2.2-24
running everything on the local host

I can run kinit just fine:

kinit test
Password for test@host.COM:

I can create a keytab file:

kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5test test
Entry for principal test with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test.
Entry for principal test with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test.

However, I can't kinit using this keytab file:

[root@host/var/kerberos/krb5kdc]$ kinit -k kadm5test
kinit(v5): Cannot resolve network address for KDC in requested realm
while getting initial credentials

klist shows:

[root@bde-idm3 /var/kerberos/krb5kdc]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@BDE-IDM3.US.ORACLE.COM

Valid starting     Expires            Service principal
01/20/05 14:53:59  01/21/05 00:53:59      krbtgt/HOST.COM@HOST.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

A secondary problem is now the password seems to have been changed
after creating the keytab, and I can no longer kinit (without the
keytab):

[root@host /var/kerberos/krb5kdc]$ kinit test
Password for test@host.US.ORACLE.COM:
kinit(v5): Password incorrect while getting initial credentials

For testing purposes I'm using my hostname as my realm name.  I've
tried logging in as root and as test, but get the same result.

1/20/2005 11:06:39 PM

In article <1106262399.697619.93400@f14g2000cwb.googlegroups.com>,
 David.Moor@oracle.com wrote:

> kinit test
> Password for test@host.COM:
....
> However, I can't kinit using this keytab file:
> 
> [root@host/var/kerberos/krb5kdc]$ kinit -k kadm5test
> kinit(v5): Cannot resolve network address for KDC in requested realm
> while getting initial credentials

In the course of this message you don't show the same
realm twice, for a total of four different realms
(host.COM is not the same realm as HOST.COM.)  If that's
really the case, I believe it could account for the error
shown above.  You may find some details on this in the
KDC syslog.

The kadmin function that populates a keytab does create
a new key version, so the old one is no longer valid for
new ticket requests.  That's normally a feature.  If you
want to store the key for a typeable password in a keytab,
I believe you can use ktutil for this.

   Donn Cave, donn@u.washington.edu

> klist shows:
> 
> [root@bde-idm3 /var/kerberos/krb5kdc]$ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: test@BDE-IDM3.US.ORACLE.COM
> 
> Valid starting     Expires            Service principal
> 01/20/05 14:53:59  01/21/05 00:53:59      krbtgt/HOST.COM@HOST.COM
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> A secondary problem is now the password seems to have been changed
> after creating the keytab, and I can no longer kinit (without the
> keytab):
> 
> [root@host /var/kerberos/krb5kdc]$ kinit test
> Password for test@host.US.ORACLE.COM:
> kinit(v5): Password incorrect while getting initial credentials
> 
> For testing purposes I'm using my hostname as my realm name.  I've
> tried logging in as root and as test, but get the same result.
>
Donn
1/21/2005 5:17:12 PM
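
The realm mismatch described in the reply above can be checked mechanically. The following Python is an added example, not part of the original thread: it takes the principals exactly as they appear in the transcript, groups realms that differ only by case, and lists realms with no kdc entry in a krb5.conf. The krb5.conf text is constructed for illustration, and the check assumes static [realms] lookup only (no DNS SRV discovery).

```python
import re
from collections import defaultdict

# Constructed krb5.conf for illustration; only HOST.COM has a kdc entry.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HOST.COM

[realms]
    HOST.COM = {
        kdc = host.com:88
        admin_server = host.com:749
    }

[domain_realm]
    .host.com = HOST.COM
"""

# Principals as they appear in the kinit prompts and klist output above.
SEEN = [
    "test@host.COM",
    "test@BDE-IDM3.US.ORACLE.COM",
    "krbtgt/HOST.COM@HOST.COM",
    "test@host.US.ORACLE.COM",
]


def realms_with_kdc(conf_text):
    """Return realm names in [realms] that list at least one kdc.

    Simplified parser: expects 'REALM = {' on one line and one
    relation per line, which is the usual krb5.conf layout.
    """
    realms, section, current = set(), None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            current = m.group(1)
        elif line == "}":
            current = None
        elif current and re.match(r"kdc\s*=\s*\S", line):
            realms.add(current)
    return realms


def realm_of(principal):
    """The realm is the text after the last '@', compared case-sensitively."""
    return principal.rsplit("@", 1)[1]


def diagnose(principals, conf_text):
    """Report distinct realms, case-only variants, and realms lacking a kdc."""
    configured = realms_with_kdc(conf_text)
    seen = sorted({realm_of(p) for p in principals})
    by_fold = defaultdict(set)
    for realm in seen:
        by_fold[realm.upper()].add(realm)
    return {
        "distinct_realms": seen,
        "case_variants": sorted(
            sorted(v) for v in by_fold.values() if len(v) > 1
        ),
        "no_kdc_configured": [r for r in seen if r not in configured],
    }


if __name__ == "__main__":
    for key, value in diagnose(SEEN, SAMPLE_KRB5_CONF).items():
        print(f"{key}: {value}")
```
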
Sorry,  version pasted wasn't edited properly.  There were some other
errors which I fixed.  I seem to have narrowed the problem down.  kinit
-k  is finding the AD domain controller which created the keytab.  It
is, however, using the wrong principal.   If I do a kinit -k
ADhost.keytab

strace on the RedHat 2.4.9 system shows:

ethereal protocol KRB5  AS-REQ
Kerberos
Version: 5
MSG Type: AS-REQ
Request
Options: 0000000000
Client Name: ADhost.keytab
Type: Principal
Name: ADhost.keytab
Realm: ADDOMAIN.COM
Server Name: krbtgt
Type: Unknown
Name: krbtgt
Name: ADDOMAIN.COM
Start Time: 2005-01-31 21:21:33 (Z)
End Time: 2005-02-01 07:21:33 (Z)
Random Number: 1107206493
Encryption Types
Type: des3-cbc-sha1
Type: des-cbc-md5
Type: des-cbc-crc
Addresses
Type: IPv4
Value: 165.2.18.5

Kerberos
Version: 5
MSG Type: KRB-ERROR
stime: 2005-01-31 21:26:39 (Z)
susec: 349682
Error Code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
realm: ADDOMAIN.COM
sname: krbtgt
Type: Unknown
Name: krbtgt
Name: ADDOMAIN.COM

So it is taking the keytab file name for some reason for the principal
name.  I tried renaming ADhost.keytab ADhost, but now I get a
segmentation fault.

d_moor (2)
1/31/2005 11:42:20 PM