


Help: Cannot contact any KDC for requested realm

Hi,

I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /opendcim>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms FOOBAR.COM
  KrbVerifyKDC On
  Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
  require valid-user
</Location>

And here's /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FOOBAR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }

[domain_realm]
 foobar.com = FOOBAR.COM
 .foobar.com = FOOBAR.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

foobar.com is a pseudo domain name in my testing env. When the user
accesses foobar.com/opendcim it will prompt a username and password
window. However, after the user's input it will prompt that window again.
I checked the log in ssl_error_log and found the following details.

[Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
krb5_get_init_creds_password() failed: Cannot contact any KDC for
requested realm

But user can get his principal in the server by kinit w/o any issue.

Any idea?

Thanks.

Eric
Lee
6/24/2013 1:26:46 PM
comp.protocols.kerberos
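
Added example, not part of the original post: with dns_lookup_kdc = false, the kdc entries under [realms] are the only KDC addresses the Kerberos library will try, so this sketch extracts them for the realm and attempts a TCP connection to each. The function names are hypothetical, the embedded krb5.conf is an excerpt of the one posted above, and it assumes you run it under the same account as the Apache workers; it checks TCP only (KDC traffic may also use UDP port 88) and does not handle bracketed IPv6 addresses.

```python
import re
import socket

# krb5.conf excerpt copied from the post above (FOOBAR.COM is the poster's test realm).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = FOOBAR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }
"""

def kdcs_for_realm(conf_text, realm):
    """Return [(host, port)] from the realm's kdc= lines in [realms]."""
    section, current, found = None, None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif section == "realms" and line.endswith("{"):
            current = line.split("=", 1)[0].strip()  # realm block opens
        elif line == "}":
            current = None                           # realm block closes
        elif section == "realms" and current == realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "kdc":
                host, _, port = value.partition(":")
                found.append((host, int(port or 88)))  # 88 is the default KDC port
    return found

def probe(kdcs, timeout=3.0, connect=socket.create_connection):
    """Try a TCP connect to each KDC; return {(host, port): 'ok' or error text}."""
    results = {}
    for host, port in kdcs:
        try:
            connect((host, port), timeout).close()
            results[(host, port)] = "ok"
        except OSError as exc:  # covers DNS failure (socket.gaierror), refusal, timeout
            results[(host, port)] = f"{type(exc).__name__}: {exc}"
    return results

if __name__ == "__main__":
    for target, status in probe(kdcs_for_realm(SAMPLE_KRB5_CONF, "FOOBAR.COM")).items():
        print(target, status)
```

A result that differs between an interactive shell and the web server's account points at something specific to that process context rather than at krb5.conf itself.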