


KDC policy rejects request while getting initial credentials

Hello List,

When I change the (fully patched 2003 SP1) KDC in krb5.conf to another
(fully patched 2003 SP1 :)  valid domain controller in our domain, I get:
KDC policy rejects request while getting initial credentials
if I do a "kinit myusername".

I can lock my account through this KDC with kinit if I type in the
wrong password 3 times, but I don't get a ticket.
My Windows colleague doesn't see anything like this in his logs.

Google returns 3 results :(

http://www.google.de/search?q=%22KDC+policy+rejects+request+while+getting+initial+credentials%22&hl=de&lr=&filter=0

Thanks for your help

Greets Jakob


mailto:jakob.jellbauer@interhyp.de | www.interhyp.de

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

12/8/2005 4:26:35 PM
comp.protocols.kerberos


Similar Articles:

Cannot contact any KDC for requested realm while getting initial credentials
Hi all, I'm having a very strange problem below that I cannot figure out. Any advice would be great to hear. First a block showing the problem, then a block showing that a different machine works perfectly fine (and others I've tested but not showing here for briefness). Basically, the master KDC, rcf-kdc1.foo.com, can't seem to do jack. ============================================================ rcf-kdc1# grep hosts /etc/nsswitch.conf hosts: files dns rcf-kdc1# rcf-kdc1# cat /etc/krb5.conf [libdefaults] default_realm = RCF.FOO.COM forwardable = yes ticket...

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia _...

Cannot resolve network address for KDC in requested realm while getting initial credentials
On Red Hat linux 2.4.9 krb5-devel-1.2.2-24 krb5-libs-1.2.2-24 krb5-server-1.2.2-24 krb5-workstation-1.2.2-24 running everything on the local host I can run kinit just fine: kinit test Password for test@host.COM: I can create a keytab file: kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5test test Entry for principal test with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. Entry for principal test with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. Howev...

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1....

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf;...
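
Review bot: the added `#ifndef LANL` / `#else /* LANL */` / `#ifndef _AIX` nesting in dnsglue.c declares `struct __res_state statbuf;` identically in two branches, and the AIX-specific path only takes effect when the site-specific `LANL` macro is defined, which the visible lines neither define nor document. From what is shown, a single `#ifndef _AIX` guard (or a configure-detected feature macro) around the declaration would express the same thing without the duplicate; the rest of the hunk is cut off, so the AIX branch itself cannot be reviewed here.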

pamkrbval: KDC policy rejects request for this entry
Hi, I am trying to get an HPUX 11i box to authenticate against our active directory (Windows 2003r2) domain with kerberos but I am getting nowhere fast. As per the docs I have, I have created a user account in active directory, then used "ktpass -princ host/unix_client.domain.host.com@DOMAIN.HOST.COM -mapuser unix_lient -pass <pass> -out c:\krb5.keytab" The keytab looks fine when I used ktutil, but I cannot do a kinit... I keep getting "KDC policy rejects request for this entry" I am guessing this is more of a Windows/AD config issue, but thought someone here might...

validating keytab files: Cannot find KDC for requested realm while getting initial credentials
I am able to validate (test) keytab files for service1/host1.us.foo.com@FOO.COM and service2/host2.us.foo.com@FOO.COM using the command "kinit -5 -k -t keytab-file service-principal" from host1.us.foo.com, but when I try to validate a keytab file for service3/host3.au.foo.com@FOO.COM from host1.us.foo.com I get the following error: kinit(v5): Cannot find KDC for requested realm while getting initial credentials krb5.conf says: [realms] FOO.COM = { kdc = ...foo.com:88 ... } [domain_realm] .foo.com = FOO.COM Is this behavior expected? Do I need to be "...

kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
Hi! I have set up a kerberos server srv.example.com. This server has address 192.168.180.30. Address resolution works fine on the server and client: srv.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointer srv.example.com. # host client client.example.com has address 192.168.180.6 # host 192.168.180.6 6.180.168.192.in-addr.arpa domain name pointer client.example.com # client.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointe...

kerberos and Windows 2008R2
Hello Kerberos List, I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server. I've created a user on windows and used the ktpass to generate the Kerberos keytab: C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab I did make sure that "User Kerberos DES encryption types for this account" was checked. First I was getting: root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_...

Re: validating keytab files: Cannot find KDC for requested realm while getting initial credentials
Adding "dns_lookup_kdc = true" to the [libdefaults] section of krb5.conf seems to fix the problem. Frank ...

Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials
Hi! I want to set up a Windows 2008R2 server as an AD with a KDC to obtain krb5 tickets and later on obtain OpenAFS tokens with these tickets. Our setup: running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc on it. User, service principal afs for OpenAFS, works good so far. I added a second server with Windows 2008R2, added 2nd server to the AD domain and raised 2nd server as AD server. I set on the Win 2008R2: - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value 1 at HKLM\SYSTEM\Curren...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_op...

Password incorrect while getting initial credentials
Hello, I am receiving a "kint(v5): Password incorrect while getting initial credentials" error after entering a password in response to a prompt following a kinit command (kinit user/my.domain@MY.REALM). I know that I am entering the correct password. The database seems to be fine; I can get a ticket as root through: kinit -k -t /etc/krb5.keytab user/my.domain@MY.REALM I am wondering if this could have anything to do with a preauthentication requirement. My KDC.conf has a default principal flag of +preauth. Does this flag require any preliminary steps to authenticate before (or during) kinit? May there be anything else that I am missing? Thanks a lot. Angus Atkins-Trimnell

kinit: Preauthentication failed while getting initial credentials
Hello, I am trying to connect from Ubuntu (Kerberos) to an Active Directory (Windows 2008), but I am having problems. Technical details: Domain: NAME1.NAME2.COM My krb5.conf default = FILE:/var/log/krb5lib.log [libdefaults] ticket_lifetime = 24000 default_realm = NAME1.NAME2.COM [realms] NAME1.NAME2.COM = { kdc = dcwindows admin_server = dcwindows default_domain = NAME1.NAME2.COM } [domain_realm] ..name1.name2.com = NAME1.NAME2.COM name1.name2.com = NAME1.NAME2.COM When I try to run: kinit -V Administrador@NAME1.NAME2.COM and enter the password correctly, it gives me...

KRB5 error code 52 while getting initial credentials
Hello all, I am Sunil C. I have a domain named xx.com which has a KDC. I also have a domain co.yy where my server is. There is no KDC in it. Users are in the xx.com domain, but my servers are in the (co.yy) domain. I had set up a test scenario with a user and a server in domain (xx.com). Since the KDC was set up, I got a ticket and was able to authenticate well using Kerberos. My issue is that all my production servers are in domain (co.yy), which doesn't have a KDC. I want to authenticate and use the server services in that domain. Setting up a KDC is not feasible in both domains for me. Now I have done s...

newbie: error getting credentials: Server not found in Kerberos database
Hi! I never found the time to deal intensively with kerberos so please indulge me if this is ought to be a stupid question: kinit works. krsh does not: krsh server error getting credentials: Server not found in Kerberos database trying normal rlogin (/usr/bin/rlogin) So, this is what I did so far: server: /etc/krb5.conf: [libdefaults] default_realm = LOCALDOMAIN [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCAL...

kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
Hi, there, I set up a MIT Kerberos 5 master kdc on a pc in a private domain. I have /etc/hosts mapping hostname of the pc to its ip address and /etc/krb5.conf pointing kdc to the host name, which i believe correctly set. The problem is that, I can do kadmin.local but I just couldn't do kadmin. It always complains: kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface kinit with no parameters reports the similar error: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials but kinit works if I supply a principal from anot...

kinit: Key table entry not found while getting initial credentials
Hi Kerberos experts, could anyone help me in addressing this issue since I am a T-O-T-A-L newbie in Kerberos. I have to retrieve kerberos credential in Solaris 5.8 (SEAM 1.0.1) using a windows2003 Active Directory as KDC, and I am compelled to use the credential of a user different from Solaris' user. Let's say I work with user appadm on Solaris and user domuser@resource.corp in AD. AD administrator generated a keytab for my Solaris user in this way: Ktpass -princ kerberos/domuser.resource.corp@RESOURCE.CORP -mapuser domuser -pass [passwd of domuser] -out domuser.keytab and gave ...

Getting Kerberos ticket to extract user credentials in my site for login
Hi, I am new to Kerberos and just want to know that how can I get the user credentials from Kerberos service ticket in my application for login purpose. I want to implement Kerberos in such a way that my Active Directory user does not need to login to the my site and user just sends the request from browser and my site takes the Kerberos service ticket from the user in HTTP header and logs in the user automatically by getting the credentials from the Kerberos ticket and user accesses the site. Please do tell me that it can be done or not, if possible then how can I do it. Thanks in advance...

kinit: KRB5 error code 52 while getting initial credentials
I'm getting the following error on a Solaris 8 machine: kinit: KRB5 error code 52 while getting initial credentials So far my analysis shows this error to indicate the following: 0x34 - KRB_ERR_RESPONSE_TOO_BIG - Too much data According to a number of forums, some inherent limitations exist with the Solaris 8 version of Kerberos concerning the number of group memberships a user may have. In my Active Directory, each user is a member of possibly many groups. To confirm this, I created a simple user with only membership to "Domain Users" and was able t...
