kerberos and Windows 2008R2
Hello Kerberos List, I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 se= rver. I've created a user on windows and used the ktpass to generate the Kerberos= keytab: C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.= COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype K= RB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab I did make sure that "User Kerberos DES encryption types for this account" = was checked. First I was getting: root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host= /jc1lqaldap.testdomain.com kinit: KDC has no support for encryption type while getting initial credent= ials So I've checked "Do not require Kerberos preauthentication" and I get: root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host= /jc1lqaldap.testdomain.com kinit: Key table entry not found while getting initial credentials Where should that key table entry be located ? I cannot go forward with this. Is there a way to get more verbose logging s= o I can troubleshoot this. Klist root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- ----------------------------------------------------= ---- 12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES c= bc mode with RSA-MD5) Cat /etc/krb5.conf [logging] default =3D FILE...

kinit: Key table entry not found while getting initial credentials #2
Hello newsgroup, We followed the instructions on http://grolmsnet.de/kerbtut/ kinit -k -t /etc/apache2/httpotrskeytab OTRS/ server.test.local@TEST.LOCAL produces the following error: kinit: Key table entry not found while getting initial credentials we are using mit kerberos 1.9.1 on sles10 we created the keytabfile on windows 2008 r2 server with the following command: ktpass -princ OTRS/server.test.local@TEST.LOCAL -mapuser httpotrs@TEST.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass secretpassword -out c:\temp\httpotrskeytab we copied the file to the linux server to /etc/apache2 directory manual ticket creation works fine: server:/ # kinit OTRS/server.test.local Password for OTRS/server.test.local@TEST.LOCAL: server:/ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: OTRS/server.test.local@TEST.LOCAL Valid starting Expires Service principal 06/07/11 13:40:15 06/07/11 23:40:15 krbtgt/TEST.LOCAL@TEST.LOCAL renew until 06/08/11 13:40:15 server:/ # kvno OTRS/server.test.local@TEST.LOCAL OTRS/server.test.local@TEST.LOCAL: kvno =3D 11 any ideas what went wrong with our installation? G=FCnter g� <guenter.huerkamp@gmail.com> writes: > Hello newsgroup, > > We followed the instructions on http://grolmsnet.de/kerbtut/ > > > kinit -k -t /etc/apache2/httpotrskeytab OTRS/ > server.test.local@TEST.LOCAL > produces the following error: > kinit: Key table entry not found while getting initial credenti...

kprop: Key table entry not found while getting initial ticket
I try to take good notes so that I can reproduce my problems and successes. This week is the first time I have ever touched kerberos. I am using Red Hat ES3 and the default rpms. The short of it: kdb5_util dump /var/kerberos/krb5kdc/dump kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net kprop: Key table entry not found while getting initial ticket Now what? My guess is that I am not asking for the correct ticket for kpropd. A normal inetd.conf entry would be: krb5_prop stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd My thinking is that the second kpropd is my principal. However, my xinetd entry does not. I have tried it both ways so am sending everything I have to the list. I have also changed my logging from the basic stuff in RH to: kdc = SYSLOG:INFO:LOCAL1 admin_server = SYSLOG:INFO:LOCAL2 hoping I would get more debug information, but no dice. I have googled, read the docs in /usr/share/doc/krb5-server/ and done this twice. I am very frustrated and would appreciate any help. # cat /etc/xinetd.d/krb5_prop # 2004-01-27 Jud Bishop # description: kpropd is the propagation daemon for Kerberos service krb5_prop { flags = KEEPALIVE socket_type = stream wait = no user = root server = /usr/kerberos/sbin/kpropd # server = /usr/kerberos/sbin/kpropd kpropd # server_args = kpropd enable = yes } How I got here: Make sure you have NT...

aklog:Key table entry not found while getting AFS tickets
I an trying to automatically obtain the AFS tokens upon login on a Mac 10.2.6 system. I have successfully configured the kerberos v5 and the OpenAFS 1.2.10 clients. I can login with kerberos and successfully verify its ticket with the klist command. I can also execute klog, obtain an AFS token and sucessfully access my AFS space. However, if I login with kerberos and try to execute "aklog", I receive the following messages: aklog: Couldn't get asu.edu AFS tickets: aklog:Key table entry not found while getting AFS tickets Any ideas on how to resolve this problem? Thanks! James ...

Problem with kerberos working correct due to 2 Domains gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)
Hi guys, I'm working about 3 days at this problem and I can't fix it and now I have no more ideas: Customers environment: Windowsdomain with DC where all Users are: contoso.local Sless11 for Webapplication is in a domain: contoso.lan (this is not a Windowsdomain - just the server is configured for this And thats the problem. I don't know - how to manage these two domains. URL to access to the Webapplication is: When I now try to access from a Windowsmachine wich is in the Domain contoso.local at URL http://sless11.contoso.lan/webapp there comes a 401 from the apach...

Key table entry not found
Hello, I'm setting up a test KDC running on Solaris 9. The version I'm running is 5.1.3.1. I have successfully installed and setup my KDC server. I have tested it out on RH9 and everything is working there, as in being authenticated and such. I'm now trying to get kerberos authentication to work on another Solaris 9 box. But am running into problems. On the Solaris 9 box I have modified the pam.conf file to kerberos, copied the krb5.conf file from my kdc and ran kadmin as follows kadmin - admin/admin : ktadd host/machine_name.domain : quit When I tried to telnet into the system I got denied, the message in /var/adm/messages on the client box said something about "Bad encryption type". I found on the web to do ktadd the following: kadmin -p admin/admin : ktremove host/machine_name.domain : ktadd -e des-cbc-crc:normal host/machine_name.domain : quit This got rid of the "Bad encryption type" error, but I am now getting the following error in the messages file: "Key table entry not found". I don't know if this is saying that its not finding the machine keytab or my UID on the KDC server? Does anyone have any help here? Thanks... ------------------------------------------------------------------------ --------------------------- C. J. Keist Email: cj.keist@engr.colostate.edu UNIX/Network Manager Phone: 970-491-0630 Engineering Network ...

Key table entry not found #3
Hi the list, I have two servers. One hosting a kerberos master and ldap master (server.lan) , one other hosting a kerberos slave and ldap replica (replica.lan). Kerberos is used by ldap for authentication SASL/GSSAPI. The kerberos realm is SERVER.LAN. All was running. But since some time, i get error messages with ldapsearch command. With the debug activated, i get the following message of ldapsearch: server:~ admin$ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan .... res_errno: 80, res_error:<SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)>, res_matched:<> .... (Remark : As information i provide the entire debug at the end of this message) Because of the message "keytable entry not found", i tried to use kadmin and check if principle with root exists. But by using kadmin i get now this message : server:~ admin$ kadmin -proot@SERVER.LAN Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied Authenticating as principalroot@SERVER.LAN with password. Password forroot@SERVER.LAN: kadmin: Communication failure with server while initializing kadmin interface server:~ admin$ I check the logfile owner, group owner, and permission. Then i compared with one other kerberos server. Permission and owner was different. I set permission identically. But nothing was changed. With kadmin.local i checked androot@SERVER.LAN exists in the list. ...

key table entry not found #2
Hello , I have Virtual Network configured to use Kerberos authentication.The setup is as follows: Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com; Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com; Windows XP Prof. (client) (FQDN) zdravko.lab.com; They are in the DNS lookup zone.I create one test user account for accessing the client machine under given domain(lab.com).The user name is "achimtest1" and its password never expires,and it's not going to be prompted for changing.After that I create one "dummy" user which will be used for SPN(service principal name mapping to it).It's called "http-test" and the same flags are used as in "achimtest1" user + one more:"This account supports AES 256 bit encryption".I continued with creating the keytab file: c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http-test@lab.com/pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST /out http-test.keytab the keytab is successfully created and I have checked it with the following command:c:\>setspn -L http-test->I have the service principal name:HTTP/ debian.lab.com registered to it.I copy the "http-test.keytab" file via pscp to the Debian box in /etc/apache2/keytab/ directory.In /etc/hosts file in Debian I've deleted "127.0.0.1" line and replaced it with:"192.168.100.103 debian.lab.com debian";192.168.100.103 is the linux box's IP. In /etc/resolf...

Key table entry not found-this time with Heimdal
Hello, this is the same setup like in my previous post from this month,but this time I'm using heimdal-clients.I have removed all of the MIT packages that I have installed: krb5-user,krb5-clients. I have Virtual Network configured to use Kerberos authentication.The setup is as follows: Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com; Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com; Windows XP Prof. (client) (FQDN) zdravko.lab.com; [Windows Server 2008 Settings] They are in the DNS lookup zone.I create one test user account for accessing the client machine under given domain(lab.com).The user name is "zdravko1" and its password never expires,and it's not going to be prompted for changing.After that I create one "dummy" user which will be used for SPN(service principal name mapping to it).It's called "http" and the same flags are used as in "zdravko1": -User cannot change password; -Password never expires; -This account supports AES 256 bit encryption; I continued with creating the keytab file: c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM <http://lab.com/> /mapuser http@LAB.COM /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab Keytab version: 0x502 keysize 78 HTTP/debian.lab.com@LAB.COM <http://lab.com/> ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......) The keytab is successfully created and I have checke...

gss-server: Key table entry not found
Hi, I cannot get gss-server worked. I have tried adding (using addprinc and ktadd) different combinations of name/host (klist -k confirms the successful addition) but still getting the same error: key table entry not found. Can you please tell me what entry it is looking for and how to resolve the problem? If you need any information about my system in order to help, kindly let me know. Thanks in advance. Regards, David. ...

kinit: Preauthentication failed while getting initial credentials
Hola, estoy intentando conectarme desde Ubuntu (Kerberos) a un drectorio activo (Windows 2008) , pero tengo problemas. Datos Tecnicos: Dominio: NAME1.NAME2.COM Mi krb5.conf default =3D FILE:/var/log/krb5lib.log [libdefaults] ticket_lifetime =3D 24000 default_realm =3D NAME1.NAME2.COM [realms] NAME1.NAME2.COM =3D { kdc =3D dcwindows admin_server =3D dcwindows default_domain =3D NAME1.NAME2.COM } [domain_realm] ..name1.name2.com =3D NAME1.NAME2.COM name1.name2.com =3D NAME1.NAME2.COM Cuando intento hacer: kinit -V Administrador@NAME1.NAME2.COM e ingreso la contrase=F1a correctamente me arroja: kinit: Preauthentication failed while getting initial credentials Todo el problema inicio cuando reinstale el Windows 2008 Nuevamente desde otro CD, no se si el problema es el Windows o la configuracion del Kerberos. Saludos. 2011/5/19 JODACAME <jodacame@gmail.com>: > Cuando intento hacer: > kinit -V Administrador@NAME1.NAME2.COM > e ingreso la contraseña correctamente me arroja: > > kinit: Preauthentication failed while getting initial credentials > > > Todo el problema inicio cuando reinstale el Windows 2008 Nuevamente > desde otro CD, no se si el problema es el Windows o la configuracion > del Kerberos. Acaso re-instalaste y _re-creaste_ el dominio de Active Directory? Podés re-instalar, pero tenés que recuperar los datos del dominio de tus backups. Nico -- Hello. Are you sure that the admin user isn't called administ...

kinit: KRB5 error code 52 while getting initial credentials
I'm getting the following error on a Solaris 8 machine: kinit: KRB5 error c= ode 52 while getting initial credentials=20 =20 So far my analysis shows this error to indicate the following: 0x34 - KRB_E= RR_RESPONSE_TOO_BIG - Too much data=20 =20 According to a number of forums, some inheriant limitations exist with the = Solaris 8 version of Kerberos concerning the number of group memberships a = user may have. In my Active Directory, each user is a member of possibly m= any groups. To confirm this, I created a simple user with only membership = to "Domain Users" and was able to run kinit without issue. Also, I seen a number of forums reporting that the native version of Kerber= os in Solaris 8 does not support TCP. Apparently by default, once the pack= age size of a Kerberos ticket reaches a specified max, TCP should be used. =20 I have the following Kerberos packages loaded: SUNWk5pk kernel Kerbe= ros V5 plug-in w/auth+privacy (32-bit) SUNWk5pkx kernel Kerberos V5 p= lug-in w/auth+privacy (64-bit) SUNWk5pu user Kerberos V5 gss mechani= sm w/auth+privacy (32-bit) SUNWk5pux user Kerberos V5 gss mechanism w= /auth+privacy (64-bit)=20 =20 Are updated packages for Kerberos available for Solaris 8 environments that= can handle support for Kerberos over TCP and having a large number of grou= p memberships? _________________________________________________________________ Local listings, incredible imagery, and driving directions - all in...

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

newbie: error getting credentials: Server not found in Kerberos database
Hi! I never found the time to deal intensively with kerberos so please indulge me if this is ought to be a stupid question: kinit works. krsh does not: krsh server error getting credentials: Server not found in Kerberos database trying normal rlogin (/usr/bin/rlogin) So, this is what I did so far: server: /etc/krb5.conf: [libdefaults] default_realm = LOCALDOMAIN [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log /etc/hosts: 127.0.0.1 localhost 192.168.0.2 server server.localdomain real hostname is actually *not* "server"! kadmin.local: addprinc foo client: /etc/krb5.conf [libdefaults] ticket_lifetime = 600 default_realm = LOCALDOMAIN default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [kdc] profile = /etc/krb5kdc/kdc.conf [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FI...

"Key table entry not found while verifying ticket for server"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig07FDE7C699B5FF20AD258797 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Just added a new system tonight to our Kerberos realm, and was getting the following error when ksu'ing: "ksu: Key table entry not found while verifying ticket for server" Tried Googling for the error to no avail; what is the meaning of this error and how do I clear it? Best Wishes - Peter --=20 Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" --------------enig07FDE7C699B5FF20AD258797 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iD8DBQFGtXWzPtVx9OgEjQgRAve6AJ97hWoo/FDyvCC27oHOamy1UiN6TQCfbcjm 8b550EYBPn8jKX8rHMDtmME= =znqF -----END PGP SIGNATURE----- --------------enig07FDE7C699B5FF20AD258797-- ...

kinit: KRB5 error code 52 while getting initial credentials #2
I'm getting the following error on a Solaris 8 machine: kinit: KRB5 error code 52 while getting initial credentials So far my analysis shows this error to indicate the following: 0x34 - KRB_ERR_RESPONSE_TOO_BIG - Too much data According to a number of forums, some inheriant limitations exist with the Solaris 8 version of Kerberos concerning the number of group memberships a user may have. In my Active Directory, each user is a member of possibly many groups. To confirm this, I created a simple user with only membership to "Domain Users" and was able to run kinit without issue. Also, I seen a number of forums reporting that the native version of Kerberos in Solaris 8 does not support TCP. Apparently by default, once the package size of a Kerberos ticket reaches a specified max, TCP should be used. I have the following Kerberos packages loaded: SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit) SUNWk5pkx kernel Kerberos V5 plug-in w/auth+privacy (64-bit) SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit) SUNWk5pux user Kerberos V5 gss mechanism w/auth+privacy (64-bit) Are updated packages for Kerberos available for Solaris 8 environments that can handle support for Kerberos over TCP and having a large number of group memberships? _________________________________________________________________ Local listings, incredible imagery, and driving directions - all in one place! Find it! http://maps.live.com/...

ssh gssapi-with-mic and "Key table entry not found"
Hi, I'm trying to get ssh working using gssapi-with-mic authentication. I have about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4 mounts with "krb5p" security. All these machines mount the same NFSv4 share (think home directories) so my users need to be able to forward their TGT around.) What I'm ultimately running into is sshd complaining "Key table entry not found" on *most* of the servers---a random handful work, and I can't figure out how the working ones are different. So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using gssapi-with-mic authentication. Here's the output of trying to ssh: [matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11 OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to lnxsvr11 [192.168.187.67] port 22. debug1: Connection established. debug1: identity file /mnt/home/matt/.ssh/identity type -1 debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1 debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1 debug1: loaded 3 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 debug1: match: OpenSSH_4.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version st...

RE: kinit: KRB5 error code 52 while getting initial credentials
Thanks for the update Will. I'll look into Solaris 10...> Date: Mon, 9 Jul= 2007 15:43:48 -0500> From: William.Fiveash@sun.com> To: rfbass16@hotmail.c= om> CC: kerberos@mit.edu> Subject: Re: kinit: KRB5 error code 52 while gett= ing initial credentials> > On Wed, Jul 04, 2007 at 05:56:56PM +0000, Ron Ba= ss II wrote:> > > > I'm getting the following error on a Solaris 8 machine:= kinit: KRB5> > error code 52 while getting initial credentials > > > > So = far my analysis shows this error to indicate the following: 0x34 -> > KRB_E= RR_RESPONSE_TOO_BIG - Too much data > > > > According to a number of forums= , some inheriant limitations exist with> > the Solaris 8 version of Kerbero= s concerning the number of group> > memberships a user may have. In my Acti= ve Directory, each user is a> > member of possibly many groups. To confirm = this, I created a simple> > user with only membership to "Domain Users" and= was able to run kinit> > without issue. Also, I seen a number of forums re= porting that the> > native version of Kerberos in Solaris 8 does not suppor= t TCP.> > Apparently by default, once the package size of a Kerberos ticket= > > reaches a specified max, TCP should be used.> > Support for TCP in Sola= ris Kerberos was introduced in Solaris 10.> > > I have the following Kerber= os packages loaded: SUNWk5pk kernel> ...

kinit(v5): KRB5 error code 68 while getting initial credentials
I have a huge Problem. Im trying to install a SSO for our Intranet-Webserver (Apache 2.0.55) on a SuSE Linux 10.0. Ist running very fine. But we have some Computers, which are NOT Part of the Active Directory Domain, so there the sso doesnt work. If the paste their Usernames into the Auth-Box (firstname.lastname@persona.de) it doesnt work. But the Useraccount exists in the AD. If they paste the real username (e.g. firstname.lastname@KONZERN.INTERN) it works fine. The problem: The user dont Know his real AD-Name. He knows just hier emailadress (firstname.lastname@persona.de) Anyone a solution? My krb5.conf "[libdefaults] default_realm = KONZERN.INTERN clockskew = 300 [realms] KONZERN.INTERN = { kdc = w2kroot.konzern.intern default_domain = konzern.intern admin_server = w2kroot } persona.de = { kdc = w2kroot.konzern.intern default_domain = konzern.intern admin_server = w2kroot } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log [domain_realm] .konzern.intern = KONZERN.INTERN [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 ...

RE: kinit: KRB5 error code 52 while getting initial credentials #2
Any chance the Kerberos libs from Solaris 10 can port back to Solaris 8? So= me limitations have arisen such that an upgrade to Solaris 10 is not possi= ble yet. Is there any way to patch the Solaris 8 Kerberos??? =20 Thanks Ron > Date: Wed, 11 Jul 2007 11:42:49 -0500> From: William.Fiveash@sun.com> To:= rfbass16@hotmail.com> CC: William.Fiveash@sun.com; kerberos@mit.edu> Subje= ct: Re: kinit: KRB5 error code 52 while getting initial credentials> > On W= ed, Jul 11, 2007 at 01:10:19AM +0000, Ron Bass II wrote:> > > > Thanks for = the update Will. I'll look into Solaris 10...> > Note that there have been = a number of updates (some security related)> released for Solaris 10 so mak= e sure you get the latest bits.> > -- > Will Fiveash> Sun Microsystems Inc.= > Austin, TX, USA (TZ=3DCST6CDT) _________________________________________________________________ Local listings, incredible imagery, and driving directions - all in one pla= ce! Find it! http://maps.live.com/?wip=3D69&FORM=3DMGAC01= ...

error : kinit(v5) : KRB5 error code 52 while getting initial credentials
Hello all, i am Sunil C. i have a domain named xx.com which has a KDC. i also have a domain co.yy where my server is. there is no KDC in it. users are in xx.com domain. but my servers are in (co.yy) domain. i had set up a test scenario with a user and a server in domain (xx.com). since KDc was setup i got ticket and was able to authenticate well using kerberos. my issue is that all my production servers are in domain (co.yy) which doesnt have a KDC. i want to authenticate and use the server services in that domain. setting up KDC is not feasible in both domains for me. now i have done some configuration in krb5.conf file on my server (test.co.yy) [domain_realm] xx.com = XX.COM ..xx.com = XX.COM co.yy = XX.COM ..co.yy = XX.COM this shows that my domain co.yy which doesnnot have a KDC , i have mapped it to the realm XX.COM . now i have some issues. 1) i tried to get a keytab from the KDC of XX.COM ( my server in co.yy) > ktpass -princ HTTP/test.co.yy@XX.COM 2) i somehow managed to get a keytab . i copied into Apache folder and executed the command. kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM password: xxxx error : kinit(v5) : KRB5 error code 52 while getting initial credentials Please help me understand what is this error.. is it some issue with domain mapping configuration in krb5.conf file? i am using kerberos 1.2.7 version. Thanks in advance Sunil C Sunil Chandrasekharan wrote: > Hello all, > i am Sunil C. i have a domain named...

kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
Hi! I have set up a kerberos server srv.example.com. This server has address 192.168.180.30. Address resolution works fine on the server and client: srv.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointer srv.example.com. # host client client.example.com has address 192.168.180.6 # host 192.168.180.6 6.180.168.192.in-addr.arpa domain name pointer client.example.com # client.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointer srv.example.com. # host client client.example.com has address 192.168.180.6 # host 192.168.180.6 6.180.168.192.in-addr.arpa domain name pointer client.example.com # Now from the server: # kinit user kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials and from the client: # kinit user kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials I am a bit lost what's going on here. In /etc/krb5.conf I have: [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = true dns_lookup_realm = true # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true [realms] EXAMPLE.COM = { k...

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1.4.2. My krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.NET clockskew = 300 [realms] EXAMPLE.NET = { kdc = foo.example.net:88 admin_server = foo.example.net:749 default_domain = example.net kpasswd_server = foo.example.net } [domain_realm] .example.net = EXAMPLE.NET example.net = EXAMPLE.NET [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Trying to analyze with tcpdump I s...

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf; + #else /* _AIX */ + struct { struct __res_state s; char pad[1024]; } statbuf; + #endif /* AIX */ + #endif /* LANL */ #endif struct krb5int_dns_state *ds; int len, ret; LOCATE_KDC.C Patch: >*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May 5 08:06:45 2005 >--- ./src/lib/krb5/os/locate_kdc.c Thu May 5 11:34:27 2005 >*************** >*** 267,275 **** >--- 267,283 ---- > memset(&hint, 0, sizeof(hint)); > hint.ai_family = family; > hint.ai_socktype = socktype; >+ #ifndef LANL > #ifdef AI_NUMERICSERV > hint.ai_flags = AI_NUMERICSERV; > #endif >+ #else /* LANL */ >+ #ifndef _AIX >+ #ifdef AI_NUMERICSERV >+ hint.ai_flags = AI_NUMERICSERV; >+ #endif >+ #endif /* _AIX */ >+ #endif /* LANL */ > sprintf(portbuf, "%d", ntohs(port)); > sprintf(s...