kerberos and Windows 2008R2
Hello Kerberos List,
I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
I've created a user on windows and used the ktpass to generate the Kerberos keytab:
C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
I did make sure that "Use Kerberos DES encryption types for this account" was checked.
First I was getting:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: KDC has no support for encryption type while getting initial credentials
So I've checked "Do not require Kerberos preauthentication" and I get:
root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
kinit: Key table entry not found while getting initial credentials
Where should that key table entry be located?
I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this?
Klist
root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES cbc mode with RSA-MD5)
Cat /etc/krb5.conf
[logging]
default = FILE...
kinit: Key table entry not found while getting initial credentials #2
Hello newsgroup,
We followed the instructions on http://grolmsnet.de/kerbtut/
kinit -k -t /etc/apache2/httpotrskeytab OTRS/server.test.local@TEST.LOCAL
produces the following error:
kinit: Key table entry not found while getting initial credentials
we are using mit kerberos 1.9.1 on sles10
we created the keytabfile on windows 2008 r2 server with the following
command:
ktpass -princ OTRS/server.test.local@TEST.LOCAL -mapuser httpotrs@TEST.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass secretpassword -out c:\temp\httpotrskeytab
we copied the file to the linux server to /etc/apache2 directory
manual ticket creation works fine:
server:/ # kinit OTRS/server.test.local
Password for OTRS/server.test.local@TEST.LOCAL:
server:/ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: OTRS/server.test.local@TEST.LOCAL
Valid starting Expires Service principal
06/07/11 13:40:15 06/07/11 23:40:15 krbtgt/TEST.LOCAL@TEST.LOCAL
renew until 06/08/11 13:40:15
server:/ # kvno OTRS/server.test.local@TEST.LOCAL
OTRS/server.test.local@TEST.LOCAL: kvno = 11
any ideas what went wrong with our installation?
Günter
gü <guenter.huerkamp@gmail.com> writes:
> Hello newsgroup,
>
> We followed the instructions on http://grolmsnet.de/kerbtut/
>
>
> kinit -k -t /etc/apache2/httpotrskeytab OTRS/
> server.test.local@TEST.LOCAL
> produces the following error:
> kinit: Key table entry not found while getting initial credenti...
kprop: Key table entry not found while getting initial ticket
I try to take good notes so that I can reproduce my problems and
successes. This week is the first time I have ever touched kerberos. I
am using Red Hat ES3 and the default rpms.
The short of it:
kdb5_util dump /var/kerberos/krb5kdc/dump
kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net
kprop: Key table entry not found while getting initial ticket
Now what?
My guess is that I am not asking for the correct ticket for kpropd. A
normal inetd.conf entry would be:
krb5_prop stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd
My thinking is that the second kpropd is my principal. However, my
xinetd entry does not. I have tried it both ways so am sending
everything I have to the list.
I have also changed my logging from the basic stuff in RH to:
kdc = SYSLOG:INFO:LOCAL1
admin_server = SYSLOG:INFO:LOCAL2
hoping I would get more debug information, but no dice.
I have googled, read the docs in /usr/share/doc/krb5-server/ and done
this twice. I am very frustrated and would appreciate any help.
# cat /etc/xinetd.d/krb5_prop
# 2004-01-27 Jud Bishop
# description: kpropd is the propagation daemon for Kerberos
service krb5_prop
{
flags = KEEPALIVE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/kpropd
# server = /usr/kerberos/sbin/kpropd kpropd
# server_args = kpropd
enable = yes
}
How I got here:
Make sure you have NT...
aklog:Key table entry not found while getting AFS tickets
I am trying to automatically obtain the AFS tokens upon login on a Mac
10.2.6 system. I have successfully configured the kerberos v5 and the
OpenAFS 1.2.10 clients. I can login with kerberos and successfully
verify its ticket with the klist command. I can also execute klog,
obtain an AFS token and successfully access my AFS space. However, if I
login with kerberos and try to execute "aklog", I receive the
following messages:
aklog: Couldn't get asu.edu AFS tickets:
aklog:Key table entry not found while getting AFS tickets
Any ideas on how to resolve this problem? Thanks!
James
...
Problem with kerberos working correct due to 2 Domains gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)
Hi guys,
I've been working on this problem for about 3 days and I can't fix it, and now I have no more ideas:
Customer's environment:
Windows domain with DC where all users are: contoso.local
Sless11 for the web application is in a domain: contoso.lan (this is not a Windows domain - just the server is configured for this)
And that's the problem. I don't know how to manage these two domains.
URL to access the web application is:
When I now try to access from a Windows machine which is in the domain contoso.local at URL http://sless11.contoso.lan/webapp there comes a 401 from the apach...
Key table entry not found
Hello,
I'm setting up a test KDC running on Solaris 9. The version I'm
running is 5.1.3.1. I have successfully installed and setup my KDC
server. I have tested it out on RH9 and everything is working there,
as in being authenticated and such. I'm now trying to get kerberos
authentication to work on another Solaris 9 box. But am running into
problems.
On the Solaris 9 box I have modified the pam.conf file to kerberos,
copied the krb5.conf file from my kdc and ran kadmin as follows
kadmin - admin/admin
: ktadd host/machine_name.domain
: quit
When I tried to telnet into the system I got denied, the message in
/var/adm/messages on the client box said something about "Bad
encryption type". I found on the web to do ktadd the following:
kadmin -p admin/admin
: ktremove host/machine_name.domain
: ktadd -e des-cbc-crc:normal host/machine_name.domain
: quit
This got rid of the "Bad encryption type" error, but I am now getting
the following error in the messages file:
"Key table entry not found". I don't know if this is saying that it's
not finding the machine keytab or my UID on the KDC server? Does
anyone have any help here?
Thanks...
---------------------------------------------------------------------------
C. J. Keist Email: cj.keist@engr.colostate.edu
UNIX/Network Manager Phone: 970-491-0630
Engineering Network ...
Key table entry not found #3
Hi the list,
I have two servers. One hosting a kerberos master and ldap master (server.lan), one other hosting a kerberos slave and ldap replica (replica.lan). Kerberos is used by ldap for authentication SASL/GSSAPI.
The kerberos realm is SERVER.LAN. All was running. But since some time, I get error messages with ldapsearch command. With the debug activated, I get the following message of ldapsearch:
server:~ admin$ ldapsearch -d 1 -b cn=mounts,dc=server,dc=lan
....
res_errno: 80, res_error:<SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Key table entry not found)>, res_matched:<>
....
(Remark: For information, I provide the entire debug at the end of this
message)
Because of the message "keytable entry not found", I tried to use kadmin
and check if principal with root exists. But by using kadmin I get now
this message:
server:~ admin$ kadmin -p root@SERVER.LAN
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal root@SERVER.LAN with password.
Password for root@SERVER.LAN:
kadmin: Communication failure with server while initializing kadmin interface
server:~ admin$
I checked the logfile owner, group owner, and permission. Then I compared with one other kerberos server. Permission and owner were different. I set permission identically. But nothing was changed.
With kadmin.local I checked and root@SERVER.LAN exists in the list.
...
key table entry not found #2
Hello,
I have Virtual Network configured to use Kerberos authentication. The setup
is as follows:
Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com;
Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com;
Windows XP Prof. (client) (FQDN) zdravko.lab.com;
They are in the DNS lookup zone. I create one test user account for accessing
the client machine under given domain (lab.com). The user name is "achimtest1"
and its password never expires, and it's not going to be prompted for
changing. After that I create one "dummy" user which will be used for
SPN (service principal name mapping to it). It's called "http-test" and the
same flags are used as in "achimtest1" user + one more: "This account
supports AES 256 bit encryption". I continued with creating the keytab file:
c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http-test@lab.com /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST /out http-test.keytab
the keytab is successfully created and I have checked it with the following
command:
c:\>setspn -L http-test
-> I have the service principal name HTTP/debian.lab.com registered to it. I copy the "http-test.keytab" file via pscp
to the Debian box in /etc/apache2/keytab/ directory. In /etc/hosts file in
Debian I've deleted "127.0.0.1" line and replaced it with: "192.168.100.103
debian.lab.com debian"; 192.168.100.103 is the linux box's IP.
In /etc/resolf...
Key table entry not found-this time with Heimdal
Hello,
this is the same setup like in my previous post from this month, but this
time I'm using heimdal-clients. I have removed all of the MIT packages that I
have installed: krb5-user, krb5-clients.
I have Virtual Network configured to use Kerberos authentication. The
setup is as follows:
Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com;
Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com;
Windows XP Prof. (client) (FQDN) zdravko.lab.com;
[Windows Server 2008 Settings]
They are in the DNS lookup zone. I create one test user account for
accessing the client machine under given domain (lab.com). The user name is
"zdravko1" and its password never expires, and it's not going to be prompted
for changing. After that I create one "dummy" user which will be used for
SPN (service principal name mapping to it). It's called
"http" and the same flags are used as in "zdravko1":
-User cannot change password;
-Password never expires;
-This account supports AES 256 bit encryption;
I continued with creating the keytab file:
c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http@LAB.COM /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab
Keytab version: 0x502
keysize 78 HTTP/debian.lab.com@LAB.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......)
The keytab is successfully created and I have checke...
gss-server: Key table entry not found
Hi,
I cannot get gss-server to work. I have tried adding (using addprinc and
ktadd) different combinations of name/host (klist -k confirms the successful
addition) but still getting the same error: key table entry not found. Can
you please tell me what entry it is looking for and how to resolve the
problem? If you need any information about my system in order to help,
kindly let me know. Thanks in advance.
Regards, David.
...
kinit: Preauthentication failed while getting initial credentials
Hello, I am trying to connect from Ubuntu (Kerberos) to an
Active Directory (Windows 2008), but I am having problems.
Technical details:
Domain: NAME1.NAME2.COM
My krb5.conf
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = NAME1.NAME2.COM
[realms]
NAME1.NAME2.COM = {
kdc = dcwindows
admin_server = dcwindows
default_domain = NAME1.NAME2.COM
}
[domain_realm]
.name1.name2.com = NAME1.NAME2.COM
name1.name2.com = NAME1.NAME2.COM
When I try to run:
kinit -V Administrador@NAME1.NAME2.COM
and enter the password correctly, I get:
kinit: Preauthentication failed while getting initial credentials
The whole problem started when I reinstalled Windows 2008 again
from another CD; I don't know whether the problem is Windows or the
Kerberos configuration.
Regards.
2011/5/19 JODACAME <jodacame@gmail.com>:
> When I try to run:
> kinit -V Administrador@NAME1.NAME2.COM
> and enter the password correctly, I get:
>
> kinit: Preauthentication failed while getting initial credentials
>
>
> The whole problem started when I reinstalled Windows 2008 again
> from another CD; I don't know whether the problem is Windows or the
> Kerberos configuration.
Did you perhaps reinstall and _re-create_ the Active Directory domain?
You can reinstall, but you have to restore the domain data from
your backups.
Nico
--
Hello. Are you sure that the admin user isn't called administ...
kinit: KRB5 error code 52 while getting initial credentials
I'm getting the following error on a Solaris 8 machine: kinit: KRB5 error code 52 while getting initial credentials
So far my analysis shows this error to indicate the following: 0x34 - KRB_ERR_RESPONSE_TOO_BIG - Too much data
According to a number of forums, some inherent limitations exist with the Solaris 8 version of Kerberos concerning the number of group memberships a user may have. In my Active Directory, each user is a member of possibly many groups. To confirm this, I created a simple user with only membership to "Domain Users" and was able to run kinit without issue.
Also, I have seen a number of forums reporting that the native version of Kerberos in Solaris 8 does not support TCP. Apparently by default, once the package size of a Kerberos ticket reaches a specified max, TCP should be used.
I have the following Kerberos packages loaded:
SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
SUNWk5pkx kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
SUNWk5pux user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
Are updated packages for Kerberos available for Solaris 8 environments that can handle support for Kerberos over TCP and having a large number of group memberships?
kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi,
I am having problems with using kinit, with keytab and username/password.
When issuing the kinit command I get the following error:
kinit: Cannot contact any KDC for requested realm while getting initial
credentials
There is a firewall between the webservers where I issue the command from
and the domain controller.
The webservers are able to connect to the domain controller on port 88 over
UDP.
The webservers are able to resolve themselves and the domain controller,
both forward and reverse lookup.
Do any of you guys out there have an idea of what is going wrong?
Many thanks,
Celia
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
...
newbie: error getting credentials: Server not found in Kerberos database
Hi!
I never found the time to deal intensively with kerberos so please
indulge me if this is ought to be a stupid question:
kinit works. krsh does not:
krsh server
error getting credentials: Server not found in Kerberos database
trying normal rlogin (/usr/bin/rlogin)
So, this is what I did so far:
server:
/etc/krb5.conf:
[libdefaults]
default_realm = LOCALDOMAIN
[realms]
LOCALDOMAIN = {
kdc = server.localdomain:88
admin_server = server.localdomain:750
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/hosts:
127.0.0.1 localhost
192.168.0.2 server server.localdomain
real hostname is actually *not* "server"!
kadmin.local:
addprinc foo
client:
/etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = LOCALDOMAIN
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
LOCALDOMAIN = {
kdc = server.localdomain:88
admin_server = server.localdomain:750
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FI...
"Key table entry not found while verifying ticket for server"
Just added a new system tonight to our Kerberos realm, and was getting
the following error when ksu'ing:
"ksu: Key table entry not found while verifying ticket for server"
Tried Googling for the error to no avail; what is the meaning of this
error and how do I clear it?
Best Wishes - Peter
--
Peter_Losher@isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
...
ssh gssapi-with-mic and "Key table entry not found"
Hi,
I'm trying to get ssh working using gssapi-with-mic authentication. I have
about 40 machines running CentOS 5.7. (My bigger goal is to use NFSv4
mounts with "krb5p" security. All these machines mount the same NFSv4 share
(think home directories) so my users need to be able to forward their TGT
around.)
What I'm ultimately running into is sshd complaining "Key table entry not
found" on *most* of the servers---a random handful work, and I can't figure
out how the working ones are different.
So, here's an example: I'm trying to ssh from "lnxsvr3" to "lnxsvr11" using
gssapi-with-mic authentication.
Here's the output of trying to ssh:
[matt@lnxsvr3 ~]$ ssh -v -o"PreferredAuthentications gssapi-with-mic" lnxsvr11
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to lnxsvr11 [192.168.187.67] port 22.
debug1: Connection established.
debug1: identity file /mnt/home/matt/.ssh/identity type -1
debug1: identity file /mnt/home/matt/.ssh/id_rsa type 1
debug1: identity file /mnt/home/matt/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version st...
RE: kinit: KRB5 error code 52 while getting initial credentials
Thanks for the update Will. I'll look into Solaris 10...
> Date: Mon, 9 Jul 2007 15:43:48 -0500
> From: William.Fiveash@sun.com
> To: rfbass16@hotmail.com
> CC: kerberos@mit.edu
> Subject: Re: kinit: KRB5 error code 52 while getting initial credentials
>
> On Wed, Jul 04, 2007 at 05:56:56PM +0000, Ron Bass II wrote:
> >
> > I'm getting the following error on a Solaris 8 machine: kinit: KRB5
> > error code 52 while getting initial credentials
> >
> > So far my analysis shows this error to indicate the following: 0x34 -
> > KRB_ERR_RESPONSE_TOO_BIG - Too much data
> >
> > According to a number of forums, some inherent limitations exist with
> > the Solaris 8 version of Kerberos concerning the number of group
> > memberships a user may have. In my Active Directory, each user is a
> > member of possibly many groups. To confirm this, I created a simple
> > user with only membership to "Domain Users" and was able to run kinit
> > without issue. Also, I have seen a number of forums reporting that the
> > native version of Kerberos in Solaris 8 does not support TCP.
> > Apparently by default, once the package size of a Kerberos ticket
> > reaches a specified max, TCP should be used.
>
> Support for TCP in Solaris Kerberos was introduced in Solaris 10.
>
> > I have the following Kerberos packages loaded: SUNWk5pk kernel
> ...
kinit(v5): KRB5 error code 68 while getting initial credentials
I have a huge problem.
I'm trying to install SSO for our intranet web server (Apache 2.0.55) on
a SuSE Linux 10.0.
It's running very fine.
But we have some computers which are NOT part of the Active Directory
domain, so there the SSO doesn't work.
If they paste their usernames into the auth box
(firstname.lastname@persona.de) it doesn't work. But the user account
exists in the AD.
If they paste the real username (e.g. firstname.lastname@KONZERN.INTERN)
it works fine.
The problem: the user doesn't know his real AD name. He knows just his
email address (firstname.lastname@persona.de)
Anyone a solution?
My krb5.conf
"[libdefaults]
default_realm = KONZERN.INTERN
clockskew = 300
[realms]
KONZERN.INTERN = {
kdc = w2kroot.konzern.intern
default_domain = konzern.intern
admin_server = w2kroot
}
persona.de = {
kdc = w2kroot.konzern.intern
default_domain = konzern.intern
admin_server = w2kroot
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[domain_realm]
.konzern.intern = KONZERN.INTERN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
...
RE: kinit: KRB5 error code 52 while getting initial credentials #2
Any chance the Kerberos libs from Solaris 10 can port back to Solaris 8? Some limitations have arisen such that an upgrade to Solaris 10 is not possible yet. Is there any way to patch the Solaris 8 Kerberos???
Thanks
Ron
> Date: Wed, 11 Jul 2007 11:42:49 -0500
> From: William.Fiveash@sun.com
> To: rfbass16@hotmail.com
> CC: William.Fiveash@sun.com; kerberos@mit.edu
> Subject: Re: kinit: KRB5 error code 52 while getting initial credentials
>
> On Wed, Jul 11, 2007 at 01:10:19AM +0000, Ron Bass II wrote:
> >
> > Thanks for the update Will. I'll look into Solaris 10...
>
> Note that there have been a number of updates (some security related)
> released for Solaris 10 so make sure you get the latest bits.
>
> --
> Will Fiveash
> Sun Microsystems Inc.
> Austin, TX, USA (TZ=CST6CDT)
...
error : kinit(v5) : KRB5 error code 52 while getting initial credentials
Hello all,
I am Sunil C. I have a domain named xx.com which has a KDC.
I also have a domain co.yy where my server is. There is no KDC in it.
Users are in the xx.com domain, but my servers are in the (co.yy) domain.
I had set up a test scenario with a user and a server in domain
(xx.com).
Since the KDC was set up I got a ticket and was able to authenticate well
using Kerberos.
My issue is that all my production servers are in domain (co.yy), which
doesn't have a KDC.
I want to authenticate and use the server services in that domain.
Setting up a KDC in both domains is not feasible for me.
Now I have done some configuration in the krb5.conf file on my server
(test.co.yy)
[domain_realm]
xx.com = XX.COM
.xx.com = XX.COM
co.yy = XX.COM
.co.yy = XX.COM
This shows that I have mapped my domain co.yy, which does not have a KDC,
to the realm XX.COM.
Now I have some issues.
1) I tried to get a keytab from the KDC of XX.COM (my server in
co.yy)
> ktpass -princ HTTP/test.co.yy@XX.COM
2) I somehow managed to get a keytab. I copied it into the Apache folder and
executed the command.
kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
password: xxxx
error : kinit(v5) : KRB5 error code 52 while getting initial
credentials
Please help me understand what this error is.
Is it some issue with the domain mapping configuration in the krb5.conf file?
I am using Kerberos 1.2.7 version.
Thanks in advance
Sunil C
Sunil Chandrasekharan wrote:
> Hello all,
> i am Sunil C. i have a domain named...
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
Hi!
I have set up a kerberos server srv.example.com. This server has
address 192.168.180.30. Address resolution works fine on the server
and client:
srv.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#
client.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#
Now from the server:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials
and from the client:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials
I am a bit lost what's going on here. In /etc/krb5.conf I have:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
EXAMPLE.COM = {
k...
AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list,
kinit (krb5 1.4.2) on an AIX 5.3 gives me
# /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET
kinit(v5): Cannot resolve network address for KDC in requested realm
while getting initial credentials
From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
and foobar.keytab to AIX 5.3. The following steps don't defer to the
steps I did under Linux.
# ./configure --without-krb4 --enable-shared
# make && make install
Using gcc 3.3.2.
I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
as I see it is fixed in 1.4.2.
My krb5.conf looks like this:
[libdefaults]
default_realm = EXAMPLE.NET
clockskew = 300
[realms]
EXAMPLE.NET = {
kdc = foo.example.net:88
admin_server = foo.example.net:749
default_domain = example.net
kpasswd_server = foo.example.net
}
[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
Trying to analyze with tcpdump I s...
Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher,
I had the exact same problem. I was given 2 patches for KRB
1.4.1 and it fixed the problem. I applied the patches to my 1.4.2
source and the problem is resolved there too. Here are the patches:
DNSGLUE.C Patch:
*** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005
--- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005
***************
*** 62,68 ****
--- 62,76 ----
char *host, int nclass, int ntype)
{
#if HAVE_RES_NSEARCH
+ #ifndef LANL
struct __res_state statbuf;
+ #else /* LANL */
+ #ifndef _AIX
+ struct __res_state statbuf;
+ #else /* _AIX */
+ struct { struct __res_state s; char pad[1024]; } statbuf;
+ #endif /* AIX */
+ #endif /* LANL */
#endif
struct krb5int_dns_state *ds;
int len, ret;
LOCATE_KDC.C Patch:
>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May 5 08:06:45 2005
>--- ./src/lib/krb5/os/locate_kdc.c Thu May 5 11:34:27 2005
>***************
>*** 267,275 ****
>--- 267,283 ----
> memset(&hint, 0, sizeof(hint));
> hint.ai_family = family;
> hint.ai_socktype = socktype;
>+ #ifndef LANL
> #ifdef AI_NUMERICSERV
> hint.ai_flags = AI_NUMERICSERV;
> #endif
>+ #else /* LANL */
>+ #ifndef _AIX
>+ #ifdef AI_NUMERICSERV
>+ hint.ai_flags = AI_NUMERICSERV;
>+ #endif
>+ #endif /* _AIX */
>+ #endif /* LANL */
> sprintf(portbuf, "%d", ntohs(port));
> sprintf(s...
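Review bot: In the `hint.ai_flags` block the same `#ifdef AI_NUMERICSERV` lines now appear in both the `#ifndef LANL` arm and the `#ifndef _AIX` arm, and the AIX exclusion only applies when `LANL` is defined; a single `#if defined(AI_NUMERICSERV) && !defined(_AIX)` would express the intent without the site-specific macro. There is also no comment explaining why the flag has to be dropped on AIX, so a later cleanup could easily restore it. With the flag omitted, `hint.ai_flags` keeps the zero from the `memset`, and `portbuf` is still numeric because it comes from `sprintf(portbuf, "%d", ntohs(port))`, so the only behavioural change on AIX is the missing flag.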