LoginException: Cannot get kdc for realm

Hi to all.

We have a problem using JAAS for authenticating against Microsoft
Active Directory LDAP and a security service based on Microsoft
Kerberos V5.

We have a krb5.conf like this:

#
# All rights reserved.
#
#pragma ident   @(#)krb5.conf   1.1 00/12/08

[libdefaults]
        default_realm = AAA.IT.xxx.YYYY.COM

[realms]
        IT.XXX.YYYY.COM = {
            kdc = SERVER1:88
        }
        AAA.IT.XXX.YYYY.COM = {
            kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
        }
        BBB.IT.XXX.YYYY.COM = {
            kdc = SERVER3.BBB.IT.XXX.YYYY.COM:88
        }
        CCC.IT.XXX.YYYY.COM = {
            kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
        }
        DDD.IT.XXX.YYYY.COM = {
            kdc = SERVER5.DDD.IT.XXX.YYYY.COM:88
        }

[domain_realm]
        .bbb.it.xxx.yyyy.com = BBB.IT.XXX.YYYY.COM
        .aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
        .it.xxx.yyyy.com = IT.XXX.YYYY.COM
        .ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
        .ddd.it.xxx.yyyy.com = DDD.IT.XXX.YYYY.COM

We are developing under Oracle Application Server 10.1.3. We load the
krb5.conf file in a servlet with this code:
System.setProperty("java.security.krb5.conf"..

We authenticate users with these calls:

lc = new LoginContext("MyLogin", new CallbackHandler(args));
lc.login();

We have deployed our web application under a test environment and
everything works. Now we are trying to go on production, where we have
the following error:

javax.security.auth.login.LoginException: Cannot get kdc for realm CC.IT.XXX.YYYY.COM
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
     at sun.reflect.GeneratedMethodAccessor1909.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
     ...
Caused by: KrbException: Cannot get kdc for realm CCC.IT.XXX.YYYY.COM
     at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
     at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
     at sun.security.krb5.KrbAsReq.send(DashoA12275:330)
     at sun.security.krb5.Credentials.acquireTGT(DashoA12275:369)
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)

We have deployed another web application inside the same application
server that uses the same framework for authentication, that is, the
same classes that we have developed for authentication. The other web
application works correctly; the only difference is that we have added
two more domains in the krb5.conf that is deployed with each web
application.

Using kinit, authentication works for the added domains.

Does anyone have a suggestion to solve this problem?

Thanks in advance.
Best Regards,
Giuseppe
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

5/30/2007 4:29:44 PM
comp.protocols.kerberos

Hi,

    I believe the domain name in the domain_realm section is
case-sensitive. Add the following entry and try again:

[domain_realm]
...............
..CCC.IT.XXX.YYYY.COM = CCC.IT.XXX.YYYY.COM
..................

Thanks,
Preetam

--- Giuseppe Catalano <gpcatalano@gmail.com> wrote:

5/31/2007 4:02:34 AM
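The two lookups that have to succeed before a login gets past this point are (1) host name to realm via [domain_realm] (falling back to default_realm) and (2) realm to a kdc line in [realms]; "Cannot get kdc for realm X" is what you see when the second one comes up empty. The checker below is an added example written for this page, not code from the thread or from any Kerberos implementation. It parses the posted krb5.conf (trimmed to three of its realms, placeholder names kept) and reports, for a given host, which realm it would be mapped to and whether that realm has a KDC. The `case_sensitive` flag only models Preetam's claim that the [domain_realm] lookup may be case-sensitive; it does not describe how MIT krb5 or the Java Krb5LoginModule actually compare keys. Realm names themselves are compared exactly, since Kerberos realm names are case-sensitive.

```python
"""Check the host -> realm -> kdc chain behind "Cannot get kdc for realm"
in a krb5.conf. Added example; the parser handles only what the thread's
file uses: flat key = value sections and REALM = { ... } blocks."""
import re

# Constructed sample: the krb5.conf posted in the thread, trimmed to three
# of its realms, with the poster's placeholder names left as they are.
SAMPLE_KRB5_CONF = """\
#pragma ident   @(#)krb5.conf   1.1 00/12/08
[libdefaults]
        default_realm = AAA.IT.xxx.YYYY.COM

[realms]
        IT.XXX.YYYY.COM = {
            kdc = SERVER1:88
        }
        AAA.IT.XXX.YYYY.COM = {
            kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
        }
        CCC.IT.XXX.YYYY.COM = {
            kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
        }

[domain_realm]
        .aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
        .it.xxx.yyyy.com = IT.XXX.YYYY.COM
        .ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
"""


def parse_krb5_conf(text):
    """Return {"libdefaults": {...}, "realms": {REALM: {"kdc": [...]}},
    "domain_realm": {...}}; kdc lines are kept in a list because a realm
    may name several KDCs."""
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"([^=\s]+)\s*=\s*\{$", line)
            if m:                               # start of a REALM = { block
                realm = m.group(1)
                conf["realms"].setdefault(realm, {"kdc": []})
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, value = (p.strip() for p in line.partition("="))
                if key == "kdc":
                    conf["realms"][realm]["kdc"].append(value)
                else:
                    conf["realms"][realm][key] = value
        elif section in conf:
            key, _, value = (p.strip() for p in line.partition("="))
            conf[section][key] = value
    return conf


def realm_for_host(conf, host, case_sensitive=False):
    """Map a host to a realm via [domain_realm]: the full name first, then
    each parent domain with and without a leading dot (most specific suffix
    wins), and default_realm if nothing matches."""
    mapping = conf["domain_realm"]
    if not case_sensitive:                      # compare on lowercased keys
        mapping = {k.lower(): v for k, v in mapping.items()}
        host = host.lower()
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return conf["libdefaults"].get("default_realm")


def check_host(conf, host, case_sensitive=False):
    """Return (realm, status): "ok" when the realm has a kdc, "no-kdc" when a
    realm was found but [realms] gives it none (the thread's error), and
    "no-realm" when nothing maps the host and there is no default_realm."""
    realm = realm_for_host(conf, host, case_sensitive)
    if realm is None:
        return None, "no-realm"
    has_kdc = bool(conf["realms"].get(realm, {}).get("kdc"))
    return realm, "ok" if has_kdc else "no-kdc"


def audit(conf):
    """Every realm that default_realm or [domain_realm] can produce must have
    a kdc line; return the exact (case-sensitive) realm names that lack one."""
    referenced = set(conf["domain_realm"].values())
    if conf["libdefaults"].get("default_realm"):
        referenced.add(conf["libdefaults"]["default_realm"])
    return sorted(r for r in referenced if not conf["realms"].get(r, {}).get("kdc"))


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("web1.ccc.it.xxx.yyyy.com", "WEB1.CCC.IT.XXX.YYYY.COM",
                 "host.other.example"):
        for cs in (False, True):
            print(f"{host:26} case_sensitive={cs!s:5} -> {check_host(conf, host, cs)}")
    print("realms referenced without a kdc:", audit(conf))
```

Two things the run shows. With a case-sensitive lookup an upper-case host name such as `WEB1.CCC.IT.XXX.YYYY.COM` matches none of the lower-case [domain_realm] keys and falls through to default_realm, which is the path Preetam's suggested entry is meant to cover. Independently of that, `audit()` flags the posted `default_realm = AAA.IT.xxx.YYYY.COM`: no [realms] stanza is spelled that way, so any host that falls back to the default realm ends in `no-kdc`. Whether the mixed case is a real setting or an anonymisation slip in the post is not something the thread says, but it is exactly the kind of mismatch worth checking before deploying a krb5.conf to a new environment.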

