


Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Christopher,

	I had the exact same problem.  I was given 2 patches for KRB
1.4.1 and it fixed the problem.  I applied the patches to my 1.4.2
source and the problem is resolved there too.  Here are the patches:

DNSGLUE.C Patch:

*** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
--- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
***************
*** 62,68 ****
--- 62,76 ----
                 char *host, int nclass, int ntype)
   {
   #if HAVE_RES_NSEARCH
+ #ifndef LANL
       struct __res_state statbuf;
+ #else   /* LANL */
+ #ifndef _AIX
+     struct __res_state statbuf;
+ #else   /* _AIX */
+     struct { struct __res_state s; char pad[1024]; } statbuf;
+ #endif  /* AIX */
+ #endif  /* LANL */
   #endif
       struct krb5int_dns_state *ds;
       int len, ret;
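
Review bot: the `char pad[1024]` in the `_AIX` branch is an unexplained magic number; it needs a comment saying what writes past `struct __res_state` on AIX and why 1024 bytes is enough. If the resolver really needs more room than the header's struct provides, the unpatched declaration is a stack overrun, so the size should be justified rather than guessed. Wrapping the state in an anonymous struct also changes the type of `&statbuf`; the later uses are outside this hunk, so check that they pass `&statbuf.s`. The outer `#ifndef LANL` repeats the original declaration twice where a single `#ifdef _AIX` / `#else` would do, and the closing comment `/* AIX */` should read `/* _AIX */`.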

LOCATE_KDC.C Patch:

>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>***************
>*** 267,275 ****
>--- 267,283 ----
>       memset(&hint, 0, sizeof(hint));
>       hint.ai_family = family;
>       hint.ai_socktype = socktype;
>+ #ifndef LANL
>   #ifdef AI_NUMERICSERV
>       hint.ai_flags = AI_NUMERICSERV;
>   #endif
>+ #else   /* LANL */
>+ #ifndef _AIX
>+ #ifdef AI_NUMERICSERV
>+     hint.ai_flags = AI_NUMERICSERV;
>+ #endif
>+ #endif  /* _AIX */
>+ #endif  /* LANL */
>       sprintf(portbuf, "%d", ntohs(port));
>       sprintf(secportbuf, "%d", ntohs(secport));
>       err = getaddrinfo (hostname, portbuf, &hint, &addrs);
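
Review bot: the AIX exclusion only takes effect when `LANL` is defined at build time, which nothing in the hunk documents, so an AIX build without that macro still sets `AI_NUMERICSERV` and keeps the failure. The `hint.ai_flags = AI_NUMERICSERV;` assignment is also duplicated in both arms; `#if defined(AI_NUMERICSERV) && !defined(_AIX)` around the original three lines gives the same result in one place. A comment naming the AIX `getaddrinfo` behaviour being avoided would keep the exclusion from being dropped later.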

Credit goes to Milton Turley <mturley@lanl.gov> for the patches and
assistance...

Let me know if it works for you...

Lamar

-----------------------------------------------------------------------------------------------

Date: Tue, 08 Nov 2005 20:12:27 +0100
From: Christoph Weizen <cwei@gmx.net>
To: kerberos@MIT.EDU
Subject: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in
	requested
Message-ID: <dkqtao$ur0$05$1@news.t-online.com>
Precedence: list
Message: 1

Hi list,

kinit (krb5 1.4.2) on an AIX 5.3 gives me
# /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
and foobar.keytab to AIX 5.3. The following steps don't differ from the
steps I did under Linux.

# ./configure --without-krb4 --enable-shared
# make && make install

Using gcc 3.3.2.
I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
as I see it is fixed in 1.4.2.

My krb5.conf looks like this:
[libdefaults]
         default_realm = EXAMPLE.NET
         clockskew = 300

[realms]
         EXAMPLE.NET = {
                 kdc = foo.example.net:88
                 admin_server = foo.example.net:749
                 default_domain = example.net
                 kpasswd_server = foo.example.net
         }

[domain_realm]
         .example.net = EXAMPLE.NET
         example.net = EXAMPLE.NET

[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log

[appdefaults]
         pam = {
                 ticket_lifetime = 1d
                 renew_lifetime = 1d
                 forwardable = true
                 proxiable = false
                 retain_after_close = false
                 minimum_uid = 0
                 debug = false
         }

Trying to analyze with tcpdump I see that DNS query A, AAAA, AAAA with
double of my domainname - and then again from the beginning.
A record is answered correctly, AAAA can't (no ipv6).

13:00:09.595177 10.20.30.56.41629 > bar.example.net.domain: [udp sum ok]
  65423+ A? foo.example.net. (34) (ttl 30, id 30399, len 62)
13:00:09.595729 bar.example.net.domain > 10.20.30.56.41629: [udp sum ok]
  65423* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net ns: example.net. NS bar.example.net., example.net. NS bar2.example.net. ar: bar.example.net. A bar.example.net, bar2.example.net. A bar2.example.net (128) (ttl 30, id 35101, len 156)
13:00:09.597500 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
  65424+ AAAA? foo.example.net. (34) (ttl 30, id 30400, len 62)
13:00:09.597886 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
  65424* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) (ttl 30, id 35102, len 115)
13:00:09.597928 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
  65425+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30401, len 70)
13:00:09.598273 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
  65425 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (95) (ttl 30, id 35103, len 123)
13:00:09.600003 10.20.30.56.41631 > bar.example.net.domain: [udp sum ok]
  65426+ A? foo.example.net. (34) (ttl 30, id 30402, len 62)
13:00:09.600473 bar.example.net.domain > 10.20.30.56.41631: [udp sum ok]
  65426* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net ns: example.net. NS bar2.example.net., example.net. NS bar.example.net. ar: bar.example.net. A bar.example.net, bar2.example.net. A bar2.example.net (128) (ttl 30, id 35104, len 156)
13:00:09.602076 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
  65427+ AAAA? foo.example.net. (34) (ttl 30, id 30403, len 62)
13:00:09.602478 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
  65427* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) (ttl 30, id 35105, len 115)
13:00:09.602520 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
  65428+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30404, len 70)
13:00:09.602894 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
  65428 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (95) (ttl 30, id 35106, len 123)

Up to here, Linux contacts my KDC, AIX 5.3 not. "Cannot resolve network
address for KDC..."

Did I miss something?

cheers,
Christoph

Privileged and Confidential.  This e-mail, and any attachments there to, is intended only for use by the addressee(s) named herein and may contain privileged or confidential information.  If you have received this e-mail in error, please notify me immediately by a return e-mail and delete this e-mail.  You are hereby notified that any dissemination, distribution or copying of this e-mail and/or any attachments thereto, is strictly prohibited.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
11/9/2005 10:18:17 PM

Hi Lamar,

I applied the two patches, and it works - thanks a lot!
Donn Cave sent a similar working patch: ;)

    Donn Cave, donn@u.washington.edu
-----------------------------------
*** include/fake-addrinfo.h.dist        Wed Jun  1 12:24:32 2005
--- include/fake-addrinfo.h     Fri Aug 12 09:10:48 2005
***************
*** 1193,1199 ****
          a known service name for tcp or udp (as appropriate), an error
          code (for "host not found") is returned.  If the port maps to a
          known service for both udp and tcp, all is well.  */
!     if (serv && serv[0] && isdigit(serv[0])) {
         unsigned long lport;
         char *end;
         lport = strtoul(serv, &end, 10);
--- 1193,1208 ----
          a known service name for tcp or udp (as appropriate), an error
          code (for "host not found") is returned.  If the port maps to a
          known service for both udp and tcp, all is well.  */
!     /*
!     **
!     **  However, where AI_NUNERICSERV is defined (AIX 5) and was
specified,
!     **  this is unneeded and and broken - "discard" is not numeric.
!     */
!     if (serv && serv[0]
! #ifdef AI_NUMERICSERV
!              && !(hint->ai_flags & AI_NUMERICSERV)
! #endif
!              && isdigit(serv[0])) {
         unsigned long lport;
         char *end;
         lport = strtoul(serv, &end, 10);
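
Review bot: the new condition reads `hint->ai_flags` without checking `hint`, and `getaddrinfo` callers may pass a null hints pointer; unless a line outside this hunk guarantees it is non-null, write `!(hint && (hint->ai_flags & AI_NUMERICSERV))`. The added comment misspells the flag as `AI_NUNERICSERV` and has a doubled "and and". The comment line ending in "specified," is wrapped onto a second line without the `!` prefix, so the hunk will not apply as shown.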

cheers,
Christoph

Lamar.Saxon@americredit.com wrote:
> Christopher,
> 
> 	I had the exact same problem.  I was given 2 patches for KRB
> 1.4.1 and it fixed the problem.  I applied the patches to my 1.4.2
> source and the problem is resolved there too.  Here are the patches:
> 
> DNSGLUE.C Patch:
> 
> *** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
> --- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
> ***************
> *** 62,68 ****
> --- 62,76 ----
>                  char *host, int nclass, int ntype)
>    {
>    #if HAVE_RES_NSEARCH
> + #ifndef LANL
>        struct __res_state statbuf;
> + #else   /* LANL */
> + #ifndef _AIX
> +     struct __res_state statbuf;
> + #else   /* _AIX */
> +     struct { struct __res_state s; char pad[1024]; } statbuf;
> + #endif  /* AIX */
> + #endif  /* LANL */
>    #endif
>        struct krb5int_dns_state *ds;
>        int len, ret;
> 
> LOCATE_KDC.C Patch:
> 
> 
>>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>>***************
>>*** 267,275 ****
>>--- 267,283 ----
>>      memset(&hint, 0, sizeof(hint));
>>      hint.ai_family = family;
>>      hint.ai_socktype = socktype;
>>+ #ifndef LANL
>>  #ifdef AI_NUMERICSERV
>>      hint.ai_flags = AI_NUMERICSERV;
>>  #endif
>>+ #else   /* LANL */
>>+ #ifndef _AIX
>>+ #ifdef AI_NUMERICSERV
>>+     hint.ai_flags = AI_NUMERICSERV;
>>+ #endif
>>+ #endif  /* _AIX */
>>+ #endif  /* LANL */
>>      sprintf(portbuf, "%d", ntohs(port));
>>      sprintf(secportbuf, "%d", ntohs(secport));
>>      err = getaddrinfo (hostname, portbuf, &hint, &addrs);
> 
> 
> Credit goes to Milton Turley <mturley@lanl.gov> for the patches and
> assistance...
> 
> Let me know if it works for you...
> 
> Lamar
0
cwei (25)
11/10/2005 7:21:59 PM
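
A small probe for the platform behaviour the patches in this thread work around, added here as an example and not taken from the krb5 sources or from any poster: it repeats the `getaddrinfo` call pattern of the locate_kdc.c hunk with and without `AI_NUMERICSERV` and reports which variant the local resolver rejects. The names `probe_port_lookup`, `classify_numericserv` and `verdict_name` are made up for this example, and 127.0.0.1 with `AI_NUMERICHOST` is an assumption chosen so that it runs without DNS.

```c
/* Added example (not krb5 code): how does getaddrinfo() on this host treat
 * a numeric port string with and without AI_NUMERICSERV? */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum numericserv_verdict {
    NS_UNSUPPORTED,   /* AI_NUMERICSERV is not defined on this platform   */
    NS_OK,            /* lookup succeeds with and without the flag        */
    NS_FLAG_BREAKS,   /* fails only with the flag: the case in the thread */
    NS_FLAG_REQUIRED, /* succeeds only with the flag                      */
    NS_BOTH_FAIL      /* fails either way: the flag is not the cause      */
};

/* Same call pattern as the locate_kdc.c hunk: zeroed hints, family,
 * socktype, port printed into a buffer. AI_NUMERICHOST is added so no DNS
 * traffic is generated. Returns the getaddrinfo() error code and, on
 * success, stores the resolved port (host byte order) in *port_out. */
int probe_port_lookup(const char *host, unsigned short port_net,
                      int socktype, int extra_flags, unsigned short *port_out)
{
    struct addrinfo hint, *addrs = NULL;
    char portbuf[10];
    int err;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_socktype = socktype;
    hint.ai_flags = AI_NUMERICHOST | extra_flags;
    snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port_net));

    err = getaddrinfo(host, portbuf, &hint, &addrs);
    if (err != 0)
        return err;
    if (port_out != NULL && addrs != NULL && addrs->ai_family == AF_INET) {
        const struct sockaddr_in *sin =
            (const struct sockaddr_in *)addrs->ai_addr;
        *port_out = ntohs(sin->sin_port);
    }
    freeaddrinfo(addrs);
    return 0;
}

/* Run both variants for one port and socket type and compare them. */
enum numericserv_verdict classify_numericserv(const char *host,
                                              unsigned short port_net,
                                              int socktype)
{
#ifdef AI_NUMERICSERV
    int with = probe_port_lookup(host, port_net, socktype,
                                 AI_NUMERICSERV, NULL);
    int without = probe_port_lookup(host, port_net, socktype, 0, NULL);

    if (with == 0 && without == 0) return NS_OK;
    if (with != 0 && without == 0) return NS_FLAG_BREAKS;
    if (with == 0) return NS_FLAG_REQUIRED;
    return NS_BOTH_FAIL;
#else
    (void)host; (void)port_net; (void)socktype;
    return NS_UNSUPPORTED;
#endif
}

const char *verdict_name(enum numericserv_verdict v)
{
    switch (v) {
    case NS_OK:            return "ok with and without AI_NUMERICSERV";
    case NS_FLAG_BREAKS:   return "fails only with AI_NUMERICSERV";
    case NS_FLAG_REQUIRED: return "works only with AI_NUMERICSERV";
    case NS_BOTH_FAIL:     return "fails either way";
    default:               return "AI_NUMERICSERV not defined";
    }
}

int main(void)
{
    /* Ports from the krb5.conf in the thread: kdc = 88, admin_server = 749. */
    static const unsigned short ports[] = { 88, 749 };
    static const int types[] = { SOCK_DGRAM, SOCK_STREAM };
    size_t i, j;

    for (i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
        for (j = 0; j < sizeof(types) / sizeof(types[0]); j++) {
            enum numericserv_verdict v =
                classify_numericserv("127.0.0.1", htons(ports[i]), types[j]);
            printf("port %u %s: %s\n", (unsigned)ports[i],
                   types[j] == SOCK_DGRAM ? "udp" : "tcp", verdict_name(v));
        }
    }
    return 0;
}
```

A "fails only with AI_NUMERICSERV" line on the affected host points at the resolver flag rather than at DNS or krb5.conf.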
Reply:

Similar Artilces:

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1.4.2. My krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.NET clockskew = 300 [realms] EXAMPLE.NET = { kdc = foo.example.net:88 admin_server = foo.example.net:749 default_domain = example.net kpasswd_server = foo.example.net } [domain_realm] .example.net = EXAMPLE.NET example.net = EXAMPLE.NET [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Trying to analyze with tcpdump I s...

Cannot resolve network address for KDC in requested realm while getting initial credentials
On Red Hat linux 2.4.9 krb5-devel-1.2.2-24 krb5-libs-1.2.2-24 krb5-server-1.2.2-24 krb5-workstation-1.2.2-24 running everything on the local host I can run kinit.just fine: kinit test Password for test@host.COM: I can create a keytab file: kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5test test Entry for principal test with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. Entry for principal test with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. However, I can't kinit using this keytab file: [root@host/var/kerberos/krb5kdc]$ kinit -k kadm5test kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials klist shows: [root@bde-idm3 /var/kerberos/krb5kdc]$ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: test@BDE-IDM3.US.ORACLE.COM Valid starting Expires Service principal 01/20/05 14:53:59 01/21/05 00:53:59 krbtgt/HOST.COM@HOST.COM Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached A secondary problem is now the password seems to have been changed after creating the keytab, and I can no longer kinit (without the keytab): [root@host /var/kerberos/krb5kdc]$ kinit test Password for test@host.US.ORACLE.COM: kinit(v5): Password incorrect while getting initial credentials For testing purposes I'm using my hostname as my realm name. I&#...

krb5 1.6 beta 3 on Debian Lenny : kinit(v5): Cannot resolve network address for KDC in realm
I have an issue standing, where I am unable to kinit to get my Krb5 TGT locally on the KDC, but have no problems doing the same on one of my client machines. I don't care too much about this issue for as long as we talk Kerberos credentials on the server itself, however I am really puzzled by this behaviour ... Whenever I execute: kinit <user> I get: kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials My /etc/resolv.conf looks like this: domain example.com search example.com nameserver 127.0.0.1 My /etc/hostname looks like this: 127.0.0.1 localhost My /etc/krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.COM ticket_lifetime = 12h renew_lifetime = 7d dns_fallback = no kdc_timesync = 3 ccache_type = 4 renewable = true forwardable = true forward = true proxiable = true noaddresses = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-c...

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

samba+kerberos "cannot resolve network address for KDC in requested realm"
Hi, i'm quite new on kerberos and samba so i hope my question is not so stupid and i hope somebody could help me. I'm trying to join a linux machine (3.0.14a-Debian) to a W2K3 domain a member . I would like to have ads security on it but i dont know why i get this message "cannot resolve network address for KDC in requested realm" when i try "net ads join -U myuser%mypassword". Maybe i did not give u enough information to know what's the problem. Thank's in advance --------------------------------- LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y m�viles desde 1 c�ntimo por minuto. http://es.voice.yahoo.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3
Believe it or not; both solutions seem to work and compilation succeeds ! #define GET_HOST_BY_NAME(NAME, HP, ERR, TMP) \ { \ (HP) = (gethostbyname_r((NAME), &TMP.ent, &TMP.data) \ ? 0 \ : &TMP.data); \ (ERR) = h_errno; \ } Worked and so did... #define GET_HOST_BY_NAME(NAME, HP, ERR, TMP) \ { \ struct hostent my_h_ent; \ (HP) = (gethostbyname_r((NAME), &TMP.ent, &TMP.data) \ ? 0 \ : &my_h_ent); \ (ERR) = h_errno; \ } Thanks for the help ! I will continue testing with my current install base on AIX. I really appreciate the rapid responses and solutions ! Lamar -----Original Message----- From: Ken Raeburn [mailto:raeburn@MIT.EDU] Sent: Monday, September 18, 2006 5:13 PM To: Marcus Watts Cc: Saxon, Lamar; kerberos@mit.edu Subject: Re: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3 On Sep 18, 2006, at 17:56, Marcus Watts wrote: > Lamar.Saxon@americredit.com writes: > ... >> making all in util... >> making all in util/support... >> cc -I../../include -...

Cannot resolve network address for KDC in requested realm while
Dear sir, When I join the windows 2003 domain using the command kinit, while I am getting the error "cannot resolve network address for KDC is requested realm while getting initial credentials" Another one when I join the windows 2003 domain using the command " net ads join -U administrator" I am getting following error "utils/net_ads.c:ads_startup(186) ads_connect:No such file (or) directory" So kindly send the mail How to rectify this problem. With Regards R.Balaji ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Cannot contact any KDC for requested realm while getting initial credentials
Hi all, I'm having a very strange problem below that I cannot figure out. Any advice would be great to hear. First a block showing the problem, then a block showing that a different machine works perfectly fine (and others I've tested but not showing here for briefness). Basically, the master KDC, rcf-kdc1.foo.com, can't seem to do jack. ============================================================ rcf-kdc1# grep hosts /etc/nsswitch.conf hosts: files dns rcf-kdc1# rcf-kdc1# cat /etc/krb5.conf [libdefaults] default_realm = RCF.FOO.COM forwardable = yes ticket_lifetime = 7d [appdefaults] forwardable = yes [domain_realm] .foo.com = RCF.FOO.COM [realms] RCF.FOO.COM = { kdc = rcf-kdc1.foo.com kdc = rcf-kdc2.foo.com kdc = rcf-kdc3.foo.com admin_server = rcf-kdc1.foo.com } [logging] kdc = FILE:/var/adm/krb5kdc.log admin_server = FILE:/var/adm/kadmin.log default = FILE:/var/adm/krb5lib.log rcf-kdc1# uname -n rcf-kdc1.foo.com rcf-kdc1# nslookup rcf-kdc1.foo.com Server: 1xx.xx.xx.xxx Address: 1xx.xx.xx.xxx#53 Name: rcf-kdc1.foo.com Address: 1xx.xx.xx.yyy rcf-kdc1# kinit -p jblaine kinit(v5): Cannot contact any KDC for realm 'RCF.FOO.COM' while getting initial credentials rcf-kdc1# ps -ef | grep krb5kdc root 6837 1 0 13:21 ? 00:00:00 /var/rcf-kdc1-krb5/sbin/krb5kdc root 14166 2856 0 16:57 pts/0 00:00:00 grep krb5kdc...

MIT Kerberos: Cannot resolve network address for KDC in realm
Hi: I've been having a hard time getting MIT Kerberos up and running on solaris 10. The latest of my problems is this error when i run kinit from the KDC. dsldap01$ /krb5/bin/kinit rob/admin@alezeo.com kinit(v5): Cannot resolve network address for KDC in realm alezeo.com while getting initial credentials This sounds like a DNS problem, but I don't think it is. dsldap01$ host -t A dsldap01.alezeo.com dsldap01.alezeo.com has address 10.93.120.72 Also in my hosts file: 127.0.0.1 localhost 10.93.120.72 dsldap01.alezeo.com dsldap01 loghost Here is my krb5.conf ============= [libdefaults] dns_lookup_realm = false default_realm = ALEZEO.COM ticket_lifetime = 600 kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc [kdc] profile = /krb5/var/krb5kdc/kdc.conf [logging] default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log admin_server = FILE:/var/krb5/adm.log [realms] ALEZEO.COM = { kdc = dsldap01.alezeo.com:88 admin_server = dsldap01.alezeo.com:749 default_domain = alezeo.com } [domain_realm] .alezeo.com = ALEZEO.COM alezeo.com = ALEZEO.COM [login] krb4_convert = 0 Here is my kdc.conf ============ [kdcdefaults] kdc_ports = 88 [realms] alezeo.com = { ...

Re: validating keytab files: Cannot find KDC for requested realm whilegetting initial credentials
Adding "dns_lookup_kdc = true" to the [libdefaults] section of krb5.conf seems to fix the problem. Frank "Frank Balluffi" <frank.balluffi+exter To: kerberos@mit.edu nal@db.com> cc: Sent by: Subject: validating keytab files: Cannot find KDC for requested realm kerberos-bounces@mit. whilegetting initial credentials edu 10/26/2004 04:39 PM ...

kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
Hi! I have set up a kerberos server srv.example.com. This server has address 192.168.180.30. Address resolution works fine on the server and client: srv.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointer srv.example.com. # host client client.example.com has address 192.168.180.6 # host 192.168.180.6 6.180.168.192.in-addr.arpa domain name pointer client.example.com # client.example.com: # host srv srv.example.com has address 192.168.180.30 # host 192.168.180.30 30.180.168.192.in-addr.arpa domain name pointer srv.example.com. # host client client.example.com has address 192.168.180.6 # host 192.168.180.6 6.180.168.192.in-addr.arpa domain name pointer client.example.com # Now from the server: # kinit user kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials and from the client: # kinit user kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials I am a bit lost what's going on here. In /etc/krb5.conf I have: [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = true dns_lookup_realm = true # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true [realms] EXAMPLE.COM = { k...

Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3
Any one had any success compiling KRB5 1.5.1 on AIX 5.2 or 5.3 ? I am experiencing the same errors as a previous poster; but have not seen any solutions. Configure is successful with the following flags: export CC=cc export CFLAGS='-D_LARGE_FILES -DLANL -DLANL_ICN'; export CFLAGS ../configure --prefix=/usr/local/kerberos --enable-dns-for-realm --with-tcl=/usr/local --with-vague-errors Same config I use to compile 1.4.4 successfully with the LANL patches provided by Milton Turley. After running make, I get the following errors: making all in util... making all in util/support... cc -I../../include -I./../../include -I. -I. -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -D_LARGE_FILES -DLA L -DLANL_ICN -qhalt=e -O -D_THREAD_SAFE -c fake-addrinfo.c "fake-addrinfo.c", line 1212.9: 1506-045 (S) Undeclared identifier my_h_ent. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. Same errors on AIX 5.2 as well as AIX 5.3. Also, same errors with CC or GCC 4. Any help is appreciated and I can beta test any patches. Thanks ! Lamar Privileged and Confidential. This e-mail, and any attachments there to, is intended only for use by the addressee(s) named herein and may contain privileged or confidential information. If you have received this e-mail in error, please notify me immediately by a return e-mail and ...

RE: KRB5 1.5 or 1.6 compiled on AIX 5.2/5.3 #3
Thanks. The problem also exist using GNU ld on AIX too. See below: make[2]: Entering directory `/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src/lib/rpc' making all in lib/rpc/unit-test... make[3]: Entering directory `/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src/lib/rpc/unit-test' cc -L../../../lib -blibpath:/usr/local/kerberos/lib::/usr/lib:/lib -g -qhalt=e -O -D_THREAD_SAFE -o client client. o rpc_test_clnt.o \ -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads ld: 0706-006 Cannot find or open library file: -l k5crypto ld:open(): No such file or directory ld: 0706-006 Cannot find or open library file: -l com_err ld:open(): No such file or directory ld: 0706-006 Cannot find or open library file: -l krb5support ld:open(): No such file or directory make[3]: *** [client] Error 255 make[3]: Leaving directory `/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src/lib/rpc/unit-test' make[2]: *** [all-recurse] Error 1 make[2]: Leaving directory `/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src/lib/rpc' make[1]: *** [all-recurse] Error 1 make[1]: Leaving directory `/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src/lib' make: *** [all-recurse] Error 1 root@aoctoolbox:/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src:> whence ld /usr/local/bin/ld root@aoctoolbox:/usr/sys/inst.images/MIT-Kerberos/krb5-1.6/5.3/src:> ld -v GNU ld version 2.16 Lamar -----Original Message----- From: Russ Al...

kerberos v5 setup on AIX 5.3
I am facing some problems in kerberos v5 setup on AIX (For NFSv4 security) Please let me know if anybody has already done this setup. Problem : I get following message on client side : kgss_init_sec_context returned GSS_S_FAILURE KRB5_FCC_NOFILE This error means that cache credential file could not be found but this file exists on client side. Please let me know if there are some good docs on setting up Kerberos on AIX thanks, kiran ...

Re: kinit(v5): Cannot contact any KDC for requested......
I'm also using Kerberos with RH... I don't see your hosts in your principal list... You should add the host, with a random key and store it in /etc/krb5.keytab for every host that's in the realm, including the KDC. That could be the cause of your problem... I'm not sure though I'm also not using DNS. - Jin On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com wrote: > Hi All, > > This is my first email to clug. I hope there's kerberos expert on this > list. > I've been battling with kerberos issues for couple of days. > > I've installed latest kerberos on RH advance server according to > documentation. > Everything seems ok but kerberos client apps like kinit are not working. > > I could run kadmin.local. All important principals are created as well. > > I logged in as root on the same machine where master kdc is running. I've > setup DNS as well but no success. > > I noticed one thing: I did not create principal for root@RTDLINUX.COM. > When > I ran kinit, this is the message I got in krb4kdc.log file: > > Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 > 1 > 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for > krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database > Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated > (retransmitted?) request from 128.1.1.70, resending pre...

RE: [ace-users] ACE 5.3
Hi, 5.3 is ancient, visual age 7 is brand new, I don't think anyone is using this and you problaby will find issues because this is not tested. Regards, Johnny Willemsen Remedy IT Postbus 101 2650 AC Berkel en Rodenrijs The Netherlands www.theaceorb.nl / www.remedy.nl > -----Original Message----- > From: owner-ace-users@cse.wustl.edu > [mailto:owner-ace-users@cse.wustl.edu] On Behalf Of Praveen > Kumar Gulati > Sent: woensdag 19 oktober 2005 9:08 > To: ace-users@cs.wustl.edu > Subject: [ace-users] ACE 5.3 - TAO 1.3 on AIX 5.3 with > compiler Visual Age Version 7.0 > > Hi > > I am trying to build ACE 5.3 - TAO 1.3 on AIX 5.3 with > compiler Visual Age Version 7.0. > > Do you already know some issues in above combination? > > Whether some one is already using above combination? > > Regards > > Praveen Gulati > > ...

Re: kinit(v5): Cannot contact any KDC for requested...... #2
Thanks Jin for the tip. I tried that as well and it did not work. I've stopped using DNS to troubleshoot the problem. Here's principals list: [root@kerberos sample]# /usr/local/sbin/kadmin.local Authenticating as principal muzaffar/admin@RTDLINUX.COM with password. kadmin.local: listprincs K/M@RTDLINUX.COM host/kerberos.rtdlinux.com@RTDLINUX.COM kadmin/admin@RTDLINUX.COM kadmin/changepw@RTDLINUX.COM kadmin/history@RTDLINUX.COM krbtgt/RTDLINUX.COM@RTDLINUX.COM muzaffar/admin@RTDLINUX.COM root@RTDLINUX.COM sample/kerberos.rtdlinux.com@RTDLINUX.COM Here's output from keytab file: [root@kerberos sample]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 4 kadmin/admin@RTDLINUX.COM 4 kadmin/admin@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM _________________________________________________________ Muzaffar Sultan--Telvent muzaffar.sultan@telvent.abengoa.com Ph: (403)-301-5020 |---------+------------------------------> | |xiongj@rpi.edu | | | | |---------+------------------------------> >----------------------------------------------------------------------------------------------------------------------------| | ...

KDC policy rejects request while getting initial credentials
Hello List, when i change the (fully patched 2003 SP1) KDC in krb5.conf to another (fully patched 2003 SP1 :) valid domain-controller in our domain i get : KDC policy rejects request while getting initial credentials , if i do a "kinit myusername" I can lock my account through this KDC with kinit , if i type in the wrong password 3 times, but i dont get a ticket . My windows colleague dont see anything like this in his logs. Google returns 3 results :( http://www.google.de/search?q=%22KDC+policy+rejects+request+while+gettin g+initial+credentials%22&hl=de&lr=&filter=0 Thanks for your help Greets Jakob mailto:jakob.jellbauer@interhyp.de | www.interhyp.de ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: KRB5 1.5 or 1.6 compiled on AIX 5.2/5.3 #5
Phil, Tested on AIX 5.3 TL05 SP4 with XLC++/XLC 8.0 and worked great ! I will be testing on AIX 5.2 TL09 SP3 and AIX 4.3 ML11 here shortly... Thanks for getting this figured out ! Also, appreciate the help from Sam and Martin who were working on it too... Lamar -----Original Message----- From: Phil Pishioneri [mailto:pgp@psu.edu] Sent: Wednesday, February 07, 2007 6:35 PM To: Saxon, Lamar Cc: kerberos@mit.edu Subject: Re: KRB5 1.5 or 1.6 compiled on AIX 5.2/5.3 I've gotten 1.5.x and 1.6 to build and run on AIX 5.2 (domain referral in 1.6 works nicely). So far I have only tested the client commands: klist, kvno, kinit, kdestroy. No 3rd party software tested yet, either. This was done with the IBM VisualAge C++ Professional / C for AIX Compiler, Version 6. The one major change: add LDFLAGS="-brtl" to configure. My configure line was (prefix edited): ./configure --without-krb4 --prefix=... CC=cc LDFLAGS=-brtl There was one problem during the 1.{5,6} builds (1.5 has a bug that's been documented already), it failed in making all in plugins/kdb/db2/libdb2/test... with ld: 0706-006 Cannot find or open library file: -l db ld:open(): A file or directory in the path name does not exist. my quick&dirty fix for that was (starting in .../krb5-1.6/src/): cd lib ln -s ../plugins/kdb/db2/libdb2/libdb.so.1.1 libdb.so.1.1 ln -s libdb.so.1.1 libdb.so -Phil Privileged and Confidential. This e-mail, and any attac...

kinit(v5): KRB5 error code 68 while getting initial credentials
I have a huge problem. I'm trying to install SSO for our intranet web server (Apache 2.0.55) on SuSE Linux 10.0. It's running very fine. But we have some computers which are NOT part of the Active Directory domain, so there the SSO doesn't work. If they paste their usernames into the auth box (firstname.lastname@persona.de) it doesn't work. But the user account exists in the AD. If they paste the real username (e.g. firstname.lastname@KONZERN.INTERN) it works fine.

The problem: The user doesn't know his real AD name. He knows just his email address (firstname.lastname@persona.de).

Anyone a solution?

My krb5.conf

"[libdefaults]
    default_realm = KONZERN.INTERN
    clockskew = 300

[realms]
KONZERN.INTERN = {
    kdc = w2kroot.konzern.intern
    default_domain = konzern.intern
    admin_server = w2kroot
}
persona.de = {
    kdc = w2kroot.konzern.intern
    default_domain = konzern.intern
    admin_server = w2kroot
}

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[domain_realm]
    .konzern.intern = KONZERN.INTERN

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
...

RE: kinit: KRB5 error code 52 while getting initial credentials
Thanks for the update Will. I'll look into Solaris 10...

> Date: Mon, 9 Jul 2007 15:43:48 -0500
> From: William.Fiveash@sun.com
> To: rfbass16@hotmail.com
> CC: kerberos@mit.edu
> Subject: Re: kinit: KRB5 error code 52 while getting initial credentials
>
> On Wed, Jul 04, 2007 at 05:56:56PM +0000, Ron Bass II wrote:
> >
> > I'm getting the following error on a Solaris 8 machine: kinit: KRB5
> > error code 52 while getting initial credentials
> >
> > So far my analysis shows this error to indicate the following: 0x34 -
> > KRB_ERR_RESPONSE_TOO_BIG - Too much data
> >
> > According to a number of forums, some inherent limitations exist with
> > the Solaris 8 version of Kerberos concerning the number of group
> > memberships a user may have. In my Active Directory, each user is a
> > member of possibly many groups. To confirm this, I created a simple
> > user with only membership to "Domain Users" and was able to run kinit
> > without issue. Also, I've seen a number of forums reporting that the
> > native version of Kerberos in Solaris 8 does not support TCP.
> > Apparently by default, once the package size of a Kerberos ticket
> > reaches a specified max, TCP should be used.
>
> Support for TCP in Solaris Kerberos was introduced in Solaris 10.
>
> > I have the following Kerberos packages loaded: SUNWk5pk kernel
> ...

RE: kinit request on keytab fails using 2K3sp1 KDC #3
>From the determined kvno information, I am worried that starting again
>will not resolve my issue. Assuming that the kvno is reset to 1, using
>kvno and klist to determine the version number should return similar
>results to above, but showing the number to be 1. What would the
>difference be and would it resolve the pre-authentication issue?

We found that even if we start again, we could not get the pre-auth to work.

Tim Alsop wrote:
>>From the determined kvno information, I am worried that starting again
>> will not resolve my issue. Assuming that the kvno is reset to 1, using
>> kvno and klist to determine the version number should return similar
>> results to above, but showing the number to be 1. What would the
>> difference be and would it resolve the pre-authentication issue?
>
> We found that even if we start again, we could not get the pre-auth to
> work.

The most important new functionality in the W2K SP1 version of KTPASS is that it allows you to export RC4-based keys instead of DES. Did you try using RC4 keys or were you only interested in using single DES?

Jeffrey Altman
...

RE: kinit: KRB5 error code 52 while getting initial credentials #2
Any chance the Kerberos libs from Solaris 10 can port back to Solaris 8? Some limitations have arisen such that an upgrade to Solaris 10 is not possible yet. Is there any way to patch the Solaris 8 Kerberos???

Thanks
Ron

> Date: Wed, 11 Jul 2007 11:42:49 -0500
> From: William.Fiveash@sun.com
> To: rfbass16@hotmail.com
> CC: William.Fiveash@sun.com; kerberos@mit.edu
> Subject: Re: kinit: KRB5 error code 52 while getting initial credentials
>
> On Wed, Jul 11, 2007 at 01:10:19AM +0000, Ron Bass II wrote:
> >
> > Thanks for the update Will. I'll look into Solaris 10...
>
> Note that there have been a number of updates (some security related)
> released for Solaris 10 so make sure you get the latest bits.
>
> --
> Will Fiveash
> Sun Microsystems Inc.
> Austin, TX, USA (TZ=CST6CDT)
...

error : kinit(v5) : KRB5 error code 52 while getting initial credentials
Hello all,

I am Sunil C. I have a domain named xx.com which has a KDC. I also have a domain co.yy where my server is. There is no KDC in it. Users are in the xx.com domain, but my servers are in the (co.yy) domain.

I had set up a test scenario with a user and a server in domain (xx.com). Since the KDC was set up, I got a ticket and was able to authenticate well using Kerberos.

My issue is that all my production servers are in domain (co.yy), which doesn't have a KDC. I want to authenticate and use the server services in that domain. Setting up a KDC is not feasible in both domains for me.

Now I have done some configuration in the krb5.conf file on my server (test.co.yy):

    [domain_realm]
    xx.com = XX.COM
    ..xx.com = XX.COM
    co.yy = XX.COM
    ..co.yy = XX.COM

This shows that my domain co.yy, which does not have a KDC, I have mapped to the realm XX.COM. Now I have some issues.

1) I tried to get a keytab from the KDC of XX.COM (my server in co.yy)

    > ktpass -princ HTTP/test.co.yy@XX.COM

2) I somehow managed to get a keytab. I copied it into the Apache folder and executed the command:

    kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
    password: xxxx
    error : kinit(v5) : KRB5 error code 52 while getting initial credentials

Please help me understand what this error is. Is it some issue with the domain mapping configuration in the krb5.conf file? I am using Kerberos 1.2.7 version.

Thanks in advance
Sunil C

Sunil Chandrasekharan wrote:
> Hello all,
> i am Sunil C. i have a domain named...
