


Re: kinit(v5): Cannot contact any KDC for requested......

I'm also using Kerberos with RH...
I don't see your hosts in your principal list...
You should add the host, with a random key and store it in /etc/krb5.keytab
for every host that's in the realm, including the KDC.
That could be the cause of your problem... 
I'm not sure though I'm also not using DNS.

- Jin

On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com
wrote:

> Hi All,
> 
> This is my first email to clug. I hope there's kerberos expert on this
> list.
> I've been battling with kerberos issues for couple of days.
> 
> I've installed latest kerberos on RH advance server according to
> documentation.
> Everything seems ok but kerberos client apps like kinit are not working.
> 
> I could run kadmin.local. All important principals are created as well.
> 
> I logged in as root on the same machine where master kdc is running. I've
> setup DNS as well but no success.
> 
> I noticed one thing: I did not create principal for root@RTDLINUX.COM.
> When I ran kinit, this is the message I got in krb4kdc.log file:
> 
> Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database
> Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response
> 
> When I created this principal, krb5kdc dies silently (no message in log).
> It seems like kinit is communicating with kdc but somehow krb5kdc process
> crashes.
> 
> when I run kinit. kinit complains with this error:
> kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
> 
> Here's my krb5.conf file:
> [root@kerberos krb5kdc]# more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = RTDLINUX.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> 
> [realms]
>  RTDLINUX.COM = {
>   kdc = kerberos.rtdlinux.com:88
>   admin_server = kerberos.rtdlinux.com:749
>   default_domain = rtdlinux.com
>  }
> 
> [domain_realm]
>  .rtdlinux.com = RTDLINUX.COM
>  rtdlinux.com = RTDLINUX.COM
> 
> 
> [kdc]
>  profile = /usr/local/var/krb5kdc/kdc.conf
> 
> [pam]
>  debug = false
>  ticket_lifetime = 36000
>  renew_lifetime = 36000
>  forwardable = true
>  krb4_convert = false
> 
> Here's kdc.conf file contents:
> [root@kerberos krb5kdc]# more /usr/local/var/krb5kdc/kdc.conf
> [kdcdefaults]
>	  kdc_ports = 88,750
> 
> [realms]
>	  RTDLINUX.COM = {
>		  database_name = /usr/local/var/krb5kdc/principal
>		  admin_keytab = /etc/krb5.keytab
>		  acl_file = /usr/local/var/krb5kdc/kadm5.acl
>		  key_stash_file = /usr/local/var/krb5kdc/.k5.RTDLINUX.COM
>		  kadmin_port = 749
>		  kdc_ports = 88,750
>		  max_life = 10h 0m 0s
>		  max_renewable_life = 7d 0h 0m 0s
>		  master_key_type = des3-hmac-sha1
>		  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>	  }
> 
> These are the principals:
> K/M@RTDLINUX.COM
> kadmin/admin@RTDLINUX.COM
> kadmin/changepw@RTDLINUX.COM
> kadmin/history@RTDLINUX.COM
> krbtgt/RTDLINUX.COM@RTDLINUX.COM
> muzaffar/admin@RTDLINUX.COM
> root@RTDLINUX.COM
> 
> Please help me if anybody has any clue.
> 
> Thanks in advance.
> _________________________________________________________
> Muzaffar Sultan--Telvent
> muzaffar.sultan@telvent.abengoa.com
> Ph: (403)-301-5020
> 
> ________________________________________________
> Kerberos mailing list 	  Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






xiongj (7)
11/13/2003 5:21:41 PM
comp.protocols.kerberos
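
A triage helper for the krb5kdc log lines and the kdc.conf quoted in the message above, added here as an example (it is not code from the thread or from MIT Kerberos). It tallies failed AS_REQs and retransmissions per client, and lists which client-offered enctypes the KDC's supported_enctypes also allows, flagging single DES. The function names are assumptions of this example, and the inline sample is copied from the quoted post with its line wraps joined.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA assignments) for the values in the AS_REQ.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Names as written in kdc.conf; des3-hmac-sha1 is MIT's alias for etype 16.
CONF_NAMES = {name: num for num, name in ETYPE_NAMES.items()}
CONF_NAMES.update({"des3-hmac-sha1": 16, "rc4-hmac": 23})
WEAK = {1, 2, 3}  # single-DES enctypes, deprecated by RFC 6649

# Matches failure lines of the shape quoted in the post:
#   ... krb5kdc[pid](info): AS_REQ (N etypes {...}) addr: STATUS: client for server, text
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+)"
)
DISPATCH = re.compile(r"DISPATCH: repeated \(retransmitted\?\) request from (\S+),")

# Sample input: the two log lines and the enctype setting from the quoted post.
SAMPLE_LOG = """\
Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database
Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response
"""
SAMPLE_KDC_CONF = "supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal\n"


def supported_enctypes(kdc_conf):
    """Return the set of etype numbers named in supported_enctypes (salt ignored)."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.M)
    found = set()
    if m:
        for entry in m.group(1).split():
            name = entry.split(":", 1)[0].lower()
            if name in CONF_NAMES:
                found.add(CONF_NAMES[name])
    return found


def triage(log_text, kdc_conf):
    """Summarise failed AS_REQs, retransmits and the enctype overlap."""
    supported = supported_enctypes(kdc_conf)
    failures, retransmits = Counter(), Counter()
    common = []  # etypes both sides accept, in the client's preference order
    for line in log_text.splitlines():
        req = AS_REQ.search(line)
        if req:
            if req["status"] != "ISSUE":
                failures[(req["status"], req["client"], req["addr"])] += 1
            for etype in map(int, req["etypes"].split()):
                if etype in supported and etype not in common:
                    common.append(etype)
            continue
        dup = DISPATCH.search(line)
        if dup:
            # A retransmit means the client did not see (or accept) the first reply.
            retransmits[dup.group(1)] += 1
    return {
        "failures": failures,
        "retransmits": retransmits,
        "common_etypes": [ETYPE_NAMES[e] for e in common],
        "weak_common": [ETYPE_NAMES[e] for e in common if e in WEAK],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_KDC_CONF)
    for (status, client, addr), count in report["failures"].items():
        print(f"{count}x {status} {client} from {addr}")
    for addr, count in report["retransmits"].items():
        print(f"{count}x retransmitted request from {addr}")
    print("enctypes both sides accept:", ", ".join(report["common_etypes"]))
    print("single-DES among them:", ", ".join(report["weak_common"]) or "none")
```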

Similar Articles:

Re: kinit(v5): Cannot contact any KDC for requested...... #2
Thanks Jin for the tip. I tried that as well and it did not work. I've stopped using DNS to troubleshoot the problem.

Here's principals list:

[root@kerberos sample]# /usr/local/sbin/kadmin.local
Authenticating as principal muzaffar/admin@RTDLINUX.COM with password.
kadmin.local: listprincs
K/M@RTDLINUX.COM
host/kerberos.rtdlinux.com@RTDLINUX.COM
kadmin/admin@RTDLINUX.COM
kadmin/changepw@RTDLINUX.COM
kadmin/history@RTDLINUX.COM
krbtgt/RTDLINUX.COM@RTDLINUX.COM
muzaffar/admin@RTDLINUX.COM
root@RTDLINUX.COM
sample/kerberos.rtdlinux.com@RTDLINUX.COM

Here's output from keytab file:

[root@kerberos sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 kadmin/admin@RTDLINUX.COM
   4 kadmin/admin@RTDLINUX.COM
   4 kadmin/changepw@RTDLINUX.COM
   4 kadmin/changepw@RTDLINUX.COM
   2 host/kerberos.rtdlinux.com@RTDLINUX.COM
   2 host/kerberos.rtdlinux.com@RTDLINUX.COM

_________________________________________________________
Muzaffar Sultan--Telvent
muzaffar.sultan@telvent.abengoa.com
Ph: (403)-301-5020
...

kinit(v5): Cannot contact any KDC for requested ...
Hi,

I am trying to setup kerberos, but I am getting the above problem. My krb5.conf file is attached. Could you please help. I had run the following commands.

# kdb5_util create -r chitta.cse.krb -s
# kadmin.local -q "addprinc admin/admin"
# kadmin.local -q "addprinc kuser"
# kadmin.local -q "getprincs"
K/M@chitta.cse.krb
admin/admin@chitta.cse.krb
kadmin/admin@chitta.cse.krb
kadmin/changepw@chitta.cse.krb
kadmin/history@chitta.cse.krb
kadmin/localhost@chitta.cse.krb
krbtgt/chitta.cse.krb@chitta.cse.krb
kuser@chitta.cse.krb

--
Chitta Mandal <chitta@iitkgp.ac.in>
IIT Kharagpur

Attachment: krb5.conf

[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log
 default = SYSLOG:INFO:USER

[libdefaults]
 ticket_lifetime = 24000
 default_realm = chitta.cse.krb
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = true
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 chitta.cse.krb = {
  kdc = chitta.cse.iitkgp.ernet.in:88
  admi...

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf; + #else /* _AIX */ + struct { struct __res_state s; char pad[1024]; } statbuf; + #endif /* AIX */ + #endif /* LANL */ #endif struct krb5int_dns_state *ds; int len, ret; LOCATE_KDC.C Patch: >*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May 5 08:06:45 2005 >--- ./src/lib/krb5/os/locate_kdc.c Thu May 5 11:34:27 2005 >*************** >*** 267,275 **** >--- 267,283 ---- > memset(&hint, 0, sizeof(hint)); > hint.ai_family = family; > hint.ai_socktype = socktype; >+ #ifndef LANL > #ifdef AI_NUMERICSERV > hint.ai_flags = AI_NUMERICSERV; > #endif >+ #else /* LANL */ >+ #ifndef _AIX >+ #ifdef AI_NUMERICSERV >+ hint.ai_flags = AI_NUMERICSERV; >+ #endif >+ #endif /* _AIX */ >+ #endif /* LANL */ > sprintf(portbuf, "%d", ntohs(port)); > sprintf(s...
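
Review bot: In the dnsglue.c hunk, the AIX branch pads `statbuf` with `char pad[1024]`, but nothing in the hunk says why the padding is needed or why 1024 bytes; add a comment giving the reason and how the size was chosen, because a guessed pad stops protecting the stack as soon as the real requirement grows. The closing `#endif /* AIX */` should read `_AIX` to match its `#ifndef _AIX`, and since the `#ifndef LANL` branch repeats the non-AIX declaration, a single `#ifdef _AIX` / `#else` would say the same thing with one level of nesting.

Review bot: In the locate_kdc.c hunk, `hint.ai_flags = AI_NUMERICSERV` is skipped on AIX only when `LANL` is also defined, so a stock AIX build still sets the flag; if the flag is what fails on AIX, key the guard on `_AIX` alone and say so in a comment. The unchanged `sprintf(portbuf, "%d", ntohs(port));` in the trailing context would be safer as `snprintf` bounded by `sizeof(portbuf)`.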

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: kinit request on keytab fails using 2K3sp1 KDC
David, The easiest solution to this problem is to use the ktpass which was shipped with Windows 2003, and not the one with SP1. Alternatively, you can use one of the many tools available that replace the need for ktpass, and use computer accounts for key storage. These tools do not suffer from the same issues as ktpass. It seems that the sp1 version of ktpass stores a key with a specific kvno in the keytab file, and the kvno in the domain controller for the same principal is different. This is why you cannot use the keytab file to authenticate. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 22 March 2006 17:09 To: kerberos@mit.edu Subject: kinit request on keytab fails using 2K3sp1 KDC Hello, I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC; ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab" The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transfered the keytab to /etc/krb5.keytab. When I run ; #/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK I get the following error; kinit(v5): Preauthentication failed while getting initial credentials I am able to obtain a ticket directly ...

RE: kinit request on keytab fails using 2K3sp1 KDC #3
>From the determined kvno information, I am worried that starting again >will not resolve my issue. Assuming that the kvno is reset to 1, using >kvno and klist to determine the version number should return similar >results to above, but showing the number to be 1. What would the >difference be and would it resolve the pre-authentication issue? We found that even if we start again, we could not get the pre-auth to work. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Tim Alsop wrote: >>From the determined kvno information, I am worried that starting again >> will not resolve my issue. Assuming that the kvno is reset to 1, using > >> kvno and klist to determine the version number should return similar >> results to above, but showing the number to be 1. What would the >> difference be and would it resolve the pre-authentication issue? > > We found that even if we start again, we could not get the pre-auth to > work. The most important new functionality in the W2K SP1 version of KTPASS is that it allows you to export RC4-based keys instead of DES. Did you try using RC4 keys or were you only interested in using single DES? Jeffrey Altman ...

RE: kinit request on keytab fails using 2K3sp1 KDC #4
David, I have seen this problem before. It does not occur with the pre-SP1 version of ktpass. Conclusion : If you want to create keytable files which have correct kvno's and which work correctly with des, then you must use the pre-SP1 version of ktpass. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 17:39 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Jeffrey Altman wrote: > Why do you need the kvno to be 1? It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC. > For example, what is the enctype of the service ticket issued by the > KDC? Does that match the enctype of the keytab entry you are using? > > What do the following commands output? > > klist -e -k /etc/krb5.keytab > > kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK > klist -e > This appears to be the problem, the keytab is being generated with DES CBD MD5, the service principal is sending an ArcFour encrypted tgt. The reason this never occured to me is that the user account has the 'use DES encryption for this account' setting ticked. I have tried the following process to force the service principal to be DES; 1 - create account 2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5 options set. 3 - view account properites and ensure that 'use DES encryption f...

RE: kinit request on keytab fails using 2K3sp1 KDC #2
David, Like yourself we spent many days/weeks trying to get the sp1 version of ktpass to work, but we could not, so we have developed our own replacement product that uses computer accounts instead. Cheers, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 09:47 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Richard E. Silverman wrote: > > TA> It seems that the sp1 version of ktpass stores a key with a > TA> specific kvno in the keytab file, and the kvno in the domain > TA> controller for the same principal is different. This is why you > TA> cannot use the keytab file to authenticate. > > Yes; it always sets the kvno in the keytab it writes to 1, regardless of > the value in the KDB (which of course changes each time the key is > extracted). So, you can only use the keytab the first time you extract > it. If you have to do it again, just delete the principal and re-create > it. I am not sure whether this is the issue or not, I may be doing something wrong but I have used the following procedure to determine the kvno of both the keytab and the service principal. To determine the KDC principal kvno; #./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK --->prompted for system user password #./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3 To determine...

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1.4.2. My krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.NET clockskew = 300 [realms] EXAMPLE.NET = { kdc = foo.example.net:88 admin_server = foo.example.net:749 default_domain = example.net kpasswd_server = foo.example.net } [domain_realm] .example.net = EXAMPLE.NET example.net = EXAMPLE.NET [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Trying to analyze with tcpdump I s...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...

AD KDC - msktutil
Hi, I have this error (see subject) when using msktutil. Any idea what's wrong with my setup? (I've replaced hostnames and OU structure) /etc/krb5.conf (part) ========== [libdefaults] default_realm = EXAMPLE.ORG dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.ORG = { default_domain = msnet.railb.be kdc = ictdc01.example.org admin_server = ictdc01.example.org admin_keytab = FILE:/etc/krb5.keytab } [domain_realm] .example.org = EXAMPLE.ORG example.org = EXAMPLE.ORG msktutil --create -h tstweb01 -b "OU=Linux Servers" --server ictdc01 -- verbose -- init_password: Wiping the computer password structure -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/ krb5.keytab -- create_fake_krb5_conf: Created a fake krb5.conf file: / tmp/.msktkrb5.conf-fbUui1 -- reload: Reloading Kerberos Context -- get_short_hostname: Determined short hostname: tstweb01 -- finalize_exec: SAM Account Name is: tstweb01$ -- try_machine_keytab_princ: Trying to authenticate for tstweb01$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/ tstweb01.example.org from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos ...

Cannot contact any KDC for the requested realm
Hi, I'm having trouble with the kerberos server again... When I request a tgt or something for the first time it always gives me the "Cannot contact any KDC for the requested realm", but if i make the same request again (after a sec), all is fine. Do you know of anything that can cause this? Thanks. You do not have a REALM entry in your krb5.conf file for the realm you are attempting to contact, so DNS is being used. But the local DNS server does not have the data and must propagate a query. The network has a long propagation delay and therefore the Kerberos client times out before the response arrives. The second time you attempt the tgt request, the local DNS server has the response cached so the response arrives before the timeout period. Noolyg wrote: > Hi, > > I'm having trouble with the kerberos server again... > When I request a tgt or something for the first time it always gives > me the "Cannot contact any KDC for the requested realm", but if i make > the same request again (after a sec), all is fine. > > Do you know of anything that can cause this? > > Thanks. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Thanks for the answer, I think you are right about the DNS, but i have the REALM entry in the krb5.ini (windows) it looks like that: [libdefaults] default_realm = MYREALM default_tgs_enctyp...

RE: Problem Contact KDC
In the files krb5.conf, I wrote:

.....
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
.....

I understood that when the client asks for a ticket, it extracts the kdc address from krb5.conf (kerberos.example.com).

-----Original Message-----
From: Ken Raeburn [mailto:raeburn@MIT.EDU]
Sent: Wednesday, 23 April 2008 17:31
To: zze-CHAARI Mohamed RD-CORE-ISS
Cc: kerberos@mit.edu
Subject: Re: Problem Contact KDC

On Apr 23, 2008, at 10:25, <mohamed.chaari@orange-ftgroup.com> <mohamed.chaari@orange-ftgroup.com> wrote:
> **In the file example.zone:
>
> .... IN SOA example.com. root.example.com.
> ...
> ..
> IN NS example.com
> Kerberos IN A 192.168.1.254
> ...
>
> Other files of Kerberos are not changed.
>
> Can anyone help me please?

See http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS for some examples of how to set up SRV records to point to the KDC. We don't look up address records for a host named "kerberos" unless DNS SRV records or the config file says that that is the name of your KDC.

Ken ...

Help: Cannot contact any KDC for requested realm
Hi, I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents. LoadModule auth_kerb_module modules/mod_auth_kerb.so <Location /opendcim> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms FOOBAR.COM KrbVerifyKDC On Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab require valid-user </Location> And here's /etc/krb5.conf: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = FOOBAR.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] FOOBAR.COM = { kdc = kerberos.foobar.com:88 admin_server = kerberos.foobar.com:749 } [domain_realm] foobar.com = FOOBAR.COM .foobar.com = FOOBAR.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } foobar.com is a pseudo domain name in my testing env. When the user access the foobar.com/opendcim it will prompt username and passoword window. However, after user's input it will prompt that window again. I checked the log in ssl_error_log I found following details. [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6] krb5_get_init_creds_password() failed: Cannot contact any KDC for requested realm...

Re: problem with kerberos v5 building
Hii Ken, Thanks for your reply.I have configured kerberos again with TCL support as: $ ./configure --with-tls=/usr --without-kerberos There were no errors in this step again. Now a new error was occured in "make" step: $ make The output of this command(Partial) is: tcl_ovsec_kadm.c:1292: error: syntax error before "clientData" tcl_ovsec_kadm.c: In function `tcl_ovsec_kadm_chpass_principal': tcl_ovsec_kadm.c:1302: error: `TCL_OK' undeclared (first use in this function) tcl_ovsec_kadm.c:1305: error: `argv' undeclared (first use in this function) tcl_ovsec_kadm.c:1305: error: `argc' undeclared (first use in this function) tcl_ovsec_kadm.c:1305: warning: left-hand operand of comma expression has no eff ect tcl_ovsec_kadm.c:1305: error: `interp' undeclared (first use in this function) tcl_ovsec_kadm.c:1305: error: `TCL_ERROR' undeclared (first use in this function ) tcl_ovsec_kadm.c:1305: warning: left-hand operand of comma expression has no eff ect tcl_ovsec_kadm.c:1305: warning: left-hand operand of comma expression has no eff ect tcl_ovsec_kadm.c: At top level: tcl_ovsec_kadm.c:1349: error: syntax error before "clientData" tcl_ovsec_kadm.c: In function `tcl_ovsec_kadm_chpass_principal_util': tcl_ovsec_kadm.c:1362: error: `TCL_OK' undeclared (first use in this function) tcl_ovsec_kadm.c:1364: error: `argv' undeclared (first use in this function) tcl_ovsec_kadm.c:1364: error: `argc' undeclared ...

KDC not included with Kerberos V5 for Windows?
Hi, Am I correct in concluding that there isn't a KDC binary for DOS/Windows (or kadmin, KDB5_Util etc)? I can't find facility to add the principal database or any info relevant to the KDC in Leash Docs. Assume that one needs a xNIX machine to host KDCs & run the UTILS. Have plouched through the volumes of relevant docs and all seem to refer to xNIX. Is the above correct or am I missing something? Thanks Robert ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos bfraser@tpg.com.au wrote: > Am I correct in concluding that there isn't a KDC binary for > DOS/Windows (or kadmin, KDB5_Util etc)? Yes. <<CDC ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Re: Re: v5 for Mac
The first of these --- the (not) rotated text bug --- has not been fixed either. Another bizarre bug has popped up in 5.0: In text cells, lines are sometimes broken after apostrophes. So a word like can\[CloseCurlyQuote]t will break between \[CloseCurlyQuote] and t. Astonishing. I wonder if that happens in Windows too. ----- Selwyn Hollis http://www.math.armstrong.edu/faculty/hollis On Saturday, August 23, 2003, at 08:08 AM, Gary L. Gray wrote: > In article <bfgauh$8bi$1@smc.vnet.net>, > "Joshua A. Solomon" <J.A.Solomon@city.ac.uk> w...

Re: KDC does not accept requests through loopback interface
On Feb 20, 12:40pm, avillarrealpouw@netscape.net wrote: } Subject: KDC does not accept requests through loopback interface > Hello, group: Good morning, hope your day is going well. > I have been testing the Fedora distribution of Kerberos and tripped > on a problem: after upgrading from Fedora core 3 to Fedora core 4 in > my KDC the KDC stopped receiving requests for tickets through the > loopback interface. MIT stopped having their KDC listen on loopback a while ago. It is mildly irritating especially when doing laptop based development. The following patch is against 1.4.3 but should pretty much fit against 1.4.1. Apply the patch and rebuild krb5kdc and you will be able to use the loopback interface. Cut here. ----------------------------------------------------------------- diff -urN v1.4.3/krb5-1.4.3/src/lib/krb5/os/localaddr.c krb5-1.4.3/src/lib/krb5/os/localaddr.c --- v1.4.3/krb5-1.4.3/src/lib/krb5/os/localaddr.c Wed Oct 6 18:51:21 2004 +++ krb5-1.4.3/src/lib/krb5/os/localaddr.c Thu Nov 24 07:28:17 2005 @@ -584,6 +584,7 @@ } /*@=moduncon@*/ +#if 0 #ifdef IFF_LOOPBACK /* None of the current callers want loopback addresses. */ if (lifreq.lifr_flags & IFF_LOOPBACK) { @@ -591,6 +592,7 @@ goto skip; } #endif +#endif /* Ignore interfaces that are down. */ if ((lifreq.lifr_flags & IFF_UP) == 0) { Tprintf ((" down\n")); @@ -972,12 +974,14 @@ } /*@=moduncon@*/ +#if 0 #ifdef I...
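
Review bot: The `#if 0` added at line 584 of src/lib/krb5/os/localaddr.c switches off the IFF_LOOPBACK skip for every caller of this library routine, while the comment left inside the disabled block still reads "None of the current callers want loopback addresses"; a switch scoped to the KDC's listener setup would be narrower than changing the shared address enumeration. If the `#if 0` stays, update that comment and label the added `#endif` (for example `#endif /* 0 */`) so the nested pair closed at line 591 is readable.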

Cannot contact any KDC for requested realm (error 156)
Hi, I am new to Kerberos. I have set up the Kerberos server on a Linux box. The KDC and Kadmin deamons are running. I have also downloaded Kerberos for Windows on another machine running Windows XP and am trying to login to the KDC and get tickets using Leash. But when I try to login I get the following error message Cannot contact any KDC for requested realm (error 156) Can somebody please help me with the problem. Thanks, Dominic ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Did you configure the %WINDIR%\KRB5.INI to specify the location of the kdc in the realm? Dominic Komareddy wrote: > Hi, > I am new to Kerberos. I have set up the Kerberos server on a Linux box. The KDC and Kadmin deamons are running. I have also downloaded Kerberos for Windows on another machine running Windows XP and am trying to login to the KDC and get tickets using Leash. But when I try to login I get the following error message > Cannot contact any KDC for requested realm (error 156) > > Can somebody please help me with the problem. > > > > Thanks, > > Dominic > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- ----------------- This e-mail account is not read on a regular basis. Please send private responses to jaltman at m...

RE: Kerberos error 52 (0x34) when using kinit
Hello Douglas, Thanx for the response. I'll get the latest version from MIT and try again. Regards, Bruce. -----Original Message----- From: Douglas E. Engert [mailto:deengert@anl.gov] Sent: Friday, December 10, 2004 8:57 AM To: Wells, Bruce Cc: kerberos@mit.edu Subject: Re: Kerberos error 52 (0x34) when using kinit Wells, Bruce wrote: > Hello All, > I'm getting the above error when I try to get the initial ticket using > kinit. The KDC is Windows 2003 and the client is running on linux. My > understanding of kerberos and the KDC in particular is that if the KDC > can't send the response back via UDP it will switch over to TCP. My > question is this: Does the client need to programmactically take an > action if it recieves this error or will this be taken care of "under > the hood"? Also the client side (linux), is there a way to force the > communication to occur using TCP? Depends on the release of the Kerberos. MIT 1.2.x did not support TCP, 1.3.x does. Its a recent addition to Java as well. Theylibs wil switch as needed. The krb5.conf [libdefaults] udp_preference_limit = nnn can be used to tell the client to use TCP if the message is over nnn bytes. Setting to 1 in effect says try TCP first. The problem is the ticket is large due to the PAC being included from AD. (IIRC) W2003 servers have a lower cut over size then W2000 servers. > > TIA, > Bruce E. Wells > > -----------------------------...

RE: Kerberos error
Problem solved!

The trouble was the 'realm' parameter should have been named "OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in the Active Directory tools area, but I learned that the Kerberos domain name is always the domain name (ollusa.edu) in upper case. By viewing the event logs on the AD server, I found a successful login that had used the OLLUSA.EDU realm, so that provided the necessary clue.

Paul

From: Lamping, Paul A
Sent: Thursday, October 29, 2009 5:46 PM
To: 'kerberos@mit.edu'
Subject: Kerberos error - KDC reply did not match expectations

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to authenticate against a Windows 2003 Active Directory server via Kerberos. I followed the instructions from the IBM website on Kerberos integration (http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).

Whatever I do, I can't get my Kerberos user to authenticate when I login or su to that user. I get an "unable to authenticate" message and the "KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 ollad...

Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Hi All,

I am having a problem getting a fresh Centos 6.2 machine to join our AD domain. I have installed a base machine with minimal server profile in centos. It's running the krb5-workstation that comes with centos, krb5-workstation-1.9-22.el6_2.1.x86_64. We are running a windows 2008 r2 AD cluster with windows 7 and windows xp clients. Long term is to get this working for squid authentication.

klist:

[root@squid-k net]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: asdwyer@OURCOMPANY.EXAMPLE

Valid starting     Expires            Service principal
03/08/12 14:56:01  03/09/12 00:56:03  krbtgt/OURCOMPANY.EXAMPLE@OURCOMPANY.EXAMPLE
        renew until 03/15/12 14:56:01

Setup krb5.conf with:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OURCOMPANY.EXAMPLE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 OURCOMPANY.EXAMPLE = {
  kdc = dc-hbt-01.ourcompany.example
  kdc = dc-hbt-02.ourcompany.example
  admin_server = dc-hbt-01.ourcompany.example
 }

[domain_realm]
 .ourcompany.example = OURCOMPANY.EXAMPLE
 ourcompany.example = OURCOMPANY.EXAMPLE

When I run msktutil:

[root@squid-k ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid-k.ourcompany.example -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid-k.ourcompany.example --server dc-hbt-01.ourcompany.examp...
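
The client-side causes raised in the threads above (no KDC listed for the default realm, a realm name that is not the full DNS domain in upper case, udp_preference_limit left unset) can be checked mechanically before looking at the KDC itself. The following Python is an added example, not code from any poster or from MIT Kerberos; the function names, the finding codes and the sample file (including the placeholder host dc.example) are assumptions, and the parser reads only the krb5.conf subset that appears in these posts.

```python
import re
# Constructed sample, not from the page: short realm, no matching [realms] entry.
BAD = """
[libdefaults]
 default_realm = OLLUSA
 dns_lookup_kdc = false
[realms]
 OLLUSA.EDU = {
  kdc = dc.example
 }
"""

def parse_krb5_conf(text):
    """Parse [section], 'key = value' and 'REALM = { ... }' lines only."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, block = conf.setdefault(head.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def lint(text):
    """Return finding codes (names are this example's own) for a krb5.conf."""
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm", [""])[0]
    dns_off = lib.get("dns_lookup_kdc", [""])[0].lower() in {"false", "no", "off", "0"}
    entry = realms.get(realm)
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    codes = []
    if not realm:
        codes.append("no-default-realm")
    elif realm != realm.upper() or "." not in realm:
        codes.append("realm-not-upper-case-dns-domain")  # AD heuristic from the OLLUSA thread
    if realm and not kdcs and dns_off:
        codes.append("no-kdc-for-default-realm")  # no kdc line, and DNS lookup is disabled
    if "udp_preference_limit" not in lib:
        codes.append("udp-preference-limit-unset")  # informational: 1 means try TCP first
    return codes
```

Calling lint(BAD) reports all three findings; the krb5.conf from the Centos post, with udp_preference_limit added, reports none.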
