This question about LDAP: More info required
Using Kerberos and Windows 2003
Hi, I've got some trouble with my Kerberos, I think....
Here is my krb5.conf:
[libdefaults]
default_realm = AVIWIKI
[realms]
AVIWIKI = {
kdc = srvwiki.aviwiki.lum:88
admin_server = srvwiki.aviwiki.lum:749
default_domain = AVIWIKI
}
[domain_realm]
.aviwiki.lum = AVIWIKI
aviwiki.lum = AVIWIKI
and when I test a user I get this:
root@srvwiki:/home/hazbyne# kinit [email protected]
Password for [email protected]:
When I want to see the ticket:
root@srvwiki:/home/hazbyne# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
11/02/10 20:06:00 11/03/10 06:03:59 krbtgt/[email protected]
renew until 11/03/10 20:06:00
root@srvwiki:/home/hazbyne#
But when I try to test the http.keytab:
root@srvwiki:/home/hazbyne# kinit -k -t /etc/apache2/http.keytab HTTP/srvwiki.aviwiki.lum
kinit: Cannot contact any KDC for realm 'AVIWIKI' while getting initial credentials
I get the error message: Cannot contact any KDC for realm 'AVIWIKI' while getting initial credentials
Can someone help me?
Thanks
I would triple-check the krb5.conf. You are getting the error
Cannot contact any KDC
so it might be a reachability thing. The title of this question suggests you are using Windows 2003, but I notice in your /etc/krb5.conf the KDC looks like it references a server called srvwiki, where you're also running kinit from.
I can also see that kinit is calling a realm called AVIWIKI.LUM and your krb5.conf defines a KDC handler for a realm called AVIWIKI. Which realm is defined in your KDC?
Suggest you double-check the servers you have configured in krb5.conf. The kinit that works might be locating the KDC using SRV records after a failed connection attempt, but perhaps the kinit with the keytab might be failing before that.
A few things I would generally check are:
- Is the principal visible without adding the keytab? Can you get a TGT like this:
root@srvwiki:/home/hazbyne# kinit HTTP/srvwiki.aviwiki.lum@AVIWIKI
- What do the entries in the keytab look like?
root@server# ktutil
ktutil: read_kt /etc/apache2/http.keytab
ktutil: list
slot KVNO Principal
---- ---- --------------------------------
1 ?what is here?
2 ?what is here?
....etc...
- The error messages I get from using kinit with a keytab can be cryptic at the best of times. There are some links off Windows2003Authentication which I found helpful.
- Use Wireshark to figure out what is happening between client and KDC to interpret cryptic kinit errors.
- Closely reviewing the options sent to ktpass for keytab generation can make all the difference.
--
HughBlair - 12 Aug 2011
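The checks in the answer above (which realm kinit actually ends up asking for, and what entries the keytab really holds) can be done offline before touching a KDC. The following is an added example, not code from the thread or from TWiki; it reads krb5.conf the way the [realms] block is structured, decodes an MIT-format keytab directly instead of via ktutil, and reports the mismatches that make a "kinit -k" fail. The realm and host names mirror the poster's configuration; the keytab bytes are constructed inline with a dummy key and an assumed kvno and enctype, so they are sample data, not the poster's file.

```python
# Added example, not code from the thread: work out what 'kinit -k' will look for
# and check it against krb5.conf and the keytab, without contacting any KDC.
import struct

def parse_krb5_conf(text):
    """Return (default_realm, {REALM: [kdc, ...]}); parses the nested [realms] blocks."""
    section = realm = default_realm = None
    realms = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, realm = line[1:-1].lower(), None
        elif line == '}':
            realm = None
        else:
            key, _, value = (part.strip() for part in line.partition('='))
            if section == 'libdefaults' and key == 'default_realm':
                default_realm = value
            elif section == 'realms' and value == '{':
                realm = key
                realms.setdefault(realm, [])
            elif section == 'realms' and realm and key == 'kdc':
                realms[realm].append(value)
    return default_realm, realms

def _counted(buf, off):
    # Keytab counted string: big-endian uint16 length followed by the bytes.
    (n,) = struct.unpack_from('>H', buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into the fields 'ktutil: list' shows."""
    if data[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version %r' % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot
            off -= size
            continue
        p, end = off, off + size
        (ncomp,) = struct.unpack_from('>H', data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from('>IIB', data, p)
        enctype, keylen = struct.unpack_from('>HH', data, p + 9)
        p += 13 + keylen
        if end - p >= 4:               # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from('>I', data, p)[0] or kvno
        entries.append({'principal': '/'.join(comps) + '@' + realm,
                        'kvno': kvno, 'enctype': enctype})
        off = end
    return entries

def build_keytab(entries):
    """Constructed test data: write a v2 keytab from (principal, kvno, enctype, key)."""
    def cs(s):
        return struct.pack('>H', len(s.encode())) + s.encode()
    out = bytearray(b'\x05\x02')
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit('@', 1)
        comps = name.split('/')
        body = struct.pack('>H', len(comps)) + cs(realm) + b''.join(map(cs, comps))
        body += struct.pack('>IIB', 1, 0, kvno & 0xff)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack('>HH', enctype, len(key)) + key + struct.pack('>I', kvno)
        out += struct.pack('>i', len(body)) + body
    return bytes(out)

def check(conf_text, keytab_data, principal):
    """Reasons 'kinit -k -t keytab principal' can fail before any KDC answers."""
    default_realm, realms = parse_krb5_conf(conf_text)
    findings = []
    if '@' not in principal:           # kinit appends default_realm to a bare name
        if not default_realm:
            return ['principal has no realm and [libdefaults] sets no default_realm']
        principal += '@' + default_realm
    realm = principal.rsplit('@', 1)[1]
    if realm not in realms:
        findings.append('realm %s is not in [realms]; its KDC can only come from DNS SRV' % realm)
    known = sorted(e['principal'] for e in parse_keytab(keytab_data))
    if principal not in known:
        findings.append('no keytab entry for %s (keytab has: %s)' % (principal, ', '.join(known)))
    return findings

# Constructed sample input: the poster's krb5.conf and an assumed ktpass-style keytab
# entry (arcfour-hmac, enctype 23, kvno 3) for the service principal in the AD realm.
SAMPLE_CONF = """[libdefaults]
default_realm = AVIWIKI
[realms]
AVIWIKI = {
kdc = srvwiki.aviwiki.lum:88
}
"""
SAMPLE_KEYTAB = build_keytab([('HTTP/srvwiki.aviwiki.lum@AVIWIKI.LUM', 3, 23, b'\x00' * 16)])
```

Against the real files, call check(open('/etc/krb5.conf').read(), open('/etc/apache2/http.keytab', 'rb').read(), 'HTTP/srvwiki.aviwiki.lum'). With the sample data it reports that the bare principal becomes HTTP/srvwiki.aviwiki.lum@AVIWIKI (the default_realm) while the only keytab entry is in AVIWIKI.LUM; passing the fully qualified principal instead reports that AVIWIKI.LUM has no [realms] entry, so the KDC for it can only be found through DNS SRV records, which is the behaviour the answer suspects the working kinit relies on. Neither finding proves which one the poster is hitting; they are the two things to reconcile before reading Wireshark output.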