1. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 9, 2008 3:33 PM (in response to daz_75)
May I ask if you configured your krb5 environment (config files)? And if you don't know anything about krb5, can you explain what you are trying to do?
2. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 9, 2008 3:34 PM (in response to 807557)
Unfortunately someone else is setting this up and has come to me for help lol
The krb5.conf has been set up and we are trying to connect to a Windows machine.
3. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 9, 2008 4:37 PM (in response to daz_75)
ok. make sure they set /etc/krb5/krb5.conf, as the default mit/heimdal krb5.conf is in /etc.
here is a /etc/krb5/krb5.conf for my test ad 2k3 domain (change the domain to match yours if you choose to use this example):
[libdefaults]
    default_realm = MAILME.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    MAILME.COM = {
        kdc = server2k.mailme.com:88
        admin_server = server2k.mailme.com:749
    }
[domain_realm]
    .mailme.com = MAILME.COM
    mailme.com = MAILME.COM
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        period = 1d
        versions = 10
    }
[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }
    gkadmin = {
        help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
    }
there are various ways to build a working krb5 config file out there. however this is a base setup i use. feel free to test or use some of the other means available out there.
here is one example: http://blog.scottlowe.org/?p=447
and a bigadmin article: http://wikis.sun.com/display/BigAdmin/Using%20Kerberos%20to%20Authenticate%20a%20Solaris%2010%20OS%20LDAP%20Client%20With%20Microsoft%20Active%20Directory
Edited by: sid_sanders on Jun 9, 2008 9:37 AM
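Added example, not part of the post above and not Solaris or MIT code: a small Python audit of a krb5.conf that checks the two things this thread turns on. It verifies that default_realm has a case-exact entry in [realms] with a kdc line (without one the client depends on DNS to locate a KDC), and it lists single-DES enctypes, which RFC 6649 deprecates. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample based on this thread's config; [realms] key lower-cased on purpose.
SAMPLE = """[libdefaults]
default_realm = MAILME.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
[realms]
mailme.com = {
kdc = server2k.mailme.com:88
}
"""
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single DES, see RFC 6649

def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and { } nested blocks."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                stack[-1][key] = child = {}
                stack.append(child)
            else:
                cur = stack[-1].setdefault(key, [])
                if isinstance(cur, list):
                    cur.append(val)
    return conf

def audit(text):
    """Return findings: default realm without a kdc entry, weak enctypes."""
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    realm = next(iter(lib.get("default_realm", [])), None)
    entry = conf.get("realms", {}).get(realm)  # realm names are case-sensitive
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not isinstance(entry, dict) or not entry.get("kdc"):
        findings.append(f"no kdc for realm {realm} in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        names = " ".join(lib.get(key, [])).replace(",", " ").split()
        weak = [n for n in names if n.lower() in WEAK]
        if weak:
            findings.append(f"{key} allows weak {', '.join(weak)}")
    return findings
```

Calling `audit(open("/etc/krb5/krb5.conf").read())` on the Solaris client runs the same checks against the live file.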
4. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 11, 2008 9:20 AM (in response to 807557)
Thanks for the info sid, I'll take a look.
Can I ask what you mean by this? "/etc/krb5/krb5.conf as the default mit/heimdal " What's mit/heimdal? Do I need to set kerberos to be running somewhere?
Also, does the Windows server need to be a 2003 release or can it be Windows 2000?
Thanks
Daz
5. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 11, 2008 3:31 PM (in response to daz_75)
solaris comes with kerberos exes/libs installed (for most installation selections). you have to configure the krb5.conf to make things begin to work from the client side. AD can be 2000 or 2003. mit or heimdal are open source krb5 vers. they can be configured to have krb5.conf in diff places, however the default is in /etc. so i was just trying to make sure you don't make changes to the wrong solaris krb5.conf
6. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 11, 2008 3:44 PM (in response to 807557)
ok cheers for the info.
I think there may be communication problems with the Windows machine. I think DNS isn't working as expected. An nslookup of the Windows machine doesn't bring back anything; can the /etc/hosts file be used instead?
Thanks
Darren
7. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 11, 2008 5:32 PM (in response to daz_75)
it can. if you want to use krb5 tickets for telnet/ftp/ssh (if configured and available) it would be useful to have dns functioning. make sure you have /etc/resolv.conf configured along with /etc/nsswitch.conf (hosts: files dns).
8. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 12, 2008 2:19 PM (in response to 807557)
ok we are getting somewhere now. After running kinit we get a password prompt, we type in the password and get the following:
txxxxxx1> kinit
Password for trap0101@xxxxxx.xxxxxxx.ORG:
localhost: RPC: Program not registered
kinit: no ktkt_warnd warning possible
The xxxxx are blanks by me. The ktkt_warnd is because there is no warn.conf file, not sure if this is needed for things to work. I'm guessing it shouldn't be trying to use localhost
9. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 12, 2008 3:39 PM (in response to daz_75)
sorry ignore that, we DO have a warn.conf file in /etc/krb5
10. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 12, 2008 3:46 PM (in response to daz_75)
svcadm enable /network/security/ktkt_warn:default has removed the above errors.
We now just get the prompt back after typing in the password
11. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 12, 2008 5:04 PM (in response to daz_75)
does klist -e show anything? are you ok now?
12. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
daz_75 Jun 13, 2008 8:52 AM (in response to 807557)
txxxxxxx> klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: trap0101@xxxxxxxx.xxxxxxxxxx.ORG
Valid starting Expires Service principal
13/06/2008 09:04 13/06/2008 19:04 krbtgt/xxxxxxxxxx.xxxxxxxxxxx.ORG@xxxxxxxxxx.xxxxxxxxxxx.ORG
renew until 20/06/2008 09:04, Etype(skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
I'm not sure exactly what this guy wants, so I'm waiting for a reply from him, thanks for the info
13. Re: kinit(v5): Cannot find KDC for requested realm while getting initial cr
807557 Jun 13, 2008 2:00 PM (in response to daz_75)
klist -e shows you the encryption type of any tickets you may have. things look ok from that listing. there may be other steps you can do, however as you said, you need to hear some more before doing much else.