[31076] in Kerberos
Re: cannot kinit to AD realm using alternative dns name
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri May 8 10:17:22 2009
Message-ID: <4A043ED4.3040800@anl.gov>
Date: Fri, 08 May 2009 09:16:52 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: "Mchugh, Sean" <SMchugh@grey.com>
In-Reply-To: <DDC42FE5FB7EFA489717B14AB2AAB36D0412848F@ex-777-02.ggg.grey.global>
Cc: kerberos@mit.edu
Mchugh, Sean wrote:
> Looking for some advice on how to proceed or if anyone has had the same
> issue; google hasn't come to my rescue yet:
>
>
> Our Active Directory 2003 domain is called: GGG.LOCAL
> Our userprincipalnames are set up to match our smtp address, in this case
> username@grey.com
>
> I can kinit successfully with: username@GGG.LOCAL
Correct, Kerberos principals are case sensitive (but Windows and DNS are insensitive).
So your realm name is GGG.LOCAL, so it must be upper case.
> But not with: username@grey.com _or_ username@ggg.local ; error message
Won't work, as there is no realm called grey.com (or GREY.COM).
username@ggg.local might get further, but I bet Windows
returns username@GGG.LOCAL and kinit gets confused, as ggg.local != GGG.LOCAL
> is: "kinit(v5): KRB5 error code 68 while getting initial credentials"
>
> Running Centos 5.2 with the following krb5 packages installed:
>
> krb5-libs-1.6.1-31.el5_3.3
> pam_krb5-2.2.14-1.el5_2.1
> pam_krb5-2.2.14-1.el5_2.1
> krb5-libs-1.6.1-31.el5_3.3
> krb5-workstation-1.6.1-31.el5_3.3
> krb5-devel-1.6.1-31.el5_3.3
>
>
> Following SRV record was manually added: _kerberos._tcp.grey.com 0 100 88 dc.ggg.local.
The above does not look correct. Even if the krb libs find the dc.ggg.local
KDC via DNS, the KDC does not support the realm grey.com: only GGG.LOCAL (or ggg.local)
> Following is /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = GGG.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [domain_realm]
> .ggg.grey.global = GGG.LOCAL
> ggg.grey.global = GGG.LOCAL
> .grey.com = GGG.LOCAL
> grey.com = GGG.LOCAL
>
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     validate = true
> }
>
So use uppercase realm names with Kerberos apps.
>
> Sean McHugh
> VP, Dir. of Global Services
> Grey Group
> p. 212-546-1926
> m. smchugh@grey.com
> c. 917-916-8644
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
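An added illustration of the two points made in the reply above (not code from the thread or from MIT Kerberos): [domain_realm] maps hostnames to a realm and never changes the realm in a user's principal, and realm names are compared case-sensitively. It uses a trimmed copy of the quoted krb5.conf as constructed sample input; the parser and the set of realms the KDC serves are hypothetical.

```python
import re
from typing import Dict, Iterable

# Constructed sample: the [libdefaults] and [domain_realm] sections of the
# krb5.conf quoted in the thread (hypothetical trimmed copy).
KRB5_CONF = """
[libdefaults]
default_realm = GGG.LOCAL
dns_lookup_realm = true

[domain_realm]
.ggg.grey.global = GGG.LOCAL
ggg.grey.global = GGG.LOCAL
.grey.com = GGG.LOCAL
grey.com = GGG.LOCAL
"""

def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: 'key = value' lines under [section] headers."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]) -> str:
    """[domain_realm] lookup for a *hostname*: exact host first, then each parent
    domain with a leading dot, else default_realm. Mapping grey.com here says
    which realm hosts under grey.com belong to; it does not create a realm
    named grey.com, so it cannot make username@grey.com a valid kinit target."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]

def diagnose_principal(principal: str, served_realms: Iterable[str]) -> str:
    """Explain whether a kinit principal names a realm the KDC actually serves.
    The comparison is byte-exact: Kerberos realm names are case sensitive."""
    served = set(served_realms)
    if "@" not in principal:
        return "no realm given; default_realm would be appended"
    realm = principal.rsplit("@", 1)[1]
    if realm in served:
        return "ok"
    if realm.upper() in served:
        return f"realm {realm} differs only in case from {realm.upper()}; realms are case sensitive"
    return f"realm {realm} is not served by this KDC"
```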
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos