Problems with Keytabs

js1
I get the following message when I run "kinit -k -t my.keytab":

  kinit(v5): Cannot find KDC for requested realm while getting initial credentials

It works fine if I just do "kinit my_user".  I did a tcpdump and noticed
that when I try to use the keytab, kinit seems to look for
_kerberos._udp.LOCALDOMAIN and _kerberos._tcp.LOCALDOMAIN.  But,
when I don't use the keytab, it queries my kerberos server,
kerberos.mydomain.bogus.  How do I alter this behavior?  Thanks for
any tips.

--
"I have to decide between two equally frightening options.  
                         If I wanted to do that, I'd vote." --Duckman

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Problems with Keytabs

Kenneth G Raeburn
On Jul 5, 2005, at 18:14, js1 wrote:

> I get the following message when I run "kinit -k -t my.keytab":
>
>   kinit(v5): Cannot find KDC for requested realm while getting initial credentials
>
> It works fine if I just do "kinit my_user".  I did a tcpdump and noticed
> that when I try to use the keytab, kinit seems to look for
> _kerberos._udp.LOCALDOMAIN and _kerberos._tcp.LOCALDOMAIN.  But,
> when I don't use the keytab, it queries my kerberos server,
> kerberos.mydomain.bogus.  How do I alter this behavior?  Thanks for
> any tips.

If you're using a keytab file and not specifying a principal name, the
kinit program will attempt to use the "host" service principal for the
local host, and will try to figure out the canonical FQDN of the host
in the process (and then the realm, based on that hostname).  I'm
guessing it's coming up with "LOCALDOMAIN" when it tries to do that
step.  Check your network configuration....

Ken
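
Added example, not part of the original thread and not MIT krb5 code: a simplified Python model of the derivation Ken describes (local FQDN, then "host" principal, then realm, then the SRV names seen in the tcpdump). The `[domain_realm]`-style lookup order, the upper-cased parent-domain fallback, the host name `app1` and the realm `MYDOMAIN.BOGUS` are assumptions made for illustration.

```python
def realm_for_host(fqdn, domain_realm):
    """Map a host name to a realm: exact host entry, then ".parent" entries,
    then (assumed heuristic) the upper-cased parent domain."""
    host = fqdn.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in candidates:
        if key in domain_realm:
            return domain_realm[key]
    # No mapping: guess the realm from the host name itself.
    return ".".join(labels[1:]).upper() if len(labels) > 1 else None


def default_keytab_principal(fqdn, domain_realm, default_realm):
    """Principal assumed when a keytab is used and no principal name is given."""
    realm = realm_for_host(fqdn, domain_realm) or default_realm
    return "host/%s@%s" % (fqdn.lower().rstrip("."), realm)


def srv_queries(realm):
    """DNS SRV names a client would look up to locate a KDC for the realm."""
    return ["_kerberos._udp." + realm, "_kerberos._tcp." + realm]


def diagnose(fqdn, domain_realm, default_realm):
    """Report the derived principal and whether it lands in the intended realm."""
    principal = default_keytab_principal(fqdn, domain_realm, default_realm)
    realm = principal.rsplit("@", 1)[1]
    return {"principal": principal,
            "srv": srv_queries(realm),
            "realm_ok": realm == default_realm}


if __name__ == "__main__":
    # Constructed inputs: a host that resolves its own name badly, and one
    # with a proper FQDN plus a domain-to-realm mapping.
    mapping = {".mydomain.bogus": "MYDOMAIN.BOGUS"}
    for name, table in (("localhost.localdomain", {}),
                        ("app1.mydomain.bogus", mapping)):
        print(name, diagnose(name, table, "MYDOMAIN.BOGUS"))
```

Naming the principal explicitly on the kinit command line skips this derivation entirely, which is the fix the thread arrives at.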


Re: Problems with Keytabs

js1
On 2005-07-05, Ken Raeburn <[hidden email]> wrote:
>
> not specifying a principal name
>

Doh!  Thanks for catching that.


--
"I have to decide between two equally frightening options.  
                         If I wanted to do that, I'd vote." --Duckman
