using heimdal to connect to win2003 AD...kinit error message.

Philippe Dhont  (Sea-ro)
 
Hello,
 
I'm pretty new to Kerberos and I'm trying to use Linux with Samba, with authentication via Windows 2003 Active Directory.
 
My Windows 2003 server and Linux server are IN the company and no firewalls are passed in this communication; the two systems are side by side.
 
This is my krb5.conf (which is all I need to get working, right?):
 

[libdefaults]
        default_realm = TEST.LOCAL
#       default_etypes  = des-cbc-crc des-cbc-md5
#       default_etypes_des      = des-cbc-crc des-cbc-md5
 
# The following krb5.conf variables are only for MIT Kerberos.
        clockskew = 300
#       krb4_config = /etc/krb.conf
#       krb4_realms = /etc/krb.realms
#       kdc_timesync = 1
#       ccache_type = 4
#       forwardable = true
#       proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code
# are correct and overriding these specifications only serves to disable
# new encryption types as they are added, creating interoperability problems.
#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
 
# The following libdefaults parameters are only for Heimdal Kerberos.
#       v4_instance_resolve = false
#       v4_name_convert = {
#               host = {
#                       rcmd = host
#                       ftp = ftp
#               }
#               plain = {
#                       something = something-else
#               }
#       }
 
[realms]
SEARO.LOCAL = {
         kdc = SERVER1.TEST.LOCAL
#        admin_server = 192.168.0.10
}
 
 
I also added that server to my hosts file so that it can find it.
When I ping the FQDN, I get a positive response.
 
This is my ldap.conf configuration:
 
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
host    192.168.0.10
base    dc=TEST,dc=LOCAL
 
 
 

 
 
Then, when I do
 
primsquid:/# kinit [hidden email]
[hidden email]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
kinit: converting creds: Cannot contact any KDC for requested realm
primsquid:/#
 
 
Why do I get:
 
kinit: converting creds: Cannot contact any KDC for requested realm
 
If I could resolve that, I would be a step closer to the solution.
 
 
Thanks!
Verus.
 
[domain_realm]
#       server1.searo.local = SEARO.LOCAL
        server1.searo.local = SEARO.LOCAL
 
#[login]
#       krb4_convert = true
#       krb4_get_tickets = true
Re: using heimdal to connect to win2003 AD...kinit error message.

Buck Huppmann
On Sat, Oct 15, 2005 at 12:41:54AM +0200, Philippe Dhont  (Sea-ro) wrote:

> primsquid:/# kinit [hidden email]
> [hidden email]'s Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> kinit: converting creds: Cannot contact any KDC for requested realm

Looks like kinit is trying to use your krb5 TGT to contact a 524
server and "convert" the krb5 TGT to a krb4 TGT. Try setting
krb4_get_tickets = false in the [libdefaults] section of krb5.conf
to keep it from doing that and giving you the error message (which
should otherwise be harmless).
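The point of the reply is worth making explicit: the TGT was already obtained (kinit printed the renewable lifetime), so the AD KDC on port 88 was reachable; the "Cannot contact any KDC" comes from the follow-up krb524 step, in which kinit tries to turn the krb5 TGT into a DES-based Kerberos 4 ticket via a 524 server that an AD domain does not run. Turning that legacy step off is the right fix; standing up a 524 server is not. A second thing visible in the posted krb5.conf is that it names two realms (default_realm = TEST.LOCAL, but the [realms] stanza and [domain_realm] mapping use SEARO.LOCAL); whether that is obfuscation or a real mismatch, a config edited piecemeal like this is how such errors creep in. The script below is an added example, not code from the thread or from Heimdal: it writes a minimal krb5.conf for an AD realm (realm and host names are constructed placeholders) and lints it for exactly those two problems, a referenced realm with no [realms] stanza and krb4_get_tickets not explicitly false. It runs offline; verifying the real fix is still `kinit user@REALM` followed by `klist`.

```shell
#!/bin/sh
# Added example, not code from the thread: write a minimal Heimdal krb5.conf
# for an AD realm and lint it for the two problems the thread shows.
# Realm and host names below are constructed placeholders.

# write_krb5_conf FILE DEFAULT_REALM STANZA_REALM KDC_FQDN KRB4_FLAG
# DEFAULT_REALM and STANZA_REALM are separate arguments only so that a
# deliberately inconsistent file can be produced for the negative case.
write_krb5_conf() {
    lower=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    cat > "$1" <<EOF
[libdefaults]
        default_realm = $2
        clockskew = 300
        # Do not try to fetch a Kerberos 4 ticket via the 524 protocol.
        krb4_get_tickets = $5

[realms]
$3 = {
        kdc = $4
        admin_server = $4
}

[domain_realm]
        .$lower = $3
        $lower = $3
EOF
}

# Print the realm names that have a stanza in [realms].
realms_defined() {
    awk '
        /^[[:space:]]*#/ { next }
        /^\[/ { section = $0; sub(/[[:space:]]+$/, "", section); next }
        section == "[realms]" && /=[[:space:]]*\{/ {
            name = $0
            sub(/[[:space:]]*=.*/, "", name)
            sub(/^[[:space:]]+/, "", name)
            print name
        }' "$1"
}

# Print every realm the file refers to: default_realm plus the right-hand
# side of each [domain_realm] mapping, deduplicated.
realms_referenced() {
    awk '
        /^[[:space:]]*#/ { next }
        /^\[/ { section = $0; sub(/[[:space:]]+$/, "", section); next }
        (section == "[libdefaults]" && /^[[:space:]]*default_realm[[:space:]]*=/) ||
        (section == "[domain_realm]" && /=/) {
            value = $0
            sub(/.*=[[:space:]]*/, "", value)
            sub(/[[:space:]]+$/, "", value)
            print value
        }' "$1" | sort -u
}

# Exit 0 if every referenced realm has a [realms] stanza and krb4 ticket
# fetching is explicitly off; otherwise print each problem and exit 1.
# The thread shows the unset default attempting the 524 conversion on the
# Heimdal build in use, so "unset" is treated as a problem here.
check_krb5_conf() {
    rc=0
    defined=" $(realms_defined "$1" | tr '\n' ' ') "
    for realm in $(realms_referenced "$1"); do
        case "$defined" in
            *" $realm "*) ;;
            *) echo "realm $realm is referenced but has no [realms] stanza"; rc=1 ;;
        esac
    done
    krb4=$(awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*krb4_get_tickets[[:space:]]*=/ {
            value = $0
            sub(/.*=[[:space:]]*/, "", value)
            sub(/[[:space:]]+$/, "", value)
            print value
        }' "$1")
    case "$krb4" in
        false|no|0) ;;
        *) echo "krb4_get_tickets is '${krb4:-unset}': kinit may try the 524 conversion"; rc=1 ;;
    esac
    return $rc
}

# Demo: a consistent file, then one that mirrors the thread's mistakes
# (default_realm and [realms] disagree, krb4 lookups left on).
conf=$(mktemp)
write_krb5_conf "$conf" TEST.LOCAL TEST.LOCAL server1.test.local false
if check_krb5_conf "$conf"; then echo "consistent krb5.conf written to $conf"; fi
write_krb5_conf "$conf" TEST.LOCAL SEARO.LOCAL server1.test.local true
check_krb5_conf "$conf" || echo "inconsistent krb5.conf rejected"
rm -f "$conf"
```

The lint is deliberately strict about krb4_get_tickets being present and false rather than merely absent, because the original error arose with the option unset. Later Heimdal releases dropped Kerberos 4 support altogether, so the option only matters on builds of that era; the realm-consistency check is useful regardless of version.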
RE: using heimdal to connect to win2003 AD...kinit error message.

Philippe Dhont  (Sea-ro)

Great! It works now... now I can move on!
Thanks for the info. I am a real newbie on this subject but am planning to
learn a lot about it; you helped me a bit on the way.

Cheers,
Phil.
