cross
New Foswiki release 2.1.6 is available with important security fixes.
Sourceforge foswiki email lists being discontinued. Subscribe to the new Foswiki announce and discuss lists at MailingLists
This question about LDAP: More info required

Using Keberos and Windows 2003

Hi i've got somme trouble with my keberos i think....

*here is my krb5.conf kiss

[libdefaults]

default_realm = AVIWIKI
[realms]
AVIWIKI = {
kdc = srvwiki.aviwiki.lum:88
admin_server = srvwiki.aviwiki.lum:749
default_domain = AVIWIKI

[domain_realm]
.aviwiki.lum = AVIWIKI
aviwiki.lum = AVIWIKI


and when i test an user i've got this :

root@srvwiki:/home/hazbyne# kinit hazbyne@AVIWIKI.LUM
Password for hazbyne@AVIWIKI.LUM:

*when i want to see the ticket kiss


root@srvwiki:/home/hazbyne# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hazbyne@AVIWIKI.LUM

Valid starting Expires Service principal
11/02/10 20:06:00 11/03/10 06:03:59 krbtgt/AVIWIKI.LUM@AVIWIKI.LUM
renew until 11/03/10 20:06:00
root@srvwiki:/home/hazbyne#


but when i try to test the http.keytab

root@srvwiki:/home/hazbyne# kinit -k -t /etc/apache2/http.keytab
HTTP/srvwiki.aviwiki.lum
kinit: Cannot contact any KDC for realm 'AVIWIKI' while getting
initial credentials

i got the error message : Cannot contact any KDC for realm 'AVIWIKI' while getting
initial credentials

some one can help me ?

thanks

I would triple check the krb5.conf. You are getting the error Cannot contact any KDC so it might be a reachability thing. The title of this question suggests you are using Windows 2003 but I notice in your /etc/krb5.conf the KDC looks like it references a server called srvwiki where you're also running kinit from.

I can also see that kinit is calling a realm called AVIWIKI.LUM and your krb5.conf defines a KDC handler for realm called AVIWIKI. Which realm is defined in your KDC?

Suggest you double check the servers you have configured in krb5.conf. The kinit that works might be locating the KDC using SRV records after a failed connection attempt but perhaps the kinit with the keytab might be failing before that.

A few things I would generally check are:

  • Is the principal visible without adding the keytab? Can you get a TGT like this:
root@srvwiki:/home/hazbyne# kinit HTTP/srvwiki.aviwiki.lum@AVIWIKI
  • What do the entries in the keytab look like?
root@server# ktutil
ktutil:  read_kt /etc/apache2/http.keytab
ktutil:  list
slot KVNO Principal
---- ---- --------------------------------
   1    ?what is here? 
   2    ?what is here?
         ....etc...
  • The error messages I get from using kinit with a keytab can be cryptic at the best of times. There are some links off Windows2003Authentication which I found helpful.
  • Use Wireshark to figure out what is happening between client and KDC to interpret cryptic kinit errors.
  • Closely reviewing the options sent to ktpass for keytab generation can make all the difference.
-- HughBlair - 12 Aug 2011

QuestionForm edit

Subject LDAP
Extension AttachLinkPlugin
Version Foswiki 1.0.9
Status More info required
Related Topics
Topic revision: r4 - 12 Aug 2011, HughBlair - This page was cached on 24 Jun 2018 - 04:19.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy