It looks like it can not change the password in AD.
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Did dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL get added to AD?
If not, does asdw...@EXAMPLE.INTERNAL have admin rights in AD to create computer accounts?
Try adding in krb5.conf [libdefaults]
udp_preference_limit = 1
This will force TCP. AD tickets are always large.
Change in krb5.conf:
admin_server = dc-hbt-01.example.internal
to
admin_server = dc-hbt-01.example.internal:749
(Make sure it can find the password change service.)
Are both dc-hbt-01.example.internal and dc-hbt-02.example.internal running?
If none of the above help, Wireshark trace (i.e. tcpdump) might help.
This is most likely not your problem, but do you need DES?
I see the krb5.conf has allow_weak_crypto = true.
ldap_set_supportedEncryptionTypes: DEE dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28
will set msDS_supportedEncryptionTypes to use RC4 and AES-128 and AES-256
The msktutil --enctypes option can override this.
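The old=7 new=28 change in the log line above, decoded bit by bit and checked against the allow_weak_crypto question. This is an added example, not part of the original thread and not msktutil code; the bit values are the msDS-SupportedEncryptionTypes flags from MS-KILE, and the krb5.conf fragment and function names are constructed for illustration.

```python
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes (per MS-KILE).
ENCTYPE_BITS = [
    (0x01, "des-cbc-crc"),
    (0x02, "des-cbc-md5"),
    (0x04, "rc4-hmac"),
    (0x08, "aes128-cts-hmac-sha1-96"),
    (0x10, "aes256-cts-hmac-sha1-96"),
]
DES_MASK = 0x01 | 0x02

# Log line as quoted in the thread.
LOG_LINE = ("ldap_set_supportedEncryptionTypes: DEE "
            "dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28")

# Constructed krb5.conf fragment with the two settings mentioned in the thread.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.INTERNAL
    udp_preference_limit = 1
    allow_weak_crypto = true
"""

def decode_enctypes(mask):
    """Names of the enctypes whose bits are set in mask, lowest bit first."""
    return [name for bit, name in ENCTYPE_BITS if mask & bit]

def parse_enctype_change(line):
    """Return (old, new) masks from an 'old=N new=M' log line."""
    m = re.search(r"\bold=(\d+)\s+new=(\d+)\b", line)
    if m is None:
        raise ValueError("no old=/new= pair found")
    return int(m.group(1)), int(m.group(2))

def weak_crypto_enabled(conf_text):
    """True if allow_weak_crypto is set to a true value outside comments."""
    m = re.search(r"^[ \t]*allow_weak_crypto[ \t]*=[ \t]*(\S+)", conf_text, re.M | re.I)
    return bool(m) and m.group(1).lower() in {"true", "t", "yes", "y", "on", "1"}

def review(line, conf_text):
    """Findings for a keytab update: enctypes removed and now-unneeded DES support."""
    old, new = parse_enctype_change(line)
    findings = ["removed: " + n for n in decode_enctypes(old & ~new)]
    if weak_crypto_enabled(conf_text) and not new & DES_MASK:
        findings.append("allow_weak_crypto = true but account no longer advertises DES")
    return findings

if __name__ == "__main__":
    print("\n".join(review(LOG_LINE, KRB5_CONF)))
```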
>> It looks like it can not change the password in AD.
>> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
> The error text is sort of misleading. There was a bug in MIT Kerberos
> 1.9 that causes this function to fail in certain AD scenarios. The
> client sends a TGS-REQ for "kadmin/changepw", but AD responds with
> a TGT. It's fixed by
> but this patch is not in RHEL 6.2's kerberos libraries.
> If you have a support contract with Red Hat and you are experiencing
> this issue in your environment, I encourage you to file a support
> request with them to get this patch into RHEL 6's krb5 package.
I was responding to the original message, as one of the early
developers of msktutil, I did not see that you had found the bug.
But good to know there is a fix.
> - Ken
Douglas E. Engert <DEEng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
On Thu, Apr 5, 2012 at 10:41 AM, Douglas E. Engert <deeng...@anl.gov> wrote:
> I was responding to the original message, as one of the early
> developers of msktutil, I did not see that you had found the bug.
> But good to know there is a fix.
Whoops, I didn't mean to imply you yourself should file a ticket with
RH. I should have phrased "if you are experiencing this in your
environment" to be "if anyone is experiencing this in his or her
> With great help from ktdreyer in the IRC channel I have sorted out the
> It seems that CentOS 6 has a version 1.9.22 which is broken for
> referrals that AD hands out. I was compiling msktutil to 1.9.22
> of 1.10.1 by accident
> git patch 1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a fixes this and when
> applied to the srpm resolves the issue.
> I will be working on getting it logged to Red Hat when I have a chance
> next week.
> On Thu, 2012-04-05 at 07:36 +1000, Simon Dwyer wrote:
>> Hi All,
>> I have been banging my head against this for a few weeks now.
>> I am trying to use Squid with Kerberos and so I need to get my
>> into the Active Directory domain.