With great help from ktdreyer in the IRC channel I have sorted out the
problem.
It seems that CentOS 6 has version 1.9.22, which is broken for the TGT
referrals that AD hands out. I was compiling msktutil against 1.9.22 instead
of 1.10.1 by accident.
Git patch 1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a fixes this and, when
applied to the SRPM, resolves the issue.
I will be working on getting it logged with Red Hat when I have a chance
next week.
It looks like it can not change the password in AD.
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Did dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL get added to AD?
If not, does asdw...@EXAMPLE.INTERNAL have admin rights in AD to create computer accounts?
Try adding in krb5.conf [libdefaults]
udp_preference_limit = 1
This will force TCP. AD tickets are always large.
Change in krb5.conf:
admin_server = dc-hbt-01.example.internal
to
admin_server = dc-hbt-01.example.internal:749
(Make sure it can find the password change service.)
Another thing:
Are both dc-hbt-01.example.internal and dc-hbt-02.example.internal running?
If none of the above help, Wireshark trace (i.e. tcpdump) might help.
This is most likely not your problem, but do you need DES?
I see the krb5.conf has allow_weak_crypto = true.
ldap_set_supportedEncryptionTypes: DEE dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28
will set msDS-SupportedEncryptionTypes to use RC4, AES-128 and AES-256.
The msktutil --enctypes option can override this.
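The old=7 / new=28 values in the ldap_set_supportedEncryptionTypes line are the msDS-SupportedEncryptionTypes bitmask. The following is an added example, not code from the thread, from msktutil or from Microsoft, that decodes such a value into enctype names, flags the DES bits that would need allow_weak_crypto, and builds the integer that msktutil's --enctypes option takes. The bit assignments are the ones documented in MS-KILE section 2.2.7; everything else (function names, the choice of names) is this example's own.

```shell
#!/bin/sh
# Added example: work with the msDS-SupportedEncryptionTypes bitmask.
# Bit values per MS-KILE 2.2.7; bits 1..16 are Kerberos enctypes, the
# higher bits are KDC feature flags. Helper names are hypothetical.

# enctype_name BIT -> human-readable name of a single set bit
enctype_name() {
    case "$1" in
        1)   echo DES-CBC-CRC ;;
        2)   echo DES-CBC-MD5 ;;
        4)   echo RC4-HMAC ;;
        8)   echo AES128-CTS-HMAC-SHA1-96 ;;
        16)  echo AES256-CTS-HMAC-SHA1-96 ;;
        32)  echo FAST-supported ;;
        64)  echo Compound-identity-supported ;;
        128) echo Claims-supported ;;
        256) echo Resource-SID-compression-disabled ;;
        *)   echo "unknown-bit-$1" ;;
    esac
}

# enctype_bit NAME -> bit value for one of the five enctype names
enctype_bit() {
    case "$1" in
        DES-CBC-CRC)             echo 1 ;;
        DES-CBC-MD5)             echo 2 ;;
        RC4-HMAC)                echo 4 ;;
        AES128-CTS-HMAC-SHA1-96) echo 8 ;;
        AES256-CTS-HMAC-SHA1-96) echo 16 ;;
        *) echo "unknown enctype: $1" >&2; return 1 ;;
    esac
}

# decode_enctypes VALUE -> space-separated names of all set bits,
# lowest bit first (7 -> the two DES types plus RC4; 28 -> RC4, AES128, AES256)
decode_enctypes() {
    v="$1"; out=""; bit=1
    while [ "$v" -gt 0 ]; do
        if [ $(( v & 1 )) -eq 1 ]; then
            out="$out $(enctype_name "$bit")"
        fi
        v=$(( v >> 1 )); bit=$(( bit << 1 ))
    done
    echo "${out# }"
}

# has_weak_enctype VALUE -> true when either DES bit is set; such an
# account only works with allow_weak_crypto = true on MIT clients
has_weak_enctype() {
    [ $(( $1 & 3 )) -ne 0 ]
}

# encode_enctypes NAME... -> integer suitable for "msktutil --enctypes N"
encode_enctypes() {
    total=0
    for name in "$@"; do
        b=$(enctype_bit "$name") || return 1
        total=$(( total | b ))
    done
    echo "$total"
}
```

Running decode_enctypes on the two values from the log line shows why the old account needed allow_weak_crypto (DES bits set) and the new one does not; encode_enctypes with the three non-DES names gives back 28, the value to pass to --enctypes if you want to set it explicitly instead of relying on msktutil's default.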
> It looks like it can not change the password in AD.
> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
The error text is sort of misleading. There was a bug in MIT Kerberos
1.9 that causes this function to fail in certain AD scenarios. The
client sends a TGS-REQ for "kadmin/changepw", but AD responds with
a TGT. It's fixed by
https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a...,
but this patch is not in RHEL 6.2's kerberos libraries.
If you have a support contract with Red Hat and you are experiencing
this issue in your environment, I encourage you to file a support
request with them to get this patch into RHEL 6's krb5 package.
>> It looks like it can not change the password in AD.
>> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
> The error text is sort of misleading. There was a bug in MIT Kerberos
> 1.9 that causes this function to fail in certain AD scenarios. The
> client sends a TGS-REQ for "kadmin/changepw", but AD responds with
> a TGT. It's fixed by
> https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a...,
> but this patch is not in RHEL 6.2's kerberos libraries.
> If you have a support contract with Red Hat and you are experiencing
> this issue in your environment, I encourage you to file a support
> request with them to get this patch into RHEL 6's krb5 package.
Ken,
I was responding to the original message, as one of the early
developers of msktutil, I did not see that you had found the bug
yesterday.
But good to know there is a fix.
> - Ken
--
Douglas E. Engert <DEEng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
On Thu, Apr 5, 2012 at 10:41 AM, Douglas E. Engert <deeng...@anl.gov> wrote:
> I was responding to the original message, as one of the early
> developers of msktutil, I did not see that you had found the bug
> yesterday.
> But good to know there is a fix.
Whoops, I didn't mean to imply you yourself should file a ticket with
RH. I should have phrased "if you are experiencing this in your
environment" to be "if anyone is experiencing this in his or her
environment".
How did you apply the patch to the CentOS source package?
I'm trying to build an RPM package (I want to apply the patch) from this
official RH 6.2 SRPM package: krb5-1.9-22.el6_2.1.src.rpm
I have installed this package:
rpm -ivh krb5-1.9-22.el6_2.1.src.rpm
And then I run:
rpmbuild -ba ~/rpmbuild/SPECS/krb5.spec
error: Failed build dependencies:
libss-devel is needed by krb5-1.9-22.el6.1.x86_64
texinfo-tex is needed by krb5-1.9-22.el6.1.x86_64
But the required packages are not available in the official RH 6.2
repository, so I can't resolve the dependencies...
Note that this error message is shown without any modification... It's
weird, I don't understand how RH can offer an SRPM package that fails to
build.
> With great help from ktdreyer in the IRC channel I have sorted out the
> problem.
> It seems that CentOS 6 has version 1.9.22, which is broken for the TGT
> referrals that AD hands out. I was compiling msktutil against 1.9.22
> instead of 1.10.1 by accident.
> Git patch 1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a fixes this and, when
> applied to the SRPM, resolves the issue.
> I will be working on getting it logged with Red Hat when I have a chance
> next week.
> Simon
> On Thu, 2012-04-05 at 07:36 +1000, Simon Dwyer wrote:
>> Hi All,
>> I have been banging my head against this for a few weeks now.
>> I am trying to use squid with Kerberos and so I need to get my
>> machine
>> into the Active Directory domain.
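The build question above (how to carry the upstream commit into a rebuilt krb5 SRPM) is the standard rpmbuild routine: install the src.rpm, drop the patch file into SOURCES, register it in the spec with a new PatchN: tag and a matching %patchN line in %prep, then rebuild. The following is an added example and is not code from the thread, from Red Hat's krb5 spec or from msktutil. add_patch_to_spec and rebuild_with_patch are hypothetical helpers; the patch filename krb5-1.9-1c885dba.patch is an assumed name for the commit the thread references; the awk assumes the spec uses "PatchN: file" tags and "%patchN -p1" lines, which is the convention in Red Hat specs of that era. The libss-devel and texinfo-tex build dependencies from the error message must be installed before rpmbuild will proceed.

```shell
#!/bin/sh
# Added example: register a patch in an RPM spec and rebuild the SRPM.
# Hypothetical helpers, not from the thread or from Red Hat's krb5 spec.

# add_patch_to_spec SPEC PATCHFILE
# Appends "PatchN: PATCHFILE" after the last existing PatchN: tag (or after
# the last SourceN: tag if the spec has no patches) and "%patchN -p1 -b .suffix"
# after the last %patchN line in %prep (or after %setup if there is none),
# with N = highest existing patch number + 1. Prints N.
add_patch_to_spec() {
    spec="$1"; patch="$2"
    suf=$(basename "$patch" .patch)
    n=$(sed -n 's/^Patch\([0-9]*\):.*/\1/p' "$spec" | sort -n | tail -1)
    n=$(( ${n:-0} + 1 ))
    tmp="$spec.tmp.$$"
    awk -v n="$n" -v p="$patch" -v s="$suf" '
        /^Source[0-9]*:/ { lastsrc = NR }
        /^Patch[0-9]*:/  { lasttag = NR }
        /^%setup/        { setup = NR }
        /^%patch[0-9]*/  { lastapply = NR }
        { line[NR] = $0 }
        END {
            tag   = lasttag   ? lasttag   : lastsrc
            apply = lastapply ? lastapply : setup
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == tag)   printf "Patch%d: %s\n", n, p
                if (i == apply) printf "%%patch%d -p1 -b .%s\n", n, s
            }
        }' "$spec" > "$tmp" && mv "$tmp" "$spec"
    echo "$n"
}

# rebuild_with_patch SRPM PATCHFILE
# Installs the SRPM into ~/rpmbuild, copies the patch into SOURCES, registers
# it in the spec and rebuilds. Build dependencies (for krb5-1.9-22.el6 these
# include libss-devel and texinfo-tex) must already be present;
# "yum-builddep SPEC" from yum-utils installs them.
rebuild_with_patch() {
    srpm="$1"; patch="$2"
    rpm -ivh "$srpm"
    cp "$patch" "$HOME/rpmbuild/SOURCES/"
    spec="$HOME/rpmbuild/SPECS/$(rpm -qp --queryformat '%{NAME}' "$srpm").spec"
    add_patch_to_spec "$spec" "$(basename "$patch")" >/dev/null
    rpmbuild -ba "$spec"
}
```

Typical use is `rebuild_with_patch krb5-1.9-22.el6_2.1.src.rpm krb5-1.9-1c885dba.patch`, after which the rebuilt binary RPMs land in ~/rpmbuild/RPMS. The -b .suffix on the %patch line keeps a backup of each patched file, which makes it easy to diff the result against the unpatched source when checking that the patch applied where you expected.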