AD KDC - msktutil - krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

PieterB

Jan 11, 2012, 1:44:21 AM
Hi,

I have this error (see subject) when using msktutil. Any idea what's
wrong with my setup?
(I've replaced hostnames and OU structure)

/etc/krb5.conf (part)
==========
[libdefaults]
default_realm = EXAMPLE.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.ORG = {
default_domain = msnet.railb.be
kdc = ictdc01.example.org
admin_server = ictdc01.example.org
admin_keytab = FILE:/etc/krb5.keytab
}

[domain_realm]
.example.org = EXAMPLE.ORG
example.org = EXAMPLE.ORG



msktutil --create -h tstweb01 -b "OU=Linux Servers" --server ictdc01 --verbose

-- init_password: Wiping the computer password structure
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-fbUui1
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: tstweb01
-- finalize_exec: SAM Account Name is: tstweb01$
-- try_machine_keytab_princ: Trying to authenticate for tstweb01$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/tstweb01.example.org from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for tstweb01$ with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4

-- ldap_connect: Connecting to LDAP server: ictdc01 try_tls=YES
-- ldap_connect: Connecting to LDAP server: ictdc01 try_tls=NO
SASL/GSSAPI authentication started
SASL username: sys_ms...@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56

-- ldap_get_base_dn: Determining default LDAP base: dc=EXAMPLE,dc=ORG
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 86
-- ldap_check_account: Checking that a computer account for tstweb01$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000

-- ldap_check_account: Found supportedEncryptionTypes = 28

-- ldap_check_account: Found dNSHostName = tstweb01.example.org

-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache

-- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Error: set_password failed
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context

PieterB

Jan 12, 2012, 8:28:05 AM
On Jan 11, 7:44 am, PieterB <pieter.ba...@gmail.com> wrote:
>

Also related to the MIT Kerberos version 1.9.x...
Ok, it's working on Red Hat Enterprise Linux (1.6)

