
Same config as server: kinit(v5): Improper format of Kerberos configuration file...


Mathew Rowley

Dec 22, 2008, 12:06:33 PM
to kerb...@mit.edu
I am trying to set up a server for kerberos authentication, but when I copy
my krb5.conf file over to the server, I get the following error while trying
to do a kinit:

kinit(v5): Improper format of Kerberos configuration file while initializing
Kerberos 5 library

The only difference I can see is the versions installed on the kerberos
server vs the secondary server. The kerberos server has 1.6.1, and the
machine I want to use krb based auth has 1.4.3. Will that cause this error
to occur? This is the krb5.conf file:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IPA.COMCAST.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[realms]
IPA.COMCAST.COM = {
kdc = ipa01.security.lab.comcast.com:88
admin_server = ipa01.security.lab.comcast.com:749
default_domain = security.lab.comcast.com
database_module = openldap_ldapconf
}

[domain_realm]
.security.lab.comcast.com = IPA.COMCAST.COM
security.lab.comcast.com = IPA.COMCAST.COM

[dbdefaults]
ldap_kerberos_container_dn = cn=krbcontainer,o=comcast,dc=comcast,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = cn=krbcontainer,o=comcast,dc=comcast,dc=com
ldap_kdc_dn = "cn=krbadmin,o=comcast,dc=comcast,dc=com"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=krbadmin,o=comcast,dc=comcast,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/kerberos/service.keyfile
ldap_servers = ldap://ipa01.security.lab.comcast.com
ldap_conns_per_server = 5
}

--
MAT

Ken Raeburn

Dec 22, 2008, 1:26:52 PM
to Mathew Rowley, kerb...@mit.edu
On Dec 22, 2008, at 12:06, Mathew Rowley wrote:
> I am trying to set up a server for kerberos authentication, but when I copy
> my krb5.conf file over to the server, I get the following error while trying
> to do a kinit:
>
> kinit(v5): Improper format of Kerberos configuration file while initializing
> Kerberos 5 library
>
> The only difference I can see is the versions installed on the kerberos
> server vs the secondary server. The kerberos server has 1.6.1, and the
> machine I want to use krb based auth has 1.4.3. Will that cause this error
> to occur? This is the krb5.conf file:

I didn't recall this on first reading your message, but after a little
experimentation it looks like we did have a minor syntax change
somewhere between 1.4.3 and 1.6.1 -- in the older code, a comment had
to have the "#" at the start of the line, and now there can be
whitespace in front of it. Just remove the leading whitespace from
those comment lines and all should be fine (though I think 1.4.3
predates the DAL and LDAP support, so you could just drop that section
altogether).

Ken
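
The following is an added example, not part of the thread or of MIT's code: a small checker for the incompatibility described in the reply above. It flags comment lines that have whitespace before the marker, notes the `[dbdefaults]` and `[dbmodules]` sections the reply suggests dropping on 1.4.3, and returns a copy with those comments moved to column 0. The sample input is constructed, its indentation is assumed (the archive shows the posted file flattened), and treating `;` as a comment marker alongside `#` is an assumption beyond what the thread states.

```python
import re

# Constructed sample modelled on the [dbmodules] stanza in the post; the
# indentation is assumed, since the archive has flattened the original.
SAMPLE = """\
[libdefaults]
 default_realm = EXAMPLE.COM
# column-0 comment: accepted by both parser versions
[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  # this object needs to have read rights on
  ldap_conns_per_server = 5
 }
"""

# Comment marker preceded by whitespace: the form the reply says the
# older parser rejects. ';' is included as an assumption.
INDENTED_COMMENT = re.compile(r"^[ \t]+[#;]")
SECTION = re.compile(r"^\s*\[([^\]]+)\]")
# Sections the reply suggests dropping on 1.4.3 (believed to predate DAL/LDAP).
LDAP_SECTIONS = {"dbdefaults", "dbmodules"}

def lint(text):
    """Return (findings, fixed_text); findings are (lineno, section, kind)."""
    findings, fixed, section = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            if section in LDAP_SECTIONS:
                findings.append((n, section, "ldap-section"))
        elif INDENTED_COMMENT.match(line):
            findings.append((n, section, "indented-comment"))
            line = line.lstrip(" \t")  # move the comment marker to column 0
        fixed.append(line)
    return findings, "\n".join(fixed) + "\n"

if __name__ == "__main__":
    findings, fixed = lint(SAMPLE)
    for n, section, kind in findings:
        print(f"line {n} [{section}]: {kind}")
```

Running `lint()` over a krb5.conf before distributing it to hosts with mixed library versions catches the case where one client fails at library initialization while the others parse the same file cleanly.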
