Kerberos (MIT) clients cannot find administrative server through DNS.
Hi guys,
This problem has taken me the whole Sunday and the only thing I've got left before I start kicking my computer equipment is to ask you guys for help. I have a problem on the client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV records. It only works if I use the relevant directives in the krb5.conf files. The Kerberos-related part of my DNS zone looks like this:

Code:

Please note, the $ORIGIN is my-domain.xx. If I configure the basic krb5.conf file on one of my clients, containing only:

Code:
[libdefaults]

When I run the command kinit mhead/admin, it finds the KDC server. After typing in the password, after the successful authentication, I run kadmin and get the following error:

Code:
Authenticating as principal mhead/admin@MY-DOMAIN.XX with password.

If I add the [realm] stanza in the krb5.conf file containing:

Code:
[realms]

The same problem happens on both virtual machines that I'm using as clients - a Debian and a CentOS, so it's not a 'one-machine-only problem'. Something is weird regarding the admin server. I mean, without the [realms] stanza, the client does query the DNS properly for the KDC master - it can be tracked in the DNS logs and, even logically, with no [realms] stanza there is no other place than DNS where it can find this information. So, the actual authentication of the principal works. It's the kadmin part that exits with the error message above. According to all the manuals, books and guides I've read, this shouldn't be happening. The [libdefaults] section with default_realm defined in krb5.conf, in combination with proper DNS records, should be everything a Kerberos client needs. But apparently not. I don't remember having any problems like this before. This is the first time in several months that I have freshly installed a KDC. I believe the Kerberos packages did get updated a few times since then. Could this be a bug of some kind introduced in a newer version of the libs? I have the latest packages on CentOS 5.3. Thanks in advance.
Heh. Now, after looking more closely at the documentation on the MIT website, it actually appears that this is "normal" behaviour of MIT Kerberos.
Quote:
Perhaps I'll switch to Heimdal instead. I got confirmation from a friend of mine that this is already implemented in that distribution.
bash-4.1# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Here is the krb5.conf file:

bash-4.1# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realm]
 TESTER.COM = {
  kdc = yog.com:88
  admin_server = yog.com:749
 }

[domain_realm]
 .in.com = TESTER.COM
 in.com = TESTER.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb5_convert = false
 }

I am getting this error. Please help.
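As an added example (my own code, not from either post), a small Python check of a client-side krb5.conf for the parameters the MIT kadmin client needs: it parses the syntax subset used in the posts and reports a misspelt [realm] section, a missing admin_server for the default_realm, and disabled DNS lookups. The sample config is trimmed from the post above; the parser and its messages are assumptions of this example, and _kerberos-adm._tcp is the SRV name MIT uses for the admin server.

```python
import re

# Added example, not code from the thread: checks a krb5.conf for what the MIT
# kadmin client needs ([section] headers, key = value, REALM = { ... } blocks).
def parse_krb5_conf(text):
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                section[key] = value
    return conf

def kadmin_problems(text):
    conf, problems = parse_krb5_conf(text), []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    for name in conf:  # a misspelt section such as [realm] is silently ignored
        if name != "realms" and name.startswith("realm"):
            problems.append(f"section [{name}] is not [realms] and is ignored")
    if "admin_server" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"no admin_server for {realm} in [realms]")
        # Only DNS SRV _kerberos-adm._tcp.<realm> is left, and per the thread MIT kadmin of that time ignores it.
        if libdefaults.get("dns_lookup_kdc", "true").lower() == "false":
            problems.append("dns_lookup_kdc = false, so DNS SRV records are not used")
    return problems

# Sample input from the post above, trimmed: [realm] should read [realms].
POSTED_CONF = """[libdefaults]
 default_realm = TESTER.COM
 dns_lookup_kdc = false
[realm]
 TESTER.COM = {
  admin_server = yog.com:749
 }
"""
```

Running kadmin_problems(POSTED_CONF) lists the ignored [realm] section, the missing admin_server and the disabled DNS lookup; renaming the section to [realms] clears all three.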