I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
FreeIPA server running on it. I am trying to get a TGT from it, from my
Windows 7 Enterprise machine. I am able to easily interact with it from other
Linux hosts, but I am not having any luck from the Windows one.

I have installed MIT Kerberos Tools for Windows on the Windows computer. I
also copied over the /etc/krb5.conf file from a Linux host that is able to
contact it. It contains the following:

  default_realm = ABC
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

  PCS = {
    kdc = ldap.abc:88
    master_kdc = ldap.abc:88
    admin_server = ldap.abc:749
    default_domain = abc
    pkinit_anchors = FILE:H:\Kerberos\ca.crt

  .abc = ABC
  abc = ABC

(Note that in the real file, I don't use "ABC" as the realm or domain; the
real value is something else.)

I also copied over the ca.crt file and saved it to my Windows machine, and
pointed the config file to it.

If I set the KRB5_CONFIG environment variable in a command prompt and run
`kinit username@ABC` (replacing username and ABC with my real username and
the real realm, obviously) I get only this inscrutable and undescriptive error:

    kinit: Invalid argument while getting initial credentials

I am wondering if it's a resolution issue brought on by proxying or something
related: to get to ldap.abc, I have to go through a proxy. Web browsers are
able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc

Is this something that's even possible to do? Any pointers on where I should go
to look for documentation would be appreciated.

