Haiden, Scott B. wrote:

I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a FreeIPA server running on it. I am trying to get a TGT from it, from my Windows 7 Enterprise machine. I am able to easily interact with it from Linux hosts, but I am not having any luck from the Windows one.

I have installed MIT Kerberos Tools for Windows on the Windows computer. I also copied over the /etc/krb5.conf file from a Linux host that is able to contact it. It contains the following:


   [libdefaults]
     default_realm = ABC
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes

   [realms]
     PCS = {
       kdc = ldap.abc:88
       master_kdc = ldap.abc:88
       admin_server = ldap.abc:749
       default_domain = abc
       pkinit_anchors = FILE:H:\Kerberos\ca.crt
     }

   [domain_realm]
     .abc = ABC
     abc = ABC

(Note that in the real file, I don't use "ABC" as the realm or domain, but the real value is something else.)

I also copied over the ca.crt file and saved it to my Windows machine, and pointed the config file to it.

If I set the KRB5_CONFIG environment variable in a command prompt and run `kinit username@ABC` (replacing username and ABC with my real username and the real realm, obviously) I get only this inscrutable and undescriptive error:

     kinit: Invalid argument while getting initial credentials

I am wondering if it's a resolution issue brought on by proxying or related: to get to ldap.abc, I have to go through a proxy. Web browsers are able to successfully navigate to it at https://ldap.abc but nslookup

Is this something that's even possible to do? Any pointers on where I should go to look for documentation would be appreciated.

It's been forever, probably 6 years, since I looked at MIT Kerberos on Windows, but I believe the client has some sort of auto-configure option where it will fetch the configuration from a server. The IPA server should be configured to provide this configuration (there were 3 files IIRC). You could try re-configuring using that.

Alternatively I'd start with /var/log/krb5kdc.log to see if it is getting to the KDC at all.
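Before going to the KDC log, it is worth checking the client profile itself for cross-section inconsistencies, because kinit reports most of them without saying which setting is at fault. The config as posted sets default_realm = ABC in [libdefaults] and maps .abc/abc to ABC in [domain_realm], but the only realm block under [realms] is named PCS, so there is no KDC entry for the realm kinit is asked to use. The following Python lint is an added example, not code from this thread, FreeIPA or MIT Kerberos: it parses the subset of krb5.conf syntax the posted file uses (sections, key = value, brace-delimited realm blocks) and reports such mismatches. The embedded sample is a constructed reconstruction of the posted file with the [section] headers and closing brace restored; the function names are my own.

```python
"""Lint a krb5.conf for cross-section inconsistencies that kinit does not
explain.  Added example, not part of the original thread.  Handles the
MIT profile subset used in the posted file: [sections], key = value lines,
and 'key = {' blocks closed by a line containing only '}'."""

import re
from typing import Any, Dict, List

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse krb5.conf text into {section: {key: value-or-nested-dict}}."""
    conf: Dict[str, Dict[str, Any]] = {}
    section = None
    stack: List[Dict[str, Any]] = []          # currently open '{' blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # MIT treats these as comments
            continue
        m = SECTION_RE.match(line)
        if m:
            if stack:
                raise ValueError(f"unterminated block before [{m.group(1)}]")
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"key outside any [section]: {line!r}")
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        target = stack[-1] if stack else conf[section]
        if value == "{":
            block: Dict[str, Any] = {}
            target[key] = block
            stack.append(block)
        else:
            target[key] = value                 # repeated keys keep the last
    if stack:
        raise ValueError("unterminated block at end of file")
    return conf


def check_krb5_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    conf = parse_krb5_conf(text)
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")

    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry "
                        f"(defined realms: {sorted(realms) or 'none'})")

    # With dns_lookup_kdc = false, every realm must name its KDC explicitly.
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    for realm, block in realms.items():
        if not isinstance(block, dict):
            findings.append(f"[realms] {realm} is not a brace-delimited block")
            continue
        if realm != realm.upper():
            findings.append(f"realm name {realm!r} is not upper-case")
        if not dns_kdc and "kdc" not in block:
            findings.append(f"realm {realm} has no kdc and dns_lookup_kdc is false")
        anchors = block.get("pkinit_anchors")
        if anchors and not anchors.startswith(("FILE:", "DIR:", "ENV:")):
            findings.append(f"realm {realm}: pkinit_anchors needs a FILE:/DIR:/ENV: prefix")

    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain!r} to undefined realm {realm!r}")
    return findings


# Constructed reconstruction of the posted file (section headers and closing
# brace restored); realm and host names are exactly as posted.
POSTED_CONF = """\
[libdefaults]
  default_realm = ABC
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  PCS = {
    kdc = ldap.abc:88
    master_kdc = ldap.abc:88
    admin_server = ldap.abc:749
    default_domain = abc
    pkinit_anchors = FILE:H:\\Kerberos\\ca.crt
  }

[domain_realm]
  .abc = ABC
  abc = ABC
"""

# The same file with the realm block renamed to match default_realm.
FIXED_CONF = POSTED_CONF.replace("PCS = {", "ABC = {")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for finding in check_krb5_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run against the posted shape this reports three findings (the default_realm with no [realms] block, and the two [domain_realm] mappings pointing at it); renaming the block to ABC clears them. Once the profile is self-consistent and kinit still fails, MIT kinit (1.9 and later) writes a step-by-step trace, including which KDC it tried to reach, to the file named in the KRB5_TRACE environment variable, which is the quickest way to tell a profile error from the proxy/resolution problem suspected above.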


