Hi Michael,
  From what I know about Kerberos and the configurations for the same, ideally 
there is one more section which I feel should be included in the krb5.conf 
file. It is called the libdefaults section where we can specify the default 
values for some of the parameters like the domain name, ticket lifetime etc. 
The section looks something like this:
   
[libdefaults]
        ticket_lifetime = 24000
        default_realm = MYDOMAIN.COM

  So you need to have 3 sections in your krb5.conf - libdefaults, realms and 
domain_realm.
   
  Normally they do provide a template for the Kerberos config file with the 
installation for every OS. 
  E.g. for AIX the default file looks as follows: 
   
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
        default_realm = ___default_realm___
[realms]
        ___default_realm___ = {
                kdc = ___master_kdc___
                ___slave_kdcs___
                admin_server = ___master_kdc___
        }
[domain_realm]
        ___domain_mapping___
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                # How often to rotate kdc.log. Logs will get rotated no more
                # often than the period, and less often if the KDC is not used
                # frequently.
                period = 1d
                # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                versions = 10
        }
[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
   
  This is the same for all the UNIX flavours. 
  Can you try adding the libdefaults section as well in the krb5.conf file?
   
  All the best,
  Regards,
  Sayali

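A quick way to check a krb5.conf against the points made in the reply above: the following Python script (an added example, not part of this thread or of MIT Kerberos) parses the file and reports a missing default_realm in [libdefaults], a realm with no kdc, and a domain_realm mapping to a realm that is not defined. The two-section file from the original question, quoted below, is embedded as constructed input.

```python
"""Lint a krb5.conf for the sections the reply above says a client needs.
Added example, not MIT Kerberos tooling: it parses the subset of krb5.conf
syntax seen in the thread ([section], key = value, key = { ... }, # comments)."""
import re

_ASSIGN = re.compile(r"(\S+?)\s*=\s*(.*)")

def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}}; a repeated key keeps its last value."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif (m := _ASSIGN.match(line)) and stack:
            key, val = m.groups()
            if val == "{":                          # nested block, e.g. a realm
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            else:
                stack[-1][key] = val
        # blank lines and bare placeholders such as ___slave_kdcs___ are ignored
    return conf

def lint_krb5_conf(text):
    """Return the problems a krb5 client would hit with this configuration."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]: the library has to "
                        "discover the realm some other way (the thread saw a "
                        "_kerberos TXT DNS lookup instead of KDC traffic)")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for realm, cfg in realms.items():
        if not isinstance(cfg, dict) or "kdc" not in cfg:
            problems.append(f"realm {realm} lists no kdc")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm maps {domain} to undefined realm {realm}")
    return problems

# Constructed inputs: the two-section file from the question, and the same file with [libdefaults] added.
MINIMAL_CONF = "[realms]\nWIN.NET = {\nkdc = ts0.win.net\n}\n\n[domain_realm]\n.foo.net = WIN.NET\nfoo.net = WIN.NET\n"
FIXED_CONF = "[libdefaults]\n        default_realm = WIN.NET\n\n" + MINIMAL_CONF
```

Running lint_krb5_conf(MINIMAL_CONF) reports only the missing default_realm, while FIXED_CONF passes clean.
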
Michael B Allen <[EMAIL PROTECTED]> wrote:
  I was just trying pam_krb5 for kicks but it can't find my KDC. My
/etc/krb5.conf is just:

[realms]
WIN.NET = {
kdc = ts0.win.net
}

[domain_realm]
.foo.net = WIN.NET
foo.net = WIN.NET

I would think this should be sufficient no?

From looking at a capture I can see it trying a TXT _kerberos.foo.net
lookup but even if I add a record for this with "WIN.NET" I see no
communication with the KDC.

Obviously I don't know what I'm doing. Can someone enlighten me?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
