Mchugh, Sean wrote:
> Looking for some advice on how to proceed or if anyone has had the same
> issue; google hasn't come to my rescue yet:
>
>
> Our Active Directory 2003 domain is called: GGG.LOCAL
> Our userprincipalnames are setup to match our smtp address, in this case
> [email protected]
>
> I can kinit successfully with: [email protected]

Correct, Kerberos principals are case sensitive, (but Windows and DNS
are insensitive.) So your realm name is GGG.LOCAL so must be upper case.

> But not with: [email protected] _or_ [email protected] ; error message

Won't work, as there is no realm called grey.com (or GRAY.COM)

[email protected] might get further, but I bet Windows returns
[email protected] and kinit gets confused, as ggg.local != GGG.LOCAL

> is: "kinit(v5): KRB5 error code 68 while getting initial credentials"
>
> Running Centos 5.2 with the following krb5 packages installed:
>
> krb5-libs-1.6.1-31.el5_3.3
> pam_krb5-2.2.14-1.el5_2.1
> pam_krb5-2.2.14-1.el5_2.1
> krb5-libs-1.6.1-31.el5_3.3
> krb5-workstation-1.6.1-31.el5_3.3
> krb5-devel-1.6.1-31.el5_3.3
>
>
> Following SRV record was manually added: _kerberos._tcp.grey.com 0 100 88
> dc.ggg.local.

The above does not look correct. Even if the krb libs find via DNS
the dc.ggg.local KDC, the KDC does not support the realm grey.com:
only GGG.LOCAL (or ggg.local)

> Following is /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = GGG.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [domain_realm]
> .ggg.grey.global = GGG.LOCAL
> ggg.grey.global = GGG.LOCAL
> .grey.com = GGG.LOCAL
> grey.com = GGG.LOCAL
>
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>   validate = true
> }
>

So use uppercase realm names with Kerberos apps.

>
> Sean McHugh
> VP, Dir. of Global Services
> Grey Group
> p. 212-546-1926
> m. [email protected]
> c. 917-916-8644
>
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

 Douglas E. Engert <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
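
The realm checks the reply walks through, as an added example that is not part of the original thread: a small Python script that compares the realm part of a principal with the realms named in krb5.conf. The user name `user`, the function names and the trimmed config excerpt are assumptions constructed from the quoted /etc/krb5.conf.

```python
import re

# Constructed excerpt of the krb5.conf quoted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = GGG.LOCAL
 dns_lookup_realm = true

[domain_realm]
 .grey.com = GGG.LOCAL
 grey.com = GGG.LOCAL
"""

def configured_realms(conf_text):
    """Realm names from default_realm and the right-hand side of [domain_realm].

    The left-hand side of [domain_realm] holds DNS host/domain names, not
    realms, so grey.com there does not create a realm called grey.com.
    """
    realms, section = set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if section == "domain_realm" or (section == "libdefaults" and key == "default_realm"):
            realms.add(value)
    return realms

def check_principal(principal, conf_text):
    """Classify the realm part of a principal against the configured realms."""
    realms = configured_realms(conf_text)
    _, sep, realm = principal.rpartition("@")
    if not sep:
        return "ok: no realm given, default_realm is used"
    if realm in realms:
        return "ok: exact match for realm " + realm
    for known in sorted(realms):
        if known.lower() == realm.lower():
            return "case mismatch: use %s, not %s" % (known, realm)
    return "unknown realm: %s is not a configured Kerberos realm" % realm

if __name__ == "__main__":
    for p in ("user@GGG.LOCAL", "user@ggg.local", "user@grey.com"):
        print(p, "->", check_principal(p, KRB5_CONF))
```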
