cannot get msktutil

Ken Dreyer ktdreyer at ktdreyer.com
Thu Apr 5 11:35:37 EDT 2012


On Thu, Apr 5, 2012 at 8:20 AM, Douglas E. Engert <deengert at anl.gov> wrote:
>
> On 4/4/2012 4:36 PM, Simon Dwyer wrote:
>> Hi All,
>>
>> I have been banging my head against this for a few weeks now.
>>
>> I am trying to use squid with kerberos and so I need to get my machine
>> into the Active Directory domain.
>>
>> My config follows: http://pastebin.com/PNTwGKLf
>>
>> The output for when I run msktutil: http://pastebin.com/aQQavMJd
>
> It looks like it can not change the password in AD.
> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

The error text is sort of misleading. There was a bug in MIT Kerberos
1.9 that causes this function to fail in certain AD scenarios. The
client sends a TGS-REQ for "kadmin/changepw", but AD responds with
a TGT. It's fixed by
https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a,
but this patch is not in RHEL 6.2's kerberos libraries.

If you have a support contract with Red Hat and you are experiencing
this issue in your environment, I encourage you to file a support
request with them to get this patch into RHEL 6's krb5 package.

- Ken

