pam_krb5 can't locate my KDC

sayali k sayali_s_kulkarni at yahoo.co.in
Mon Aug 21 00:02:06 EDT 2006


Hi Michael,
  From what I know about Kerberos and the configurations for the same, ideally there is one more section which I feel should be included in the krb5.conf file. It is called the libdefaults section where we can specify the default values for some of the parameters like the domain name, ticket lifetime etc. The section looks something like this:
   
  [libdefaults]
        ticket_lifetime = 24000
        default_realm = MYDOMAIN.COM

  So you need to have 3 sections in your krb5.conf - libdefaults, realms and domain_realm.
   
  Normally they do provide a template for the Kerberos config file with the installation for every OS. 
  E.g. for AIX the default file looks like this:
   
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
        default_realm = ___default_realm___
[realms]
        ___default_realm___ = {
                kdc = ___master_kdc___
                ___slave_kdcs___
                admin_server = ___master_kdc___
        }
[domain_realm]
        ___domain_mapping___
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        # How often to rotate kdc.log. Logs will get rotated no more
        # often than the period, and less often if the KDC is not used
        # frequently.
                  period = 1d
        # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                  versions = 10
        }
[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
   
  This is the same for all the UNIX flavours. 
  Can you try adding the libdefaults section as well in the krb5.conf file?
   
  All the best,
  Regards,
  Sayali

Michael B Allen <mba2000 at ioplex.com> wrote:
  I was just trying pam_krb5 for kicks but it can't find my KDC. My
/etc/krb5.conf is just:

[realms]
WIN.NET = {
kdc = ts0.win.net
}

[domain_realm]
.foo.net = WIN.NET
foo.net = WIN.NET

I would think this should be sufficient no?

From looking at a capture I can see it trying a TXT _kerberos.foo.net
lookup but even if I add a record for this with "WIN.NET" I see no
communication with the KDC.

Obviously I don't know what I'm doing. Can someone enlighten me?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

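As an added illustration (not part of this thread, and not code from MIT Kerberos), the following Python script parses the krb5.conf profile format well enough to hold the files quoted above and then reports the gaps this exchange is about: a missing [libdefaults] default_realm, a realm with no kdc line, or a [domain_realm] mapping that points at a realm the file never defines. Both sample configurations are constructed from the original poster's file; the second one simply adds the libdefaults section suggested in the reply. The parser is deliberately simplified (no include directives, no `*` final-value markers, no relation-value quoting), so treat it as a sanity check rather than a substitute for the real library.

```python
"""Minimal krb5.conf parser and completeness checker (added example)."""
import re

SECTION_RE = re.compile(r'^\[([A-Za-z_]+)\]$')
ASSIGN_RE = re.compile(r'^([^=\s]+)\s*=\s*(.*)$')


def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts: {section: {key: value}}.

    A ``key = {`` line opens a nested dict that a lone ``}`` closes; a key
    that repeats inside one block (e.g. several ``kdc =`` lines) becomes a
    list. Lines starting with '#' or ';' are comments, as in MIT's profile
    format. Simplified: no includes, no '*' final markers, no quoting.
    """
    sections = {}
    stack = []  # innermost open block is stack[-1]; empty until a [section]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: data before any [section] header")
        if line == '}':
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: '}}' without an open block")
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        key, value = m.group(1), m.group(2).strip()
        block = stack[-1]
        if value == '{':
            block[key] = {}
            stack.append(block[key])
        elif key in block and not isinstance(block[key], dict):
            prev = block[key]
            block[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            block[key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block at end of file")
    return sections


def check_krb5_conf(text):
    """Return findings that explain why a client could not locate its KDC
    from this file alone. An empty list means the three sections discussed
    in the thread are present and consistent with each other."""
    conf = parse_krb5_conf(text)
    findings = []
    realms = conf.get('realms', {})
    default_realm = conf.get('libdefaults', {}).get('default_realm')

    if default_realm is None:
        findings.append("[libdefaults] has no default_realm; the client must "
                        "discover the realm another way (e.g. DNS TXT _kerberos records)")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")

    for realm, body in realms.items():
        if not isinstance(body, dict) or 'kdc' not in body:
            findings.append(f"[realms] {realm} lists no kdc")

    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to {realm}, "
                            "which is not defined in [realms]")
    return findings


# Constructed sample: the original poster's file as quoted in the thread.
ORIGINAL_CONF = """\
[realms]
WIN.NET = {
kdc = ts0.win.net
}

[domain_realm]
.foo.net = WIN.NET
foo.net = WIN.NET
"""

# Constructed sample: the same file with the suggested [libdefaults] section.
FIXED_CONF = """\
[libdefaults]
        default_realm = WIN.NET

""" + ORIGINAL_CONF

if __name__ == '__main__':
    for name, conf in (('original', ORIGINAL_CONF), ('fixed', FIXED_CONF)):
        print(f"{name}: {check_krb5_conf(conf) or 'no findings'}")
```

Running it reports one finding for the original file (no default_realm) and none for the fixed one. Note that the check only covers what the file itself says; whether `ts0.win.net` resolves and answers on the KDC port is a separate question a packet capture, as in the original post, will answer.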


