Incorrect Kerberos Auth Config File?

Chris cc lazyboy_2k at yahoo.com
Wed Nov 8 14:27:55 EST 2006


Thanks a lot for some pointers & suggestions, guys.  I finally get it to work.  The problem was that I enter incorrect ip of my domain controller, doh!!!  

Cool,
-Chris

"Douglas E. Engert" <deengert at anl.gov> wrote: 

Will Fiveash wrote:
> On Tue, Nov 07, 2006 at 05:14:20PM -0800, Chris cc wrote:
> 
>>Will,
>>
>>I use sol 10 + latest patches.  I have followed your suggestions and I'm still in the dark.  I'm also not able to ping KDC as you ask.  At this point, I have no ideas where else to troubleshoot.  Any helps are really appreciated.
>>
> 
> 
> I can only help so much (very busy).  You need to determine why the ping
> isn't working first.  I assume the network is configured on your Solaris
> box.  Is the KDC/AD up?  Are you sure of the KDC hostname?  Are you sure
> the IP address returned by nslookup for the KDC is correct?  Is your
> network routing properly configured?  Have you tried traceroute?  Are
> other systems able to ping the KDC?  If so, then this points to a
> network issue with the Solaris system.  If not, then look elsewhere.

Chris,

Have you talked to your AD administrators?

What is the Active Directory Domain Name?
(You have obfuscated the names in you e-mail that makes it harder to spot
the problems.)


See if they have updated DNS with the service records that point at the KDCs.
On Solaris 10: /usr/sbin/nslookup
On Windows in a cmd window: nslookup:
  set type=ANY
  _kerberos._tcp.WHATEVER.COM
  _kerberos._udp.WHATEVER.COM

These should show the service records with priority, weight, 88 for the port and
the hostname of the KDC/AD. The information could also be added
to the krb5.conf file if needed. But check if they updated DNS as they should have.

P.S. Why would you want to use telnet? In you example of using telnet,
you would be sending your password over the net in clear text. Why not ssh?

> 
> In regards to the kerberos config on Solaris make sure you read the
> Solaris 10 Security Administration guide at docs.sun.com very carefully.
> 

-- 

  Douglas E. Engert  
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


 
---------------------------------
Everyone is raving about the all-new Yahoo! Mail.


More information about the Kerberos mailing list