Ubuntu Kerberos and Active Directory

Russ Allbery rra at stanford.edu
Fri Sep 8 22:10:38 EDT 2006


Rohit Mehta <rohitm at engr.uconn.edu> writes:

>> It's attempting to verify the credentials against a host keytab and can't
>> find the Kerberos realm for the host.  You can probably fix this by adding
>> an appropriate mapping to the [domain_realm] section of your krb5.conf.

> The domain_realm section of my krb5.conf looks like this:
> [domain_realm]
>     .ad.engr.uconn.edu   = AD.ENGR.UCONN.EDU
>     ad.engr.uconn.edu    = AD.ENGR.UCONN.EDU

> AD.ENGR.UCONN.EDU should be my kerberos realm.

> Perhaps the fact that I have a different domain (for NIS) in 
> /etc/domainname creates a problem?

No, that won't matter.

What's failing is this call:

   krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, &princ);

with a service of "host".  I don't understand why this call would be
failing with that error message when kinit is otherwise finding the right
realm.

> Perhaps it would be worthwhile to try identical steps in Debian Sarge?
> (I'm not really sure how stable Ubuntu is, but I like that all my
> hardware works in it with no fighting!)

I doubt you'll get any different behavior in Debian sarge.  In Debian
etch, this function isn't used any more; instead, the native Kerberos
library function that does the same thing is called.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list