KRB5 error code 52 while getting initial credentials

sunilcnair sunilcnair at hotmail.com
Wed Mar 12 02:05:44 EDT 2008


Hello all,

I am Sunil C. I have a domain named xx.com which has a KDC.
I also have a domain co.yy where my server is. There is no KDC in it.

Users are in the xx.com domain.

But my servers are in the (co.yy) domain.

I had set up a test scenario with a user and a server in domain (xx.com).
Since the KDC was set up, I got a ticket and was able to authenticate well using
Kerberos.

My issue is that all my production servers are in domain (co.yy), which
doesn't have a KDC. I want to authenticate and use the server services in
that domain.
Setting up a KDC is not feasible in both domains for me.

Now I have done some configuration in the krb5.conf file on my server
(test.co.yy):

[domain_realm]
xx.com = XX.COM
.xx.com = XX.COM
co.yy = XX.COM
.co.yy = XX.COM

This shows that my domain co.yy, which does not have a KDC, I have mapped
to the realm XX.COM.

Now I have some issues.

1) I tried to get a keytab from the KDC of XX.COM (my server in co.yy)

> ktpass -princ HTTP/test.co.yy@XX.COM

2) I somehow managed to get a keytab.
I copied it into the Apache folder and executed the command.

kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
password: xxxx

error : kinit(v5) : KRB5 error code 52 while getting initial credentials

Please help me understand what this error is. Is it some issue with the domain
mapping configuration in the krb5.conf file? I am using Kerberos version 1.2.7.

Thanks

Sunil C

----------------------------


In article <mailman.115.1197917539.11331.kerberos at mit.edu>,
sunilcnair <sunilcnair at hotmail.com> wrote:

> This is Sunil here, i am working on the cross domain authentication using
> kerberos, i have two domains (xx.com) and (co.yy), and i am in a dilemma as
> to install 2 KDC in both the domains or is it sufficient for the kdc to be
> installed in only one single domain, and register the other domain as just
> the user of the domain in which the kdc is installed. Also I'd like to avoid
> cross realms scenario, because we should set up another KDC. (thats bit
> difficult) is there any other possibilities of using two domain for kerberos
> without having KDC on both the domains please do clear my doubt. Looking for
> an answer

Kerberos is basically indifferent to DNS domains, and
one Kerberos "realm" can certainly serve many DNS domains.
Application software may rely on DNS for realm information,
though - configuration files may specify realm/domain maps,
and Kerberos realm information can be published in special
DNS SRV and TXT records. If you have tried this and were
not able to make it work, check that the [domain_realm]
section of your configuration file includes the new domain.

Donn Cave, donn at u.washington.edu



________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



-- 
View this message in context: http://www.nabble.com/KRB5-error-code-52-while-getting-initial-credentials-tp15998090p15998090.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
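
Added example (not part of the original messages): a small Python check of how a [domain_realm] section like the one in the post maps a server hostname to a realm. The search order (exact hostname, then each parent domain with and without a leading dot) models MIT krb5's lookup as an assumption, and the function names are hypothetical.

```python
"""Resolve a hostname to a Kerberos realm from a [domain_realm] section."""

# Constructed sample: the mapping quoted in the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = XX.COM

[domain_realm]
xx.com = XX.COM
.xx.com = XX.COM
co.yy = XX.COM
.co.yy = XX.COM
"""


def parse_domain_realm(conf_text):
    """Return {tag: realm} for the [domain_realm] section only."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(tag.lower(), realm)  # keep first entry per tag
    return mapping


def candidates(hostname):
    """Yield lookup keys: the host, then each parent as '.domain', 'domain'."""
    key = hostname.lower().rstrip(".")
    while key:
        yield key
        if key.startswith("."):
            key = key[1:]
        else:
            dot = key.find(".")
            key = key[dot:] if dot != -1 else ""


def realm_for_host(hostname, mapping):
    """Return (realm, matching_tag), or (None, None) when nothing maps."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key], key
    return None, None
```

A host that returns (None, None) here has no [domain_realm] entry covering it, which is the first thing to rule out when a service principal in a second DNS domain fails to resolve to the intended realm.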




