error : kinit(v5) : KRB5 error code 52 while getting initial credentials

Douglas E. Engert deengert at anl.gov
Thu Mar 13 10:31:04 EDT 2008


As Kevin said yesterday, Kerberos 1.2.7 will not work well with Windows.
It does not support TCP, only UDP. That is the error 52 problem.

Upgrade the Kerberos on the server.


sunil chandran wrote:
> Hello Douglas,
>  
> 
>  Let me confirm:
> 
>                          Sun
>                           |
>               Co.yy               xx.com
>                 |                   |
>          Test, ..., ...      pilot, ..., ...
> 
> In this XX.COM is implemented in Windows Domain
> Controller and KDC is existing here.
> 
> CO.YY is implemented using BIND for DNS. No KDC is present here. Now
> here my machine is a test server. I need to get a ticket for my test
> server from KDC which is in other domain XX.COM. This is
> to check whether my keytab is successful and whether KDC sends correct
> tickets or not. So I did a kinit from my server to get a ticket from KDC.
> 
>  
> 
> ktpass is a Windows command. ------Yes
> 
> What system is the KDC?   (Windows )
> 
> What system is the server? Linux
> 
> What system is the client? ---the machine I am using to get ticket from
> KDC is the server itself. I need to install my keytab for server and
> then request for a ticket from KDC to check if it's successful and
> whether KDC sends correct tickets or not.
> 
> Here I am facing the problem when requesting for ticket from KDC for my
> server. I am checking whether keytab is installed and whether KDC sends
> correct tickets or not.
> 
> After this scenario only, I will go for a client which will be a
> Windows client.
> 
> So please help me understand my problem
> 
> error : kinit(v5) : KRB5 error code 52 while getting initial credentials
> 
> You have told about going for new version of Kerberos.
> 
> Let me confirm :
> 
> I tried a pilot server in KDC domain XX.COM. I got a
> keytab and installed it in the pilot server. Then I did a kinit to request
> a ticket and it was successful. I checked the ticket with my keytab
> details. It was a correct ticket. This pilot server in xx.com
> domain is using krb1.2.7.
> 
> So it is successful in the server of same domain (pilot.xx.com)
> 
> But it gives an error when I try to do it in a server with keytab and
> the server exists in another domain and no KDC in it, mapping is done
> in krb5.conf in this server. (test.co.yy)
> 
>  
> 
> Regards
> Sunil C
> 
> 
>  
> On Wed, Mar 12, 2008 at 11:00 PM, Douglas E. Engert <deengert at anl.gov> wrote:
> 
> 
> 
>     Sunil Chandrasekharan wrote:
>      > Hello all,
>      >  I am Sunil C. I have a domain named xx.com which has a KDC.
>      >  I also have a domain co.yy where my server is. There is no KDC in it.
>      >  Users are in xx.com domain, but my servers are in (co.yy) domain.
> 
>     Windows domain or DNS domain?
> 
>      > I had set up a test scenario with a user and a server in domain
>      > (xx.com).
>      > Since KDC was set up I got a ticket and was able to authenticate well
>      > using Kerberos.
>      > My issue is that all my production servers are in domain (co.yy) which
>      > doesn't have a KDC.
>      > I want to authenticate and use the server services in that domain.
>      > Setting up KDC is not feasible in both domains for me.
>      >  Now I have done some configuration in krb5.conf file on my server
>      > (test.co.yy)
> 
>     This must be in the krb5.conf on the client. It maps a hostname to a
>     realm.
> 
>      > [domain_realm]
>      > xx.com = XX.COM
>      > .xx.com = XX.COM
>      > co.yy = XX.COM
>      > .co.yy = XX.COM
>      > This shows that my domain co.yy, which does not have a KDC, I have
>      > mapped to the realm XX.COM.
>      >
>      >  Now I have some issues.
>      > 1) I tried to get a keytab from the KDC of XX.COM (my server in
>      > co.yy)
>      >  > ktpass -princ HTTP/test.co.yy@XX.COM
> 
>     ktpass is a Windows command.
>     What system is the KDC?   (Windows? Linux? other?)
>     What system is the server?
>     What system is the client?
> 
>      > 2) I somehow managed to get a keytab. I copied into Apache folder and
>      > executed the command.
>      >
>      > kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
>      > password: xxxx
>      >
>      > error : kinit(v5) : KRB5 error code 52 while getting initial
>      > credentials
>      >
>      >  Please help me understand what is this error.
>      >  Is it some issue with domain mapping configuration in krb5.conf file?
>      > I am using Kerberos 1.2.7 version.
> 
>     If KDC, client, or server use Windows, get a newer version of Kerberos.
> 
> 
>      >
>      >  Thanks in advance
>      >
>      >  Sunil C
> 
>     --
> 
>      Douglas E. Engert  <DEEngert at anl.gov>
>      Argonne National Laboratory
>      9700 South Cass Avenue
>      Argonne, Illinois  60439
>      (630) 252-5444
> 
> 
> 
> 
> -- 
> Sunil

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
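
Added example (not part of the original message and not MIT Kerberos code): KRB5 error code 52 is KRB_ERR_RESPONSE_TOO_BIG in RFC 4120, the KDC's signal that its reply does not fit in a UDP datagram and the client has to retry over TCP. The Python below decodes a KDC reply as it would be captured from UDP port 88 and reports that case; the sample message, its timestamp and all function names are constructed for illustration.

```python
KRB_ERR_RESPONSE_TOO_BIG = 52          # RFC 4120 error code

def tlv(tag, body):
    """Encode one DER element (short-form length is enough for the sample)."""
    if len(body) >= 0x80:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x7E:                    # [APPLICATION 30] marks KRB-ERROR
        return None
    tag, seq, _ = read_tlv(body, 0)
    pos = 0
    while tag == 0x30 and pos < len(seq):
        tag2, field, pos = read_tlv(seq, pos)
        if tag2 == 0xA6:               # error-code [6] INTEGER
            return int.from_bytes(read_tlv(field, 0)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def next_step(udp_reply):
    """What a client should do with a reply received over UDP."""
    code = krb_error_code(udp_reply)
    if code is None:
        return "not-an-error"
    return "retry-over-tcp" if code == KRB_ERR_RESPONSE_TOO_BIG else "kdc-error-%d" % code

def sample_krb_error(code):
    """Constructed KRB-ERROR for realm XX.COM (not a real capture)."""
    integer = lambda n: tlv(0x02, bytes([n]))
    sname = tlv(0x30, tlv(0xA0, integer(2)) + tlv(0xA1, tlv(0x30,
                tlv(0x1B, b"krbtgt") + tlv(0x1B, b"XX.COM"))))
    fields = [(0xA0, integer(5)), (0xA1, integer(30)),
              (0xA4, tlv(0x18, b"20080313143104Z")), (0xA5, integer(0)),
              (0xA6, integer(code)), (0xA9, tlv(0x1B, b"XX.COM")), (0xAA, sname)]
    return tlv(0x7E, tlv(0x30, b"".join(tlv(t, v) for t, v in fields)))
```

A client that can only speak UDP has no way to act on "retry-over-tcp", so it reports the code instead, as in the kinit output quoted above.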


