error : kinit(v5) : KRB5 error code 52 while getting initial credentials
sunil chandran
sunilsushil at gmail.com
Thu Mar 13 03:34:29 EDT 2008
Hello Douglas,
Let me confirm:
                 Sun
                  |
      Co.yy               xx.com
        |                    |
  Test, ..., ...       pilot, ..., ...
In this, XX.COM is implemented in a Windows Domain Controller and the KDC
exists here.
CO.YY is implemented using BIND for DNS. No KDC is present here. Now here my
machine is a test server. I need to get a ticket for my test server from the KDC,
which is in the other domain, XX.COM. This is to check whether my keytab is
successful and whether the KDC sends correct tickets or not. So I did a kinit
from my server to get a ticket from the KDC.
ktpass is a Windows command. --- Yes
What system is the KDC? --- Windows
What system is the server? --- Linux
What system is the client? --- The machine I am using to get a ticket from the KDC
is the server itself. I need to install my keytab for the server and then
request a ticket from the KDC to check if it is successful and whether the KDC
sends correct tickets or not.
Here I am facing the problem when requesting a ticket from the KDC for my
server. I am checking whether the keytab is installed and whether the KDC sends
correct tickets or not.
Only after this scenario will I go for a client, which will be a Windows
client.
So please help me understand my problem:
error : kinit(v5) : KRB5 error code 52 while getting initial credentials
You have told about going for new version of Kerberos.
Let me confirm :
I tried a pilot server in the KDC domain XX.COM. I got a keytab and installed it in
the pilot server. Then I did a kinit to request a ticket and it was
successful. I checked the ticket against my keytab details. It was a correct
ticket. This pilot server in the xx.com domain is using krb1.2.7.
So it is successful on the server in the same domain (pilot.xx.com).
But it gives an error when I try to do it on a server with a keytab where the
server exists in another domain with no KDC in it; the mapping is done in
krb5.conf on this server (test.co.yy).
Regards
Sunil C
On Wed, Mar 12, 2008 at 11:00 PM, Douglas E. Engert <deengert at anl.gov>
wrote:
>
>
> Sunil Chandrasekharan wrote:
> > Hello all,
> > i am Sunil C. i have a domain named xx.com which has a KDC.
> > i also have a domain co.yy where my server is. there is no KDC in it.
> > users are in xx.com domain. but my servers are in (co.yy) domain.
>
> Windows domain or DNS domain?
>
> > i had set up a test scenario with a user and a server in domain
> > (xx.com).
> > since KDC was setup i got ticket and was able to authenticate well
> > using kerberos.
> > my issue is that all my production servers are in domain (co.yy) which
> > doesn't have a KDC.
> > i want to authenticate and use the server services in that domain.
> > setting up KDC is not feasible in both domains for me.
> > now i have done some configuration in krb5.conf file on my server
> > (test.co.yy)
>
> This must be in the krb5.conf on the client. It maps a hostname to a
> realm.
>
> > [domain_realm]
> > xx.com = XX.COM
> > .xx.com = XX.COM
> > co.yy = XX.COM
> > .co.yy = XX.COM
> > this shows that my domain co.yy which does not have a KDC , i have
> > mapped it to the realm XX.COM .
> >
> > now i have some issues.
> > 1) i tried to get a keytab from the KDC of XX.COM ( my server in
> > co.yy)
> > > ktpass -princ HTTP/test.co.yy@XX.COM
>
> ktpass is a Windows command.
> What system is the KDC? (Windows? Linux? other?)
> What system is the server?
> What system is the client?
>
> > 2) i somehow managed to get a keytab . i copied into Apache folder and
> > executed the command.
> >
> > kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
> > password: xxxx
> >
> > error : kinit(v5) : KRB5 error code 52 while getting initial
> > credentials
> >
> > Please help me understand what is this error..
> > is it some issue with domain mapping configuration in krb5.conf file?
> > i am using kerberos 1.2.7 version.
>
> If KDC, client, or server use Windows, get a newer version of Kerberos.
>
>
> >
> > Thanks in advance
> >
> > Sunil C
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
--
Sunil
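
The [domain_realm] mapping discussed in this thread, as an added example that is not part of the original messages: a small Python resolver that checks which realm a client would pick for a host. It assumes the documented lookup rule (an exact host name entry first, then parent domains written with a leading period); the function names and the [libdefaults] line are illustrative, and the config text is constructed from the entries quoted above.

```python
# Added example: resolve a host name to a Kerberos realm from [domain_realm].
import re

# Constructed krb5.conf fragment using the mappings quoted in the thread.
KRB5_CONF = """
[libdefaults]
    default_realm = XX.COM

[domain_realm]
    xx.com = XX.COM
    .xx.com = XX.COM
    co.yy = XX.COM
    .co.yy = XX.COM
"""

def parse_domain_realm(text):
    """Return the {name: realm} entries of the [domain_realm] section."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm    # names are matched in lower case
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then each parent domain with a leading period."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])  # ".co.yy", then ".yy"
        if suffix in mapping:
            return mapping[suffix]
    return None  # no entry applies; the library would use its fallback rules

if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for h in ("test.co.yy", "pilot.xx.com", "co.yy", "host.example.org"):
        print(h, "->", realm_for_host(h, table))
```

Under this rule the `.co.yy` entry is the one that covers test.co.yy; the bare `co.yy` entry only matches a host literally named co.yy.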