cannot kinit to AD realm using alternative dns name
Mchugh, Sean
SMchugh at grey.com
Thu May 7 20:02:06 EDT 2009
Looking for some advice on how to proceed or if anyone has had the same
issue; Google hasn't come to my rescue yet:
Our Active Directory 2003 domain is called: GGG.LOCAL
Our userPrincipalNames are set up to match our SMTP address, in this case
username at grey.com
I can kinit successfully with: username at GGG.LOCAL
But not with: username at grey.com _or_ username at ggg.local; error message
is: "kinit(v5): KRB5 error code 68 while getting initial credentials"
Running CentOS 5.2 with the following krb5 packages installed:
krb5-libs-1.6.1-31.el5_3.3
pam_krb5-2.2.14-1.el5_2.1
pam_krb5-2.2.14-1.el5_2.1
krb5-libs-1.6.1-31.el5_3.3
krb5-workstation-1.6.1-31.el5_3.3
krb5-devel-1.6.1-31.el5_3.3
The following SRV record was manually added:
_kerberos._tcp.grey.com 0 100 88 dc.ggg.local.
Following is /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GGG.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[domain_realm]
 .ggg.grey.global = GGG.LOCAL
 ggg.grey.global = GGG.LOCAL
 .grey.com = GGG.LOCAL
 grey.com = GGG.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   validate = true
 }

Sean McHugh
VP, Dir. of Global Services
Grey Group
p. 212-546-1926
m. smchugh at grey.com
c. 917-916-8644
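
An added example (not part of the original post) that parses the [libdefaults] and [domain_realm] sections of the posted krb5.conf and shows which realm each of the three principal forms names, next to what [domain_realm] maps. It assumes MIT krb5 behaviour: the realm is the case-sensitive text after '@', and [domain_realm] is a host-name-to-realm table searched from the full host name up through its parent domains. The function names, the '@' principals and the host names passed in are constructed for illustration.

```python
import re

# [libdefaults] and [domain_realm] as posted (other sections omitted here).
KRB5_CONF = """
[libdefaults]
 default_realm = GGG.LOCAL
[domain_realm]
 .ggg.grey.global = GGG.LOCAL
 ggg.grey.global = GGG.LOCAL
 .grey.com = GGG.LOCAL
 grey.com = GGG.LOCAL
"""

def parse_sections(text):
    """Return {section: {key: value}} for flat 'key = value' sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def principal_realm(principal, conf):
    """Realm named by a principal string: the text after '@', kept in the
    case it was typed; default_realm applies only when there is no '@'."""
    _, sep, realm = principal.rpartition("@")
    return realm if sep else conf["libdefaults"]["default_realm"]

def host_realm(hostname, conf):
    """[domain_realm] lookup for a host name (assumed MIT krb5 order):
    'a.b.c', then '.b.c', 'b.c', '.c', 'c'. Returns None if nothing maps."""
    mapping, name = conf.get("domain_realm", {}), hostname.lower()
    while name:
        if name in mapping:
            return mapping[name]
        dot = name.find(".", 1)  # next label boundary after position 0
        name = name[1:] if name[0] == "." else (name[dot:] if dot != -1 else "")
    return None

if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    default = conf["libdefaults"]["default_realm"]
    # Constructed principals mirroring the three forms tried in the post.
    for p in ("username@GGG.LOCAL", "username@grey.com", "username@ggg.local"):
        realm = principal_realm(p, conf)
        print(f"{p}: realm={realm!r} equals default_realm={realm == default}")
    print("host dc.grey.com ->", host_realm("dc.grey.com", conf))
```

Only the upper-case GGG.LOCAL form names the realm set in default_realm; KRB5 error code 68 is KDC_ERR_WRONG_REALM in RFC 4120.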