cannot get msktutil

Douglas E. Engert deengert at anl.gov
Thu Apr 5 10:20:58 EDT 2012



On 4/4/2012 4:36 PM, Simon Dwyer wrote:
> Hi All,
>
> I have been banging my head against this for a few weeks now.
>
> I am trying to use squid with kerberos and so I need to get my machine
> into the Active Directory domain.
>
> My config follows: http://pastebin.com/PNTwGKLf
>
> The output for when I run msktutil: http://pastebin.com/aQQavMJd

It looks like it can not change the password in AD.
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

Did dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL get added to AD?
If not, does asdwyer at EXAMPLE.INTERNAL have admin rights in AD to create computer accounts?

Try adding in krb5.conf [libdefaults]
   udp_preference_limit = 1
This will force TCP. AD tickets are always large.

Change in krb5.conf:
   admin_server = dc-hbt-01.example.internal
to
  admin_server = dc-hbt-01.example.internal:749

(Make sure it can find the password change service.)

Other thing:
  Are both dc-hbt-01.example.internal and dc-hbt-02.example.internal running?

If none of the above help, Wireshark trace (i.e. tcpdump) might help.

This is most likely not your problem, but do you need DES?
I see the krb5.conf has allow_weak_crypto = true.
  ldap_set_supportedEncryptionTypes: DEE dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28
will set msDS_supportedEncryptionTypes to use RC4 and AES-128 and AES-256.
The msktutil --enctypes option can override this.

http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx

>
> This is a fresh install of CentOS 6.2 with a self-compiled version of
> krb 1.10.1.
>
> I can change passwords with the kpassword command.
>
> I can upload the tcpdump to cloudshark if this would help.
>
> Cheers,
>
> Simon Dwyer
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
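
Added example, not part of the original message: a decoder for the `old=7 new=28` values in the msktutil line quoted above, read as msDS-SupportedEncryptionTypes bit flags. The bit assignments follow Microsoft's documentation of the attribute; the function names `decode` and `explain` are hypothetical.

```python
import re

# Low five bits of msDS-SupportedEncryptionTypes, per Microsoft's
# documentation of the attribute.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_MASK = 0x01 | 0x02  # single-DES; MIT krb5 only uses these with allow_weak_crypto

# Matches the msktutil verbose line quoted in the message above.
LINE_RE = re.compile(r"ldap_set_supportedEncryptionTypes:.*\bold=(\d+)\s+new=(\d+)")


def decode(mask):
    """Return the names of the enctype bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def explain(line):
    """Parse an old=/new= line; return None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    old, new = int(m.group(1)), int(m.group(2))
    return {
        "old": decode(old),
        "new": decode(new),
        "dropped": decode(old & ~new),
        "added": decode(new & ~old),
        "des_still_enabled": bool(new & DES_MASK),
        "unknown_bits": new & ~0x1F,  # bits outside the five enctype flags
    }


# The line as it appears in the message.
SAMPLE = ("ldap_set_supportedEncryptionTypes: DEE "
          "dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28")

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key}: {value}")
```

For this line the change drops both DES types and adds both AES types, so the `allow_weak_crypto = true` setting is not needed for the resulting account.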

