cannot get msktutil

Douglas E. Engert deengert at anl.gov
Thu Apr 5 12:41:14 EDT 2012



On 4/5/2012 10:35 AM, Ken Dreyer wrote:
> On Thu, Apr 5, 2012 at 8:20 AM, Douglas E. Engert<deengert at anl.gov>  wrote:
>>
>> On 4/4/2012 4:36 PM, Simon Dwyer wrote:
>>> Hi All,
>>>
>>> I have been banging my head against this for a few weeks now.
>>>
>>> I am trying to use squid with kerberos and so i need to get my machine
>>> into the Active Directory domain.
>>>
>>> My config follows: http://pastebin.com/PNTwGKLf
>>>
>>> The output for when i run msktutil: http://pastebin.com/aQQavMJd
>>
>> It looks like it can not change the password in AD.
>> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
>
> The error text is sort of misleading. There was a bug in MIT Kerberos
> 1.9 that causes this function to fail in certain AD scenarios. The
> client sends a TGS-REQ is for "kadmin/changepw", but AD responds with
> a TGT. It's fixed by
> https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a,
> but this patch is not in RHEL 6.2's kerberos libraries.
>
> If you have a support contract with Red Hat and you are experiencing
> this issue in your environment, I encourage you to file a support
> request with them to get this patch into RHEL 6's krb5 package.

Ken,
I was responding to the original message, as one of the early
developers of msktutil, I did not see that you had found the bug
yesterday.

But good to know there is a fix.


>
> - Ken
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the Kerberos mailing list