Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

Simon Dwyer mail at simmyd.net
Wed Mar 7 23:38:17 EST 2012


Hi All,

I am having a problem getting a fresh CentOS 6.2 machine to join our AD
domain.

I have installed a base machine with the minimal server profile in CentOS.

It's running the krb5-workstation that comes with CentOS,
krb5-workstation-1.9-22.el6_2.1.x86_64.

We are running a Windows 2008 R2 AD cluster with Windows 7 and Windows
XP clients.

The long-term goal is to get this working for Squid authentication.


klist:

[root@squid-k net]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: asdwyer@OURCOMPANY.EXAMPLE

Valid starting     Expires            Service principal
03/08/12 14:56:01  03/09/12 00:56:03  krbtgt/OURCOMPANY.EXAMPLE@OURCOMPANY.EXAMPLE
	renew until 03/15/12 14:56:01

Set up krb5.conf with:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OURCOMPANY.EXAMPLE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 OURCOMPANY.EXAMPLE = {
  kdc = dc-hbt-01.ourcompany.example
  kdc = dc-hbt-02.ourcompany.example
  admin_server = dc-hbt-01.ourcompany.example
 }

[domain_realm]
 .ourcompany.example = OURCOMPANY.EXAMPLE
 ourcompany.example = OURCOMPANY.EXAMPLE

When I run msktutil:

[root@squid-k ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid-k.ourcompany.example -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid-k.ourcompany.example --server dc-hbt-01.ourcompany.example --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf
file: /tmp/.msktkrb5.conf-RCR88x
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
 -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for
host/squid-k.ourcompany.example from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with
password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server:
dc-hbt-01.ourcompany.example try_tls=YES
 -- ldap_connect: Connecting to LDAP server:
dc-hbt-01.ourcompany.example try_tls=NO
SASL/GSSAPI authentication started
SASL username: asdwyer@OURCOMPANY.EXAMPLE
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base:
dc=OURCOMPANY,dc=EXAMPLE
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 74
 -- ldap_check_account: Checking that a computer account for
SQUIDPROXY-K$ exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for SQUIDPROXY-K found, creating a new one.
dn: cn=SQUIDPROXY-K,CN=COMPUTERS,dc=OURCOMPANY,dc=EXAMPLE
 -- ldap_check_account_strings: Inspecting (and updating) computer
account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName
to squid-k.ourcompany.example
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/squid-k.ourcompany.example@OURCOMPANY.EXAMPLE
 -- ldap_set_supportedEncryptionTypes: DEE
dn=cn=SQUIDPROXY-K,CN=COMPUTERS,dc=OURCOMPANY,dc=EXAMPLE old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed
0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
requested realm)
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context




