Streamlining host principal keytab provisioning?

Russ Allbery rra at stanford.edu
Tue May 1 18:47:26 EDT 2012


Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> Slowly I'm managing to make some steps forward! :)... Now I got the remctld
> running, and I added the wallet configuration into the krb5.conf (client
> side). But when I try to get a ticket I get the following error:

> $ wallet -f keytab get keytab nfs/hostname.REALMNAME
> wallet: GSS-API error initializing context: Unspecified GSS failure.  Minor code may provide more information, Cannot contact any KDC for requested realm

This error message indicates that things are going wrong at the remctl
level.  wallet is trying to get credentials for the wallet server, and
when doing so, it can't reach the KDC for the realm that it thinks the
wallet server is in.

This probably means that your domain_realm mapping for the wallet server
isn't correct, but may mean that you have problems reaching the KDC for
other reasons.

The default principal to which the wallet client will try to authenticate
is host/<hostname> where <hostname> is whatever you configured the wallet
server to be (--with-wallet-server on wallet's configure command or
configured in your krb5.conf file).  You can try to get tickets for that
directly and duplicate the error with:

    kvno host/<hostname>
    kgetcred host/<hostname>

depending on what set of Kerberos tools you have installed.  (The first is
MIT; the second, Heimdal).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
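
Added example, not part of the original message or of wallet itself: a small offline check of which realm a krb5.conf maps the wallet server's hostname to, and whether that realm has any KDC listed, which is the misconfiguration the reply points at. The hostnames, realms and sample file are constructed, and only explicit [domain_realm] and [realms] kdc entries are modelled (real Kerberos libraries can also locate KDCs through DNS and apply other fallbacks).

```python
# Constructed sample krb5.conf: the second mapping points at a realm with no KDC.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
    .corp.example.net = CORP.EXAMPLE.NET
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {key: [values]}}}."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            elif sub is not None:
                sub.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def realm_for_host(conf, hostname):
    """Try [domain_realm] keys a.b.c, .b.c, b.c, .c, c in turn; None if no match."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    name = hostname.lower()
    while name:
        if name in mapping:
            return mapping[name]
        cut = 1 if name.startswith(".") else name.find(".")
        name = name[cut:] if cut > 0 else ""
    return None

def check_wallet_server(conf, hostname):
    """Return (realm, kdcs) the client would use for host/<hostname>."""
    realm = realm_for_host(conf, hostname)
    return realm, conf.get("realms", {}).get(realm, {}).get("kdc", [])

if __name__ == "__main__":
    print(check_wallet_server(parse_krb5_conf(SAMPLE_KRB5_CONF), "wallet.corp.example.net"))
```

A realm returned with an empty KDC list is the configuration in which a request for host/<hostname> has no KDC to contact from krb5.conf alone.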

