krb5 vs Windows trust relationships in AD
Garth T Kidd
garthk at gmail.com
Tue Nov 15 23:21:05 EST 2005
Interesting: if I change [libdefaults] default_realm = DOMAIN.COM,
then kinit -V user or kinit -V user at DOMAIN.COM causes Kerberos 5
traffic to the KDC. My new error message is:
kinit(v5): KDC reply did not match expectations while getting
initial credentials
... which I suspect is due to the lack of a machine account.
Now, how do I fire this via the trusting domain?
On 16/11/05, Garth T Kidd <garthk at gmail.com> wrote:
> G'day, everyone.
>
> I have a Fedora Core Linux box running kernel 2.6.11-1.1369_FC4smp,
> and I'm having trouble authenticating against my Windows domain.
>
> kinit -V user at DOMAIN.COM
>
> yields:
>
> kinit(v5): Cannot find KDC for requested realm while getting
> initial credentials
>
> ... which I've Googled a lot without much success. There are a lot of
> people asking questions, but not too many answers out there. Some
> bloke on the #samba channel suggested I try this list instead.
>
> When I run kinit I can see my box look up the SRV records for
> _kerberos._udp.DOMAIN.COM and _kerberos._tcp.DOMAIN.COM, but then it
> bombs. No other traffic heads out, in particular none to the hosts
> nominated under kdc and admin_server in the realm's entry in the
> [realms] section of /etc/krb5.conf.
>
> Setting dns_lookup_realm = false and dns_lookup_kdc = false doesn't
> seem to help.
>
> Any ideas?
>
> Where trust comes in: I can successfully authenticate against
> OTHERDOMAIN.AU which trusts DOMAIN.COM, but haven't been able to
> configure krb5 to authenticate DOMAIN.COM via OTHERDOMAIN.AU. If I
> could do so, that'd save me having to get a machine account in
> DOMAIN.COM.
>
> Regards,
> Garth.
>
More information about the krbdev
mailing list