krb5_get_in_tkt_with_password with KRB5_REALM_CANT_RESOLVE error
Ken Raeburn
raeburn at MIT.EDU
Thu Sep 25 14:49:02 EDT 2008
On Sep 25, 2008, at 01:57, Stephen Ince wrote:
> I am getting a KRB5_REALM_CANT_RESOLVE error with the
> krb5_get_in_tkt_with_password call. I am
> trying to programmatically get a ticket from KDC server. I am using
> kfw 3.3.3 MIT Kerberos toolkit.
>
> The userid is matt at FOOBAR.LOCAL.
>
> The host FOOBAR.LOCAL just has an entry in my C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.
>
> 69.127.38.76 apache.foobar.local apache
> 69.127.38.76 kdc.foobar.local kdc
The realm name and KDC host names are independent. You would need
information somewhere that says that kdc.foobar.local is the (or at
least a) KDC for the realm FOOBAR.LOCAL. In your Kerberos config file
(normally /etc/krb5.conf on UNIX, I think it's stored somewhere as
krb5.ini on Windows) you would have a section that looks like:
[realms]
    FOOBAR.LOCAL = {
        kdc = kdc.foobar.local
        [...possibly other info...]
    }
Or, if you have DNS service set up for foobar.local, you could add a
SRV record for the name "_kerberos._udp.foobar.local.", pointing to
port 88 (or whatever you select instead) on the KDC machine.
You may also want:
[domain_realm]
    .foobar.local = FOOBAR.LOCAL
to tell client systems what realm name is used for servers in the
foobar.local domain. If you have a machine named "foobar.local" too,
you'd also add a "foobar.local = FOOBAR.LOCAL" line (without the
leading dot on the left-hand side, this time).
You could also get rid of the "kdc.foobar.local" host entry if you
want, and just use "apache.foobar.local" in the configuration data
described above. Kerberos doesn't really care about the specific form
of the KDC hostname, and we don't use any heuristics like assuming
"kdc."+$realm might be the name of a KDC.
Ken
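The two lookups Ken describes (realm to KDC via [realms] or a DNS SRV record, host to realm via [domain_realm]), as an added Python model that is not part of this thread or of MIT krb5; the krb5.conf text is constructed and `srv_lookup` is an assumed stand-in for a DNS SRV query.

```python
"""Model of the lookups in the thread (example code, not libkrb5): realm -> KDC via
[realms] then DNS SRV _kerberos._udp.<realm>, never a "kdc.<realm>" guess, failing
like KRB5_REALM_CANT_RESOLVE otherwise; host -> realm via [domain_realm] suffixes."""

# Constructed krb5.conf snippet in the form Ken describes (not a real site).
KRB5_CONF = """
[realms]
FOOBAR.LOCAL = {
    kdc = kdc.foobar.local
}
[domain_realm]
.foobar.local = FOOBAR.LOCAL
foobar.local = FOOBAR.LOCAL
"""

def parse_krb5_conf(text):
    """Parse just the [realms] kdc lines and the [domain_realm] section."""
    realms, domain_realm, section, cur = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms" and line.endswith("{"):
            cur = line.split("=")[0].strip()      # realm name opening a block
            realms[cur] = []
        elif section == "realms" and line == "}":
            cur = None
        elif section == "realms" and cur and line.split("=")[0].strip() == "kdc":
            realms[cur].append(line.split("=", 1)[1].strip())
        elif section == "domain_realm" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            domain_realm[key] = val
    return realms, domain_realm

def kdcs_for_realm(realm, realms, srv_lookup):
    """KDC hosts for realm; srv_lookup(name) stands in for a DNS SRV query (assumed)."""
    kdcs = realms.get(realm) or srv_lookup("_kerberos._udp." + realm)
    if not kdcs:
        raise LookupError("KRB5_REALM_CANT_RESOLVE: no [realms] entry or SRV record for " + realm)
    return kdcs

def realm_for_host(host, domain_realm):
    """Realm for host: exact [domain_realm] entry first, then each '.parent' suffix."""
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[c] for c in candidates if c in domain_realm), None)
```

With only the dotted `.foobar.local` entry present, the bare host `foobar.local` maps to no realm, which is the case Ken's extra line without the leading dot covers.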