Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Kerberos Authentication error
Top Forums UNIX for Dummies Questions & Answers Kerberos Authentication error Post 302905456 by Tomlight on Wednesday 11th of June 2014 04:13:11 PM
Old 06-11-2014
Kerberos Authentication error
Hi ,

I am trying to authenticate my id on client server with Kerberos and receiving below error


kinit rpagadala@BDC.soft.net
kinit: Cannot contact any KDC for realm 'BDC.soft.net' while getting initial credentials

Please find krb5.conf on the client server configuration which is same as the Kerberos master server .

Code:
 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BDC.soft.net ( this is just an example ) 
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
[realms]
 BDC.soft.net = {
  kdc = server1:88
  kdc = server2:88
  admin_server = server1:749
  default_domain = soft.net
 }
[domain_realm]
 .soft.net = BDC.soft.net 
 soft.net = BDC.soft.net 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Kerberos Authentication from Application

Hi, We've configured Kerberos to authenticate AIX 5.3 users with Active Directory and I now have to port an application written in C to the new security model. Currently, our users can login as normal and running a "klist" command reveals that they have been successfully granted a ticket. ... (2 Replies)
Discussion started by: phykell
2 Replies

2. Linux

IPSec using racoon w/ kerberos authentication

Hi, Anyone can point me a good link to setup IPSec using racoon IKE which uses gssapi_krb authentication method? I have a debain linux box and Windows 2003R2 system, and I want them to communicate using IPSec. Thanks, Emily. (0 Replies)
Discussion started by: egyfan
0 Replies

3. Programming

Kerberos Authentication c/c++

I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api. Can anyone point me in the right... (0 Replies)
Discussion started by: mshindo
0 Replies

4. Red Hat

PAM configuration: Kerberos authentication and NIS authorization problem

Hi, I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS. The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
Discussion started by: geek.ksa
0 Replies

5. AIX

SSH and kerberos authentication problem AIX 5.3

I've configured an AIX 5.3 client to use our Windows AD for user authentication via Kerberos. When I try to ssh to the server using the AD credentials, I eventually get access but not after getting prompted for a password 3 times (which doesn't work) followed by an accepted login on the 4th... (3 Replies)
Discussion started by: jmroderick
3 Replies

6. Solaris

Rpcinfo: can't contact portmapper: RPC: Authentication error; why = Failed (unspecified error)

I have two servers with a fresh install of Solaris 11, and having problems when doing rpcinfo between them. There is no firewall involved, so everything should theoretically be getting through. Does anyone have any ideas? I did a lot of Google searches, and haven't found a working solution yet. ... (2 Replies)
Discussion started by: christr
2 Replies

7. Shell Programming and Scripting

How to automatically store/cache password for kerberos authentication

Hi All, I am currently writing script to get the details for lot of hosts from jump server. Means each and every time it will ssh to the host and get the information. To achieve that I need to automatically accept the password from Jump server to that main hosts. We are using kerberos password... (6 Replies)
Discussion started by: kamauv234
6 Replies

8. Shell Programming and Scripting

PERL and Kerberos authentication

I am installing Authen::Krb5::Easy and during make test I am getting the follwing error : kinit not ok 2 error was: could not get initial credentials: Cannot contact any KDC for requested realm we are stroring krb5.conf in diff location ( not in /etc/krb5.conf) , but, PERL is... (1 Reply)
Discussion started by: talashil
1 Replies

9. UNIX for Dummies Questions & Answers

Kerberos Utility Error Message

Hello All, I have below piece of code executing via shell script but for some reason even if the flag is set to KERBEROS_FLAG="N" It displays an message at the end of script execution. It should not call /usr/bin/kdestroy but looks like it is happening and this happens only for one application id... (4 Replies)
Discussion started by: Ariean
4 Replies

LEARN ABOUT REDHAT

pam_krb5

pam_krb5(5)						   System Administrator's Manual					       pam_krb5(5)

NAME

       pam_krb5 - Kerberos 5 authentication

DESCRIPTION

       pam_krb5.so  uses a portion of krb5.conf to get its configuration information.  You should read the krb5.conf(5) man page before continuing
       here.  The module expects its configuration information to be in the pam subsection of the appdefaults section of the krb5.conf	configura-
       tion file (for backward compatibility, the pam section is also checked for the same directives).

DIRECTIVES

       debug=[true|false]
	      turns on debugging via syslog(3).

       addressless=[true|false]
	      disables	the checking of the address in the ticket. Allows the ticket to be used from behind NAT firewalls, or on machines whose IP
	      address changes regularly.

       banner=Kerberos
	    specifies what kind of password the module claims to be changing when called to change passwords.  The default is Kerberos 5.

       ccache_dir=/tmp
	    specifies the directory to place credential cache files in.

       forwardable=[true|false]
	    controls whether or not credentials are forwardable.  If not specified, they are.

       hosts=hostnames
	    specifies which other hosts credentials obtained by pam_krb5 will be good on.  If your host is behind a firewall, you should  add  the
	    IP address or name that the KDC sees it as to this list.

       initial_timemout
	    specifies the number of seconds to wait for the first KDC to respond, before attempting incremental backoff.

       keytab=/etc/krb5.keytab
	    specifies the name of a keytab file to find a key for the required_tgs in, for use in validating TGTs.

       krb4_convert=[true|false]
	    controls  whether or not pam_krb5 tries to get Kerberos IV credentials from the KDC (or using the krb524d service on the KDC) and cre-
	    ate ticket files with them.  Unless you've converted everything on your network over to use Kerberos 5, you'll want to leave this  set
	    to true.  Note that this requires valid Kerberos IV configuration data to be present in /etc/krb.conf and /etc/krb.realms.

       max_timeout=30
	    specifies  the  maximum  amount of time to spend in attempting to get a reply from the KDCs, in seconds. This in effect determines the
	    amount of time before PAM tries the next authentication scheme, if the network is not available.

       minimum_uid=0
	    specifies the minimum UID of users being authenticated.  If a user with a UID  less  than  this  value  attempts  authentication,  the
	    request will be ignored.

       proxiable=[true|false]
	    controls whether or not credentials are proxiable.	If not specified, they are.

       renew_lifetime=36000
	    default renewable lifetime.  This specifies how much time you have after getting credentials to renew them.

       required_tgs=[service]
	    specifies  a  principal  for which a user must be able to get a session key for for the purpose of verifying that the TGT has not been
	    forged.  The key is decrypted using a copy of the service's key stored in a local keytab file.  This is the only  certain  way  to	be
	    absolutely sure the TGT hasn't been forged.  The default is host@hostname.

       ticket_lifetime=36000
	    default credential lifetime.

       timeout_shift
	    specifies the number of bits left to shift after each timeout, in implementing the incremental backoff in talking to the KDCs.

       validate=[true|false]
	    specifies whether or not to attempt validation of the TGT.	The default is false.

EXAMPLE

       [appdefaults]
	 pam = {
	   debug = true
	   ticket_lifetime = 36000
	   renew_lifetime = 36000
	   forwardable = true
	   krb4_convert = true
	   hosts = thermo.example.edu alf.example.edu
	   validate = true
	   required_tgs = host/thermo.example.edu
	   ccache_dir = /var/tmp
	 }

FILES

       /etc/krb5.conf

SEE ALSO

       pam_krb5(8)

BUGS

       Probably, but let's hope not.  If you find any, please email the author.

AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux							    2002/02/15							       pam_krb5(5)
All times are GMT -4. The time now is 04:20 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy