krb auth weirdness found out

Andrew Bartlett abartlet at
Fri Apr 3 01:28:39 GMT 2009

On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote:
> I have the answer (which turns out to be another question) after
> spending a couple of dreary days investigating why I get
> dcerpc_bind_auth_send() from openchange (with specified creds) causing
> errors like this:
> kinit for Sam at GALAXY failed (Cannot contact any KDC for requested realm:
> unable to reach any KDC in realm GALAXY)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact host at NOVA
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> (when GALAXY is a domain value not a REALM value which should be
> galaxy.test.dbamsystems.local) and I have to wait for the time it takes
> to fail this before it continues with the NTML auth (which is what it
> should have been doing all along).

If GALAXY was in the krb5.conf as a realm, it would actually work
(strange, but true).

What we need is to provide a DC location plugin to Heimdal that does a
lookup for the DCs in that domain, and returns them as possible kerberos

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list