krb auth weirdness found out

Andrew Bartlett abartlet at samba.org
Fri Apr 3 01:28:39 GMT 2009


On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote:
> I have the answer (which turns out to be another question) after
> spending a couple of dreary days investigating why I get
> dcerpc_bind_auth_send() from openchange (with specified creds) causing
> errors like this:
> 
> kinit for Sam at GALAXY failed (Cannot contact any KDC for requested realm:
> unable to reach any KDC in realm GALAXY)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact host at NOVA
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> 
> (when GALAXY is a domain value not a REALM value which should be
> galaxy.test.dbamsystems.local) and I have to wait for the time it takes
> to fail this before it continues with the NTLM auth (which is what it
> should have been doing all along).

If GALAXY was in the krb5.conf as a realm, it would actually work
(strange, but true).

What we need is to provide a DC location plugin to Heimdal that does a
lookup for the DCs in that domain, and returns them as possible kerberos
KDCs.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
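The behaviour described above, as an added worked example that is not code from Samba, Heimdal or OpenChange: a toy model of how a Kerberos client locates a KDC for a realm name. It tries an explicit `[realms]` entry in krb5.conf first and then falls back to a `_kerberos._tcp.<realm>` DNS SRV lookup, so a NetBIOS-style short name such as `GALAXY` finds nothing (not a DNS zone) while the DNS-style realm succeeds, and listing `GALAXY` in `[realms]` makes it "work" exactly as the message says. The krb5.conf text, the DNS SRV table and the KDC host name `nova.galaxy.test.dbamsystems.local` are constructed for the example; the `choose_mech` function is a stand-in for the GSSAPI-then-NTLM fallback, not Samba's GENSEC logic.

```python
"""Toy model of Kerberos KDC location (added example, not Samba/Heimdal code).

Shows why a short domain name used as a realm fails with 'Cannot contact any
KDC for requested realm', and why an explicit [realms] entry for that short
name changes the outcome.  All config text and DNS data are constructed."""

import re
from typing import Dict, List, Optional

# Constructed krb5.conf: only the DNS-style realm is defined.
KRB5_CONF_NO_SHORT_REALM = """
[libdefaults]
    default_realm = GALAXY.TEST.DBAMSYSTEMS.LOCAL

[realms]
    GALAXY.TEST.DBAMSYSTEMS.LOCAL = {
        kdc = nova.galaxy.test.dbamsystems.local
    }
"""

# Same file with the short domain name also listed as a realm
# (the "strange, but true" case from the message).
KRB5_CONF_WITH_SHORT_REALM = KRB5_CONF_NO_SHORT_REALM + """
    GALAXY = {
        kdc = nova.galaxy.test.dbamsystems.local
    }
"""

# Constructed stand-in for DNS: SRV records keyed by owner name.
DNS_SRV: Dict[str, List[str]] = {
    "_kerberos._tcp.galaxy.test.dbamsystems.local":
        ["nova.galaxy.test.dbamsystems.local"],
}


def parse_realms(conf_text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} from the [realms] section of a krb5.conf.

    Minimal line-based parser: section headers, 'NAME = {' blocks, 'kdc = host'
    lines and closing braces.  Realm names are case-sensitive, as in krb5."""
    realms: Dict[str, List[str]] = {}
    section: Optional[str] = None
    current: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        block = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if block:
            current = block.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        kdc = re.fullmatch(r"kdc\s*=\s*(\S+)", line)
        if kdc and current is not None:
            realms[current].append(kdc.group(1))
    return realms


def locate_kdc(realm: str, conf_text: str,
               srv_records: Dict[str, List[str]] = DNS_SRV) -> Optional[List[str]]:
    """Mimic the client's order: explicit [realms] entry first, then DNS SRV.

    Returns the KDC list, or None when no KDC can be located (the
    'Cannot contact any KDC for requested realm' outcome)."""
    realms = parse_realms(conf_text)
    if realms.get(realm):
        return realms[realm]
    # DNS fallback: the realm is lowercased and used as a DNS domain.  A short
    # NetBIOS-style name such as "GALAXY" is not a DNS zone, so there is no
    # _kerberos._tcp SRV record for it and the lookup comes back empty.
    hits = srv_records.get(f"_kerberos._tcp.{realm.lower()}")
    return hits or None


def choose_mech(realm: str, conf_text: str) -> str:
    """Stand-in for the GSSAPI-then-NTLM fallback: Kerberos only if a KDC
    can be located, otherwise NTLMSSP (hypothetical helper, not GENSEC)."""
    return "gssapi_krb5" if locate_kdc(realm, conf_text) else "ntlmssp"


if __name__ == "__main__":
    cases = [("GALAXY", KRB5_CONF_NO_SHORT_REALM),
             ("GALAXY.TEST.DBAMSYSTEMS.LOCAL", KRB5_CONF_NO_SHORT_REALM),
             ("GALAXY", KRB5_CONF_WITH_SHORT_REALM)]
    for realm, conf in cases:
        print(f"{realm:32} kdc={locate_kdc(realm, conf)} mech={choose_mech(realm, conf)}")
```

The point the model makes visible is that the failure is a naming problem, not a connectivity one: with no `[realms]` entry and no DNS zone named `GALAXY`, the client has no way to turn the domain short name into a KDC, which is the gap a DC-location plugin would fill by resolving the domain to its DCs.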