Hi All, I am having a problem getting a fresh CentOS 6.2 machine to join our AD domain.

I have installed a base machine with the minimal server profile in CentOS. It's running the krb5-workstation that comes with CentOS, krb5-workstation-1.9-22.el6_2.1.x86_64. We are running a Windows 2008 R2 AD cluster with Windows 7 and Windows XP clients. The long-term goal is to get this working for Squid authentication.

klist:

    [root@squid-k net]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    03/08/12 14:56:01  03/09/12 00:56:03  krbtgt/[email protected]
            renew until 03/15/12 14:56:01

I set up krb5.conf with:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = OURCOMPANY.EXAMPLE
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     OURCOMPANY.EXAMPLE = {
      kdc = dc-hbt-01.ourcompany.example
      kdc = dc-hbt-02.ourcompany.example
      admin_server = dc-hbt-01.ourcompany.example
     }

    [domain_realm]
     .ourcompany.example = OURCOMPANY.EXAMPLE
     ourcompany.example = OURCOMPANY.EXAMPLE

When I run msktutil:

    [root@squid-k ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid-k.ourcompany.example -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid-k.ourcompany.example --server dc-hbt-01.ourcompany.example --verbose
     -- init_password: Wiping the computer password structure
     -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RCR88x
     -- reload: Reloading Kerberos Context
     -- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
     -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
     -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
     -- try_machine_keytab_princ: Authentication with keytab failed
     -- try_machine_keytab_princ: Trying to authenticate for host/squid-k.ourcompany.example from local keytab...
     -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
     -- try_machine_keytab_princ: Authentication with keytab failed
     -- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
     -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
     -- try_machine_password: Authentication with password failed
     -- try_user_creds: Checking if default ticket cache has tickets...
     -- finalize_exec: Authenticated using method 4
     -- ldap_connect: Connecting to LDAP server: dc-hbt-01.ourcompany.example try_tls=YES
     -- ldap_connect: Connecting to LDAP server: dc-hbt-01.ourcompany.example try_tls=NO
    SASL/GSSAPI authentication started
    SASL username: [email protected]
    SASL SSF: 56
    SASL data security layer installed.
     -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
     -- ldap_get_base_dn: Determining default LDAP base: dc=OURCOMPANY,dc=EXAMPLE
     -- init_password: Wiping the computer password structure
     -- generate_new_password: Generating a new, random password for the computer account
     -- generate_new_password: Characters read from /dev/udandom = 74
     -- ldap_check_account: Checking that a computer account for SQUIDPROXY-K$ exists
     -- ldap_check_account: Computer account not found, create the account
    No computer account for SQUIDPROXY-K found, creating a new one.
     -- ldap_check_account: dn: cn=SQUIDPROXY-K,CN=COMPUTERS,dc=OURCOMPANY,dc=EXAMPLE
     -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
     -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to squid-k.ourcompany.example
     -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/[email protected]
     -- ldap_set_supportedEncryptionTypes: DEE dn=cn=SQUIDPROXY-K,CN=COMPUTERS,dc=OURCOMPANY,dc=EXAMPLE old=7 new=28
     -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
     -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
     -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
     -- set_password: Attempting to reset computer's password
     -- set_password: Try change password using user's ticket cache
     -- ldap_get_pwdLastSet: pwdLastSet is 0
    Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
    Error: set_password failed
     -- ~msktutil_exec: Destroying msktutil_exec
     -- ldap_cleanup: Disconnecting from LDAP server
     -- init_password: Wiping the computer password structure
     -- ~KRB5Context: Destroying Kerberos Context

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
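The failing call in the post, krb5_set_password_using_ccache, does not talk to the KDC on port 88 at all: it uses the kpasswd service on port 464, and with dns_lookup_kdc = false libkrb5 finds that service only through a kpasswd_server entry (falling back to admin_server) in the realm stanza of whichever krb5.conf is in effect. The verbose log also shows msktutil reloading its Kerberos context from a generated /tmp/.msktkrb5.conf-* file, so that file's realm stanza, which the post does not show, is the one that matters at that step. The script below is an added diagnostic, not code from the post or from msktutil: it pulls the kdc / admin_server / kpasswd_server hosts for a realm out of krb5.conf text and then probes TCP 88 on each KDC and TCP 464 on each kpasswd target. The embedded config is a constructed copy of the realm stanza from the post; the hostnames are the post's. probe_port assumes bash (for /dev/tcp) and the coreutils timeout command.

```shell
#!/bin/bash
# Added example (not part of the original post): find the servers a krb5.conf
# realm stanza names for the KDC (port 88) and for password changes (kpasswd,
# port 464), and check that they answer. A "Cannot contact any KDC for
# requested realm" from a password-change call with DNS lookups disabled
# usually means the kpasswd side of this check fails.

# Constructed copy of the [realms] stanza from the post.
KRB5_CONF_SAMPLE='[libdefaults]
 default_realm = OURCOMPANY.EXAMPLE
 dns_lookup_kdc = false

[realms]
 OURCOMPANY.EXAMPLE = {
  kdc = dc-hbt-01.ourcompany.example
  kdc = dc-hbt-02.ourcompany.example
  admin_server = dc-hbt-01.ourcompany.example
 }

[domain_realm]
 .ourcompany.example = OURCOMPANY.EXAMPLE
'

# realm_servers <conf-text> <realm> <key>
# Prints every value of <key> (kdc, admin_server, kpasswd_server) found inside
# the "<realm> = { ... }" stanza of the [realms] section, one per line.
realm_servers() {
  printf '%s\n' "$1" | awk -v realm="$2" -v key="$3" '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); in_stanza = 0; next }
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_stanza = 1; next }
    in_stanza && $1 == "}"                             { in_stanza = 0; next }
    in_stanza && $1 == key && $2 == "=" && $3 != ""    { print $3 }
  '
}

# kpasswd_targets <conf-text> <realm>
# Hosts libkrb5 uses for kpasswd when dns_lookup_kdc is false: kpasswd_server
# if present, otherwise admin_server. Prints nothing when neither is set.
kpasswd_targets() {
  local hosts
  hosts=$(realm_servers "$1" "$2" kpasswd_server)
  [ -n "$hosts" ] || hosts=$(realm_servers "$1" "$2" admin_server)
  printf '%s\n' "$hosts" | sed '/^$/d'
}

# probe_port <host> <port> <timeout-seconds>: 0 if a TCP connect succeeds.
# Needs bash for /dev/tcp and coreutils timeout (assumption).
probe_port() {
  timeout "$3" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# report <conf-text> <realm>: probe 88 on each kdc and 464 on each kpasswd
# target. Returns 1 when the stanza names no kpasswd target at all.
report() {
  local h targets
  for h in $(realm_servers "$1" "$2" kdc); do
    if probe_port "$h" 88 3; then echo "kdc      $h:88  reachable"
    else                          echo "kdc      $h:88  UNREACHABLE"; fi
  done
  targets=$(kpasswd_targets "$1" "$2")
  if [ -z "$targets" ]; then
    echo "realm $2 has no kpasswd_server or admin_server: password changes have nowhere to go"
    return 1
  fi
  for h in $targets; do
    if probe_port "$h" 464 3; then echo "kpasswd  $h:464 reachable"
    else                           echo "kpasswd  $h:464 UNREACHABLE"; fi
  done
}

# Usage against the live files (needs network access; not run here):
#   report "$(cat /etc/krb5.conf)" OURCOMPANY.EXAMPLE
#   report "$(cat /tmp/.msktkrb5.conf-RCR88x)" OURCOMPANY.EXAMPLE
```

Run it once against /etc/krb5.conf and once against the generated msktutil file while msktutil is still running, since the latter is what the password change actually reads. If the kdc probes succeed but the 464 probe fails or no kpasswd target is listed, the LDAP and ticket parts of the run were never the problem, which matches the log: authentication and the LDAP account creation succeeded, and only the kpasswd step reported no reachable server.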
