On 21 January 2015 01:04:09 CET, Thomas Schweikle <[email protected]> wrote:
>Hi!
>
>I am trying to integrate an OpenIndiana 5.11 oi_151a9 into an AD
>(Windows 2008) domain using kclient:
>
># kclient -T ms_ad
>
>Starting client setup
>
>---------------------------------------------------
>
>Setting up /etc/krb5/krb5.conf.
>
>Attempting to join 'CLIENT' to the 'DOMAIN' domain.
>
>Password for Administrator@DOMAIN:
>kinit(v5): Incorrect net address while getting initial credentials
>Could not authenticate Administrator@DOMAIN. Exiting.
>---------------------------------------------------
>Setup FAILED.
>
>If trying kinit with Administrator:
>
># kinit Administrator
>Password for Administrator@DOMAIN:
>[email protected]:~# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: Administrator@DOMAIN
>
>Valid starting     Expires            Service principal
>21.01.15 00:53:37  21.01.15 10:53:37  krbtgt/DOMAIN@DOMAIN
>        renew until 28.01.15 00:53:37
>
>So what is the difference here? If using kinit alone it works, while
>kclient doesn't. Any idea what to do to make kclient work?
>
>Here is /etc/krb5/krb5.conf:
>[libdefaults]
>    default_realm = DOMAIN
>    krb4_get_tickets=no
>    allow_weak_crypto=true
>    dns_lookup_kdc = false
>    dns_lookup_realm = false
>    forwardable = true
>    proxiable = true
>    kdc_timesync = 1
>    debug = false
>
>[realms]
>    DOMAIN = {
>        acl_file = /var/lib/heimdal-kdc/kadmind.acl
>        kdc = dc-master.domain
>        admin_server = dc-master.domain
>        kpasswd_server = dc-master.domain
>        default_domain = domain
>    }
>
>[domain_realm]
>    .domain = DOMAIN
>    domain = DOMAIN
>
>[logging]
>    default = FILE:/var/krb5/kdc.log
>    kdc = FILE:/var/krb5/kdc.log
>    kdc_rotate = {
>        period = 1d
>        versions = 10
>    }
>
>[appdefaults]
>    kinit = {
>        proxyable = true
>        renewable = true
>        forwardable= true
>    }
>
>Name resolution is working in both directions:
># host nc405-muc
>nc405-muc.domain has address 10.160.2.125
># host 10.160.2.125
>125.2.160.10.in-addr.arpa domain name pointer nc405-muc.domain.
>
>The domain controller is resolvable too:
># host dc-master
>dc-master.domain has address 10.10.1.33
>
>Hostname is set:
># hostname
>nc401-muc.domain
>
>LDAP isn't configured yet, since it needs GSSAPI to allow access and
>this needs Kerberos working.
>Any idea what I have to change to make it work?
>
>PS: it's a Univention UCS4.0 acting as AD -- if this helps anyone.

OTOH, it looks inconsistent that you use textual hostnames and dns_resolution flags == false. Do you resolve via /etc/hosts or some other non-DNS mechanism?

HTH,
Jim
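
The quoted outputs test name resolution for nc405-muc while `hostname` prints nc401-muc.domain. This added example (not part of the original thread) cross-checks the hostname, A and PTR answers, a mismatch worth ruling out before joining a host to a realm. The sample strings are copied from the quoted message; the function names are hypothetical.

```python
import re

# Constructed sample: the three command outputs as quoted in the message above.
HOSTNAME_OUT = "nc401-muc.domain"
FORWARD_OUT = "nc405-muc.domain has address 10.160.2.125"
REVERSE_OUT = "125.2.160.10.in-addr.arpa domain name pointer nc405-muc.domain."

PTR_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa domain name pointer (\S+)$"
)

def parse_forward(line):
    """Return (fqdn, ipv4) from a `host NAME` answer line, or None."""
    m = re.match(r"^(\S+) has address (\d+(?:\.\d+){3})$", line.strip())
    return (m.group(1).rstrip(".").lower(), m.group(2)) if m else None

def parse_reverse(line):
    """Return (ipv4, fqdn) from a `host ADDR` PTR answer line, or None."""
    m = PTR_RE.match(line.strip())
    if not m:
        return None
    # The in-addr.arpa label lists the octets in reverse order.
    ip = ".".join(reversed(m.groups()[:4]))
    return ip, m.group(5).rstrip(".").lower()

def check_identity(hostname_out, forward_out, reverse_out):
    """List inconsistencies between local hostname, A record and PTR record."""
    local = hostname_out.strip().rstrip(".").lower()
    fwd, rev = parse_forward(forward_out), parse_reverse(reverse_out)
    if fwd is None or rev is None:
        return ["could not parse host output"]
    problems = []
    if fwd[0] != local:
        problems.append(f"forward lookup was for {fwd[0]}, but hostname is {local}")
    if rev[0] != fwd[1]:
        problems.append(f"PTR answer is for {rev[0]}, A record gave {fwd[1]}")
    if rev[1] != local:
        problems.append(f"PTR names {rev[1]}, but hostname is {local}")
    return problems

if __name__ == "__main__":
    for p in check_identity(HOSTNAME_OUT, FORWARD_OUT, REVERSE_OUT):
        print("MISMATCH:", p)
```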
