Help: kinit failed

vyepishov at eerc.kiev.ua
Sun Oct 30 01:16:42 PST 2005


Dear Sirs,

When I tried to add my FreeBSD machine as a domain member to an ADS domain (with
Windows Server 2003 SP1 as the domain controller), a problem with Kerberos
authentication arose. I installed the heimdal-0.6_3.2 package for Kerberos
authentication.

I used the following /etc/krb5.conf file:

[appdefaults]
encrypt = yes
forward = yes
forwardable = yes
no-addresses = yes
proxiable = yes
renew_lifetime = 70 years
ticket_lifetime = 70 years

[libdefaults]
default_realm = MY.REALM
dns_lookup_kdc = yes
dns_lookup_realm = yes
forwardable = yes
kdc_timesync = yes
proxiable = yes
renew_lifetime = 70 years
ticket_lifetime = 70 years

[domain_realm]
.my.domain = MY.REALM

[realms]
MY.REALM = {
    admin_server = controller.my.domain
    kdc = controller.my.domain:88
    kpasswd_server = controller.my.domain:464
    krb524_server = controller.my.domain
}

(this is an example file, in my real file "MY.REALM", "controller", and
"my.domain" entries are substituted with the real names).

When I tried to kinit Administrator@MY.REALM, I got the following:

Administrator@MY.REALM Password:
kinit: krb5_get_init_creds: Requested effective lifetime is negative or too
short
# klist -v
klist: No ticket file: /tmp/krb5cc_0

Then I tried to change "renew_lifetime" and "ticket_lifetime" entries in my
/etc/krb5.conf file to "700 years", and this is what I got:

# kinit Administrator@MY.REALM
Administrator@MY.REALM Password:
kinit: NOTICE: ticket renewable lifetime is SU (
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@MY.REALM
    Cache version: 4
  KDC time offset: -4 seconds

Server: krbtgt/MY.REALM@MY.REALM
Ticket etype: arcfour-hmac-md5, kvno 2
Auth time:  Oct 30 11:01:20 2005
End time:   Jan  1 03:00:00 1970 (expired)
Renew till: Jan  1 03:00:00 1970
Ticket flags: forwardable, proxiable, renewable, initial, ok-as-delegate
Addresses:

Now, the questions are: 1) Why should I have to set such a long time period for
tickets and for renewable tickets, and 2) why is the ticket obtained from my
domain controller for my FreeBSD client expired?

If you have any ideas, please write to me. I tried to figure out why this is so,
but I didn't find any sources where this case was described or what should be
done to resolve the problem.

Thank you in advance; I look forward to hearing from you.

Vadym Yepishov,
FreeBSD fan:)

P.S. I use FreeBSD 5.4



----- End forwarded message -----
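An added check for readers of this thread (editor's example; not code from the original post, from Heimdal, or from FreeBSD). It parses a krb5.conf of the shape shown above and flags ticket_lifetime / renew_lifetime values that do not fit in a signed 32-bit integer. The arithmetic is certain: "70 years" is 70 x 365 x 86400 = 2,207,520,000 seconds, above the 2,147,483,647 maximum of a 32-bit signed time value, which is consistent with kinit reporting a "negative" lifetime, and "700 years" wraps back to a positive number, which is consistent with the second attempt getting past that error. Whether the poster's heimdal-0.6 build on FreeBSD 5.4 actually overflowed at exactly that point is not established by the thread. The unit table (year = 365 days, month = 30 days) and the minimal section parser are assumptions of this example, and the two sample configs are constructed.

```python
"""Flag krb5.conf ticket/renew lifetimes that overflow a signed 32-bit
time value.  Added example for this thread; not Heimdal code."""
import re
from typing import Dict, List, Tuple

INT32_MAX = 2**31 - 1

# Duration units in the style Heimdal's parse_time accepts (year = 365 days,
# month = 30 days).  Assumption: check lib/roken/parse_time.c for your
# version if the exact factors matter.
_UNITS = {
    "": 1, "s": 1, "sec": 1, "second": 1,
    "m": 60, "min": 60, "minute": 60,
    "h": 3600, "hour": 3600,
    "d": 86400, "day": 86400,
    "w": 7 * 86400, "week": 7 * 86400,
    "month": 30 * 86400,
    "y": 365 * 86400, "year": 365 * 86400,
}


def parse_deltat(text: str) -> int:
    """Convert a Kerberos duration string ('70 years', '10h', '1d 12h',
    '3600') to seconds.  Raises ValueError on an unknown unit."""
    total = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]*)", text):
        u = unit.lower()
        if len(u) > 1 and u.endswith("s"):   # 'years' -> 'year', 'secs' -> 'sec'
            u = u[:-1]
        if u not in _UNITS:
            raise ValueError(f"unknown time unit {unit!r} in {text!r}")
        total += int(number) * _UNITS[u]
    return total


def wrap_int32(value: int) -> int:
    """What `value` becomes when stored in a signed 32-bit integer
    (two's-complement wraparound).  Illustrates the failure mode only."""
    return ((value + 2**31) % 2**32) - 2**31


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: [section] headers and key = value lines.
    Nested 'NAME = {' ... '}' blocks are flattened into the enclosing
    section, which is enough for checking lifetimes."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}" or line.endswith("{"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def lifetime_problems(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, int]]:
    """Return (section, key, raw value, seconds) for every ticket_lifetime /
    renew_lifetime in [libdefaults] or [appdefaults] that exceeds INT32_MAX."""
    problems = []
    for section in ("libdefaults", "appdefaults"):
        for key in ("ticket_lifetime", "renew_lifetime"):
            raw = conf.get(section, {}).get(key)
            if raw is None:
                continue
            seconds = parse_deltat(raw)
            if seconds > INT32_MAX:
                problems.append((section, key, raw, seconds))
    return problems


# Constructed sample: the lifetimes from the post above ...
BAD_CONF = """
[appdefaults]
renew_lifetime = 70 years
ticket_lifetime = 70 years

[libdefaults]
default_realm = MY.REALM
renew_lifetime = 70 years
ticket_lifetime = 70 years

[realms]
MY.REALM = {
    kdc = controller.my.domain:88
}
"""

# ... and the same file with lifetimes no larger than AD's default policy
# (10 hour ticket, 7 day renewal), which the KDC would honour as asked.
GOOD_CONF = (BAD_CONF.replace("renew_lifetime = 70 years", "renew_lifetime = 7d")
                     .replace("ticket_lifetime = 70 years", "ticket_lifetime = 10h"))

if __name__ == "__main__":
    for name, text in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        found = lifetime_problems(parse_krb5_conf(text))
        for section, key, raw, secs in found:
            print(f"{name}: [{section}] {key} = {raw} is {secs} s > {INT32_MAX}; "
                  f"as int32 it reads {wrap_int32(secs)}")
        if not found:
            print(f"{name}: all lifetimes fit in 32 bits")
```

Point it at /etc/krb5.conf by reading the file into `parse_krb5_conf`. Whatever the client asks for, the KDC caps ticket and renewal lifetimes at its own policy maximum (10 hours and 7 days by default on an AD domain controller), so values such as 10h / 7d are the sensible starting point; larger requests gain nothing and, as the arithmetic above shows, can produce nonsensical times when they no longer fit the integer the library stores them in.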