Help: kinit failed
vyepishov at eerc.kiev.ua
Sun Oct 30 01:16:42 PST 2005
Dear Sirs,
When I tried to add my FreeBSD machine as a domain member to an ADS domain (with
Windows Server 2003 SP1 as a domain controller), a problem with Kerberos
authentication arose. I installed the heimdal-0.6_3.2 package for Kerberos
authentication.
I used the following /etc/krb5.conf file:
[appdefaults]
        encrypt = yes
        forward = yes
        forwardable = yes
        no-addresses = yes
        proxiable = yes
        renew_lifetime = 70 years
        ticket_lifetime = 70 years
[libdefaults]
        default_realm = MY.REALM
        dns_lookup_kdc = yes
        dns_lookup_realm = yes
        forwardable = yes
        kdc_timesync = yes
        proxiable = yes
        renew_lifetime = 70 years
        ticket_lifetime = 70 years
[domain_realm]
        .my.domain = MY.REALM
[realms]
        MY.REALM = {
                admin_server = controller.my.domain
                kdc = controller.my.domain:88
                kpasswd_server = controller.my.domain:464
                krb524_server = controller.my.domain
        }
(this is an example file, in my real file "MY.REALM", "controller", and
"my.domain" entries are substituted with the real names).
When I tried to kinit Administrator@MY.REALM, I got the following:
# kinit Administrator@MY.REALM
Administrator@MY.REALM Password:
kinit: krb5_get_init_creds: Requested effective lifetime is negative or too
short
# klist -v
klist: No ticket file: /tmp/krb5cc_0
Then I tried to change "renew_lifetime" and "ticket_lifetime" entries in my
/etc/krb5.conf file to "700 years", and this is what I got:
# kinit Administrator@MY.REALM
Administrator@MY.REALM Password:
kinit: NOTICE: ticket renewable lifetime is SU (
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@MY.REALM
Cache version: 4
KDC time offset: -4 seconds
Server: krbtgt/MY.REALM@MY.REALM
Ticket etype: arcfour-hmac-md5, kvno 2
Auth time: Oct 30 11:01:20 2005
End time: Jan 1 03:00:00 1970 (expired)
Renew till: Jan 1 03:00:00 1970
Ticket flags: forwardable, proxiable, renewable, initial, ok-as-delegate
Addresses:
Now, the questions are: 1) Why should I set such a long time period for tickets and
for renewable tickets, and 2) Why is the ticket obtained from my domain
controller for my FreeBSD client expired?
If you have any ideas, please write me. I tried to figure out why this is so,
but I didn't find any sources where this case was described and what should be
done to resolve this problem.
Thank you in advance; I am looking forward to hearing from you.
Vadym Yepishov,
FreeBSD fan:)
P.S. I use FreeBSD 5.4
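An added illustration, not part of the original post: the lifetimes in the krb5.conf above, converted to seconds the way Heimdal's config parser does (365-day years, summed into a C `int`, an assumption about the parser that is made explicit in the code), are checked against the signed 32-bit range. "70 years" does not fit and becomes negative when truncated, which is consistent with the "negative or too short" error; "700 years" wraps to a positive value, so kinit no longer rejects it. Why the KDC then returned an expired ticket is not determined here.

```python
import re
import struct

INT32_MAX = 2**31 - 1

# Seconds per unit. Assumption: mirrors Heimdal's parse_time(), which
# treats a "year" as 365 days (no leap days) and a "month" as 30 days.
UNITS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}


def parse_lifetime(text: str) -> int:
    """Parse a krb5.conf lifetime like '70 years' or '10 hours 30 minutes'
    into seconds, as arbitrary-precision Python int (no overflow yet)."""
    total = 0
    for number, unit in re.findall(r"(\d+)\s*([A-Za-z]+)", text):
        unit = unit.lower().rstrip("s")        # accept 'year' or 'years'
        if unit not in UNITS:
            raise ValueError(f"unknown time unit: {unit!r}")
        total += int(number) * UNITS[unit]
    return total


def to_int32(value: int) -> int:
    """Truncate to a signed 32-bit C int, as storing the value in an
    `int` would on a 32-bit build."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def check_lifetime(text: str) -> dict:
    """Report whether a configured lifetime survives a 32-bit int field."""
    seconds = parse_lifetime(text)
    return {
        "seconds": seconds,
        "fits_int32": seconds <= INT32_MAX,
        "as_int32": to_int32(seconds),
    }


if __name__ == "__main__":
    # The two values tried in the post, plus a sane default for comparison.
    for lifetime in ("70 years", "700 years", "10 hours"):
        r = check_lifetime(lifetime)
        verdict = "ok" if r["fits_int32"] else "OVERFLOWS 32-bit int"
        print(f"{lifetime:>10}: {r['seconds']:>12d} s -> "
              f"as int32 {r['as_int32']:>12d}  {verdict}")
```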