Date: Sun, 30 Oct 2005 11:12:42 +0200
From: vyepishov@eerc.kiev.ua
To: freebsd-questions@freebsd.org
Subject: Help: kinit failed
Message-ID: <20051030111242.gzhgwqlq8044400s@mail.eerc.kiev.ua>
Dear Sirs,
When I tried to add my FreeBSD machine as a domain member to an ADS domain (with
Windows Server 2003 SP1 as the domain controller), a problem with Kerberos
authentication arose. I installed the heimdal-0.6_3.2 package for Kerberos
authentication.
I used the following /etc/krb5.conf file:
[appdefaults]
    encrypt = yes
    forward = yes
    forwardable = yes
    no-addresses = yes
    proxiable = yes
    renew_lifetime = 70 years
    ticket_lifetime = 70 years

[libdefaults]
    default_realm = MY.REALM
    dns_lookup_kdc = yes
    dns_lookup_realm = yes
    forwardable = yes
    kdc_timesync = yes
    proxiable = yes
    renew_lifetime = 70 years
    ticket_lifetime = 70 years

[domain_realm]
    .my.domain = MY.REALM

[realms]
    MY.REALM = {
        admin_server = controller.my.domain
        kdc = controller.my.domain:88
        kpasswd_server = controller.my.domain:464
        krb524_server = controller.my.domain
    }
(This is an example file; in my real file the "MY.REALM", "controller", and
"my.domain" entries are replaced with the real names.)
When I tried to kinit Administrator@MY.REALM, I got the following:

# kinit Administrator@MY.REALM
Administrator@MY.REALM Password:
kinit: krb5_get_init_creds: Requested effective lifetime is negative or too short
# klist -v
klist: No ticket file: /tmp/krb5cc_0
Then I tried changing the "renew_lifetime" and "ticket_lifetime" entries in my
/etc/krb5.conf file to "700 years", and this is what I got:
# kinit Administrator@MY.REALM
Administrator@MY.REALM Password:
kinit: NOTICE: ticket renewable lifetime is SU (
# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@MY.REALM
Cache version: 4
KDC time offset: -4 seconds
Server: krbtgt/MY.REALM@MY.REALM
Ticket etype: arcfour-hmac-md5, kvno 2
Auth time: Oct 30 11:01:20 2005
End time: Jan 1 03:00:00 1970 (expired)
Renew till: Jan 1 03:00:00 1970
Ticket flags: forwardable, proxiable, renewable, initial, ok-as-delegate
Addresses:
Now, the questions are: 1) Why do I have to set such a long time period for tickets and
for renewable tickets, and 2) Why is the ticket obtained from my domain
controller for my FreeBSD client expired?
If you have any ideas, please write to me. I tried to figure out why this is so,
but I didn't find any sources where this case was described or what should be
done to resolve this problem.
Thank you in advance; I look forward to hearing from you.
Vadym Yepishov,
FreeBSD fan:)
P.S. I use FreeBSD 5.4
----- End forwarded message -----
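The two symptoms in the post (a "negative or too short" lifetime for "70 years", and a ticket that is issued but carries a 1970 end time for "700 years") are consistent with the lifetime string being converted to a signed 32-bit count of seconds and overflowing. That is an assumption on my part, not something the post or the Heimdal documentation quoted here states. The script below is an added example, not code from the poster or from Heimdal: it parses Heimdal-style duration strings (assuming a 365-day year and 30-day month, as in Heimdal's parse_time conventions), shows what each value becomes after truncation to 32 bits, computes the largest whole-year lifetime that still fits, and scans a krb5.conf excerpt for overflowing lifetime settings. All function names are hypothetical helpers and the configuration excerpt is constructed to resemble the posted file.

```python
"""Added example: check Heimdal-style lifetime strings for 32-bit overflow.

Assumptions (not stated in the post): ticket_lifetime and renew_lifetime
end up in a signed 32-bit number of seconds (krb5_deltat), and the duration
parser counts a year as 365 days and a month as 30 days.  Every function
here is a hypothetical helper, not a Heimdal API.
"""
import re

INT32_MAX = 2**31 - 1          # largest value a signed 32-bit deltat can hold
INT32_MOD = 2**32

# Seconds per unit, assumed to follow Heimdal's parse_time conventions.
UNITS = {
    "year": 365 * 86400,
    "month": 30 * 86400,
    "week": 7 * 86400,
    "day": 86400,
    "hour": 3600,
    "minute": 60,
    "second": 1,
}
ABBREV = {"y": "year", "mo": "month", "w": "week", "d": "day",
          "h": "hour", "m": "minute", "s": "second"}

_TOKEN = re.compile(r"\s*(\d+)\s*([a-z]*)")


def _canonical_unit(unit):
    """Map 'years', 'h', 'min', '' ... to a key of UNITS ('' means seconds)."""
    if not unit:
        return "second"
    if unit in ABBREV:
        return ABBREV[unit]
    unit = unit.rstrip("s")
    for name in UNITS:
        if name.startswith(unit):   # accept prefixes such as 'min' or 'sec'
            return name
    raise ValueError(f"unknown time unit {unit!r}")


def lifetime_seconds(spec):
    """Exact (arbitrary-precision) seconds for a spec such as '70 years' or '10h 30m'."""
    spec = spec.strip().lower()
    pos, total = 0, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"cannot parse {spec!r} at offset {pos}")
        total += int(m.group(1)) * UNITS[_canonical_unit(m.group(2))]
        pos = m.end()
    return total


def to_int32(n):
    """Value of n after truncation to a signed 32-bit integer (two's complement wrap)."""
    n %= INT32_MOD
    return n - INT32_MOD if n > INT32_MAX else n


def classify(spec):
    """'ok' if the value fits; 'negative' if it wraps below zero (the shape of
    kinit's 'lifetime is negative or too short'); 'wraps' if it wraps to some
    smaller positive value the administrator never asked for."""
    exact = lifetime_seconds(spec)
    if exact <= INT32_MAX:
        return "ok"
    return "negative" if to_int32(exact) < 0 else "wraps"


def max_whole_units(unit):
    """Largest N such that 'N <unit>' still fits in a signed 32-bit deltat."""
    return INT32_MAX // UNITS[_canonical_unit(unit)]


_LIFETIME_KEYS = ("ticket_lifetime", "renew_lifetime")


def check_krb5_conf(text):
    """Scan krb5.conf text; return (section, key, value, verdict) for each
    lifetime setting that does not fit in 32 bits."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in _LIFETIME_KEYS:
            verdict = classify(value)
            if verdict != "ok":
                findings.append((section, key, value, verdict))
    return findings


# Constructed excerpt modelled on the posted configuration (not the real file).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = MY.REALM
    ticket_lifetime = 70 years
    renew_lifetime = 70 years
[appdefaults]
    ticket_lifetime = 700 years
    renew_lifetime = 7d
"""

if __name__ == "__main__":
    for spec in ("70 years", "700 years", "10h", "7d"):
        exact = lifetime_seconds(spec)
        print(f"{spec:>10}: {exact:>14,} s -> int32 {to_int32(exact):>14,}  [{classify(spec)}]")
    print("largest whole-year lifetime that fits:", max_whole_units("year"), "years")
    for finding in check_krb5_conf(SAMPLE_CONF):
        print("overflow:", finding)
```

Under these assumptions "70 years" is 2,207,520,000 seconds, which truncates to -2,087,447,296 and is rejected as negative, while "700 years" truncates to 600,363,520 seconds (about 19 years) and so gets past the client-side check; 68 years is the largest whole-year value that fits. Independently of any overflow, an Active Directory KDC enforces its own domain Kerberos policy (by default a 10-hour maximum user ticket lifetime and a 7-day maximum renewal period), so a client-side request for decades-long tickets is clamped by the DC anyway and buys nothing.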