From owner-freebsd-questions@FreeBSD.ORG Sun Oct 30 09:16:42 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C99316A41F for ; Sun, 30 Oct 2005 09:16:42 +0000 (GMT) (envelope-from vyepishov@eerc.kiev.ua)
Received: from kitty.eerc.kiev.ua (kitty.eerc.kiev.ua [195.230.130.137]) by mx1.FreeBSD.org (Postfix) with SMTP id 53A8C43D45 for ; Sun, 30 Oct 2005 09:16:41 +0000 (GMT) (envelope-from vyepishov@eerc.kiev.ua)
Received: (qmail 67542 invoked by uid 1001); 30 Oct 2005 09:12:42 -0000
Received: from 82.207.96.24 ([82.207.96.24]) by mail.eerc.kiev.ua (Horde MIME library) with HTTP; Sun, 30 Oct 2005 11:12:42 +0200
Message-ID: <20051030111242.gzhgwqlq8044400s@mail.eerc.kiev.ua>
Date: Sun, 30 Oct 2005 11:12:42 +0200
From: vyepishov@eerc.kiev.ua
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3)
X-Originating-IP: 82.207.96.24
X-Mailman-Approved-At: Sun, 30 Oct 2005 13:23:53 +0000
Subject: Help: kinit failed
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 30 Oct 2005 09:16:42 -0000

Dear Sirs,

When I tried to add my FreeBSD machine as a domain member to an ADS domain (with Windows Server 2003 SP1 as a domain controller), a problem with Kerberos authentication arose. I installed the heimdal-0.6_3.2 package for Kerberos authentication.

I used the following /etc/krb5.conf file:

    [appdefaults]
        encrypt = yes
        forward = yes
        forwardable = yes
        no-addresses = yes
        proxiable = yes
        renew_lifetime = 70 years
        ticket_lifetime = 70 years
    [libdefaults]
        default_realm = MY.REALM
        dns_lookup_kdc = yes
        dns_lookup_realm = yes
        forwardable = yes
        kdc_timesync = yes
        proxiable = yes
        renew_lifetime = 70 years
        ticket_lifetime = 70 years
    [domain_realm]
        .my.domain = MY.REALM
    [realms]
        MY.REALM = {
            admin_server = controller.my.domain
            kdc = controller.my.domain:88
            kpasswd_server = controller.my.domain:464
            krb524_server = controller.my.domain
        }

(This is an example file; in my real file the "MY.REALM", "controller", and "my.domain" entries are substituted with the real names.)

When I tried to kinit Administrator@MY.REALM, I got the following:

    Administrator@MY.REALM Password:
    kinit: krb5_get_init_creds: Requested effective lifetime is negative or too short
    # klist -v
    klist: No ticket file: /tmp/krb5cc_0

Then I tried to change the "renew_lifetime" and "ticket_lifetime" entries in my /etc/krb5.conf file to "700 years", and this is what I got:

    # kinit Administrator@MY.REALM
    Administrator@MY.REALM Password:
    kinit: NOTICE: ticket renewable lifetime is SU (
    # klist -v
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: Administrator@MY.REALM
    Cache version: 4
    KDC time offset: -4 seconds
    Server: krbtgt/MY.REALM@MY.REALM
    Ticket etype: arcfour-hmac-md5, kvno 2
    Auth time: Oct 30 11:01:20 2005
    End time: Jan 1 03:00:00 1970 (expired)
    Renew till: Jan 1 03:00:00 1970
    Ticket flags: forwardable, proxiable, renewable, initial, ok-as-delegate
    Addresses:

Now, the questions are:

1) Why should I set such a long time period for tickets and for renewable tickets, and
2) Why is the ticket obtained from my domain controller for my FreeBSD client expired?

If You have any ideas, please write me. I tried to figure out why this is so, but I didn't find any sources where this case was described and what should be done to resolve this problem.

Thank You in advance, and looking forward to hearing from You.

Vadym Yepishov, FreeBSD fan:)

P.S. I use FreeBSD 5.4

----- End forwarded message -----
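An added example, not part of Vadym's message and not Heimdal's code: a small Python checker that converts krb5.conf lifetime strings such as "70 years" to seconds and flags values that do not fit a signed 32-bit integer. The unit table (365-day year, 30-day month, single-letter abbreviations) and the conf scanner are my own approximation of the krb5.conf time syntax, not Heimdal's parser; the sample configuration and the epoch value are constructed. It shows that "70 years" is 2,207,520,000 seconds, above the 2,147,483,647 maximum of a 32-bit signed value, so a lifetime held in such a type reads as a negative number, which is consistent with the "Requested effective lifetime is negative or too short" message. That a 32-bit overflow is what the Heimdal 0.6 build on FreeBSD 5.4 actually hit is an inference from the arithmetic, not something the message states.

```python
import re
import time

INT32_MAX = 2 ** 31 - 1

# Unit multipliers in seconds. Assumption: modelled on the units a krb5.conf
# time string accepts (365-day year, 30-day month); not Heimdal's own table.
UNITS = {
    "second": 1,
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "month": 30 * 86400,
    "year": 365 * 86400,
}
ALIASES = {"s": "second", "m": "minute", "h": "hour", "d": "day", "w": "week", "y": "year"}

_TOKEN = re.compile(r"\s*(\d+)\s*([A-Za-z]*)")


def _unit_seconds(unit):
    """Map a unit word ('years', 'h', or '' for bare seconds) to a multiplier."""
    unit = unit.lower()
    if unit == "":
        return 1
    if unit in ALIASES:
        return UNITS[ALIASES[unit]]
    if unit.endswith("s") and unit[:-1] in UNITS:  # plural form
        return UNITS[unit[:-1]]
    if unit in UNITS:
        return UNITS[unit]
    raise ValueError(f"unknown time unit {unit!r}")


def parse_lifetime(text):
    """Convert a lifetime string such as '70 years' or '1h 30m' to seconds."""
    total, pos, text = 0, 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse lifetime {text!r}")
        total += int(m.group(1)) * _unit_seconds(m.group(2))
        pos = m.end()
    return total


def as_int32(value):
    """The value a C 'int' or 32-bit time_t would hold after wrap-around."""
    return (value + 2 ** 31) % 2 ** 32 - 2 ** 31


def check_lifetime(text, now=None):
    """Report whether a lifetime is safe for 32-bit integer arithmetic."""
    seconds = parse_lifetime(text)
    now = int(time.time()) if now is None else now
    return {
        "seconds": seconds,
        "fits_int32": seconds <= INT32_MAX,
        "as_int32": as_int32(seconds),            # what a 32-bit int would see
        "end_time32": as_int32(now + seconds),    # expiry as a 32-bit time_t
        "end_fits_time32": now + seconds <= INT32_MAX,
    }


_LIFETIME_KEY = re.compile(r"^\s*(ticket_lifetime|renew_lifetime)\s*=\s*(.+?)\s*$")


def audit_krb5_conf(conf_text, now=None):
    """Scan krb5.conf text; return (section, key, value, seconds, fits) per setting."""
    findings, section = [], None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        m = _LIFETIME_KEY.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            result = check_lifetime(value, now)
            findings.append((section, key, value, result["seconds"], result["fits_int32"]))
    return findings


# Constructed sample mirroring the lifetime settings in the message above,
# with one sane value added for contrast.
SAMPLE_CONF = """\
[appdefaults]
    renew_lifetime = 70 years
    ticket_lifetime = 70 years
[libdefaults]
    default_realm = MY.REALM
    renew_lifetime = 70 years
    ticket_lifetime = 10 hours
"""

if __name__ == "__main__":
    for section, key, value, secs, ok in audit_krb5_conf(SAMPLE_CONF):
        status = "ok" if ok else f"OVERFLOWS 32-bit int (reads as {as_int32(secs)})"
        print(f"[{section}] {key} = {value!r}: {secs} s, {status}")
```

Run it over a real /etc/krb5.conf before deploying a client, or keep it in a config-lint step. Beyond the overflow, a KDC enforces its own maximum ticket and renewal lifetimes (Active Directory's defaults are 10 hours and 7 days), so requesting decades gains nothing, and a short ticket lifetime limits how long a copied credentials cache remains usable.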