On 4/4/2012 4:36 PM, Simon Dwyer wrote:
> Hi All,
>
> I have been banging my head against this for a few weeks now.
>
> I am trying to use squid with kerberos and so I need to get my machine
> into the Active Directory domain.
>
> My config follows: http://pastebin.com/PNTwGKLf
>
> The output for when I run msktutil: http://pastebin.com/aQQavMJd

It looks like it cannot change the password in AD.

  Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)

Did dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL get added to AD?
If not, does [email protected] have admin rights in AD to create
computer accounts?

Try adding in krb5.conf:

  [libdefaults]
    udp_preference_limit = 1

This will force TCP. AD tickets are always large.

Change in krb5.conf:

  admin_server = dc-hbt-01.example.internal

to

  admin_server = dc-hbt-01.example.internal:749

(Make sure it can find the password change service.)

Other thing: Are both dc-hbt-01.example.internal and
dc-hbt-02.example.internal running?

If none of the above help, a Wireshark trace (i.e. tcpdump) might help.

This is most likely not your problem, but do you need DES?
I see the krb5.conf has allow_weak_crypto = true.

  ldap_set_supportedEncryptionTypes: DEE dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28

will set msDS_supportedEncryptionTypes to use RC4 and AES-128 and AES-256.
The msktutil --enctypes option can override this.

http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx

>
> This is a fresh install of centos 6.2 with a self compiled version of
> krb 1.10.1 .
>
> I can change passwords with the kpassword command.
>
> I can upload the tcpdump to cloudshark if this would help.
>
> Cheers,
>
> Simon Dwyer
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
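
Added example, not part of the original message and not msktutil's own code: a small Python decoder for the old=7 / new=28 values in the ldap_set_supportedEncryptionTypes line quoted above, using the msDS-SupportedEncryptionTypes bit flags documented at the MSDN link. The function names and the regular expression are assumptions made for this illustration; bits above 0x10 are reported but not decoded.

```python
import re

# Bit flags of msDS-SupportedEncryptionTypes (see the MSDN page linked above).
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_MASK = 0x01 | 0x02          # the single-DES enctypes
DECODED_MASK = sum(ENCTYPE_BITS)  # 0x1F: every bit this example names

# Pattern for the msktutil verbose line (an assumption based on the quoted line).
LINE_RE = re.compile(
    r"ldap_set_supportedEncryptionTypes:.*?dn=(?P<dn>\S+)"
    r"\s+old=(?P<old>\d+)\s+new=(?P<new>\d+)"
)

# The line quoted in the message.
SAMPLE = ("ldap_set_supportedEncryptionTypes: DEE "
          "dn=cn=ns1,CN=COMPUTERS,dc=EXAMPLE,dc=INTERNAL old=7 new=28")


def decode_enctypes(value):
    """Return (enctype names, leftover bits not decoded here)."""
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    return names, value & ~DECODED_MASK


def analyze_line(line):
    """Parse one log line and describe the enctype change it records."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an ldap_set_supportedEncryptionTypes line")
    old, new = int(m["old"]), int(m["new"])
    old_names, _ = decode_enctypes(old)
    new_names, leftover = decode_enctypes(new)
    return {
        "dn": m["dn"],
        "old": old_names,
        "new": new_names,
        "removed": [n for n in old_names if n not in new_names],
        "added": [n for n in new_names if n not in old_names],
        "des_enabled_after": bool(new & WEAK_MASK),
        "undecoded_bits": leftover,
    }


if __name__ == "__main__":
    for key, val in analyze_line(SAMPLE).items():
        print(f"{key}: {val}")
```

With new=28 the DES bits are cleared on the computer account, so allow_weak_crypto = true in krb5.conf is only needed if something else in the realm still requires DES.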
