On Thu, Apr 5, 2012 at 8:20 AM, Douglas E. Engert <[email protected]> wrote: > > On 4/4/2012 4:36 PM, Simon Dwyer wrote: >> Hi All, >> >> I have been banging my head against this for a few weeks now. >> >> I am trying to use squid with kerberos and so i need to get my machine >> into the Active Directory domain. >> >> My config follows: http://pastebin.com/PNTwGKLf >> >> The output for when i run msktutil: http://pastebin.com/aQQavMJd > > It looks like it can not change the password in AD. > Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for > requested realm)
The error text is sort of misleading. There was a bug in MIT Kerberos 1.9 that causes this function to fail in certain AD scenarios. The client sends a TGS-REQ is for "kadmin/changepw", but AD responds with a TGT. It's fixed by https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a, but this patch is not in RHEL 6.2's kerberos libraries. If you have a support contract with Red Hat and you are experiencing this issue in your environment, I encourage you to file a support request with them to get this patch into RHEL 6's krb5 package. - Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
