On 4/5/2012 10:35 AM, Ken Dreyer wrote:
> On Thu, Apr 5, 2012 at 8:20 AM, Douglas E. Engert <[email protected]> wrote:
>>
>> On 4/4/2012 4:36 PM, Simon Dwyer wrote:
>>> Hi All,
>>>
>>> I have been banging my head against this for a few weeks now.
>>>
>>> I am trying to use squid with kerberos and so I need to get my machine
>>> into the Active Directory domain.
>>>
>>> My config follows: http://pastebin.com/PNTwGKLf
>>>
>>> The output for when I run msktutil: http://pastebin.com/aQQavMJd
>>
>> It looks like it cannot change the password in AD.
>> Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
>> requested realm)
>
> The error text is sort of misleading. There was a bug in MIT Kerberos
> 1.9 that causes this function to fail in certain AD scenarios. The
> client sends a TGS-REQ for "kadmin/changepw", but AD responds with
> a TGT. It's fixed by
> https://github.com/krb5/krb5-anonsvn/commit/1c885dbaab63c29ffcf4d455a75f3ba26ca1fd1a,
> but this patch is not in RHEL 6.2's kerberos libraries.
>
> If you have a support contract with Red Hat and you are experiencing
> this issue in your environment, I encourage you to file a support
> request with them to get this patch into RHEL 6's krb5 package.

Ken,
I was responding to the original message, as one of the early developers
of msktutil, I did not see that you had found the bug yesterday.
But good to know there is a fix.

>
> - Ken
>
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
