
Work in progress

This site is in the process of being reviewed and updated.

Kerberos configuration

This document uses EXAMPLE.COM wherever you should type your Active Directory domain name (keep the case as shown: upper case where the article uses upper case, lower case where it does not), controller wherever the PDC hostname is needed, and 10.0.0.1 wherever the Active Directory PDC IP address is needed.

The Kerberos libraries use DNS to locate the key distribution center (KDC) automatically.

Adding a nameserver entry at the top of /etc/resolv.conf should be all the configuration the Kerberos libraries need. The nameserver IP address should be that of the Windows 2003 Active Directory PDC, which in this document is 10.0.0.1:

nameserver 10.0.0.1

You can test your Kerberos setup by requesting a Kerberos ticket for the Active Directory domain Administrator:

kinit Administrator@EXAMPLE.COM

Common errors

kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

The Kerberos libraries could not find a KDC for the EXAMPLE.COM realm. Check your /etc/resolv.conf settings and make sure the Active Directory PDC is listed above all other nameserver entries. If you would rather not change your nameserver settings, create /etc/krb5.conf with the following contents, which name the KDC explicitly instead of relying on DNS:

      [libdefaults]
          default_realm = EXAMPLE.COM

      [realms]
          EXAMPLE.COM = {
              # hostname (or IP address) of the Active Directory PDC
              kdc = kdc.example.com
          }

      # hosts in the example.com DNS domain belong to the EXAMPLE.COM realm
      [domain_realm]
          .example.com = EXAMPLE.COM
          example.com = EXAMPLE.COM
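
To see why a krb5.conf like this can still produce "unable to reach any KDC", here is an added Python example (not from this page or from any Kerberos library) with a minimal parser for the krb5.conf format, the domain_realm suffix lookup libkrb5 performs, and a small lint pass. It assumes the common MIT/Heimdal section names listed in KNOWN_SECTIONS, a single level of { } nesting, and constructed sample fragments; the fallback to DNS when no mapping matches is left out.

```python
# Section names libkrb5 reads (assumption: the common MIT/Heimdal set); others are ignored.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}

def parse_krb5_conf(text):
    """Parse [section] headers, 'key = value' lines and one level of 'name = { ... }' blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):                       # e.g. 'EXAMPLE.COM = {'
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        else:                                          # keys may repeat (several kdc lines)
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_for_host(conf, host):
    """domain_realm lookup: the exact host first, then each parent domain with a leading dot."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in candidates:
        if key in mapping:
            return mapping[key][0]
    return None                                        # libkrb5 would fall back to DNS or guessing

def lint(conf):
    """Findings that explain an 'unable to reach any KDC' error before kinit is even run."""
    findings = [f"unknown section [{s}] is ignored" for s in conf if s not in KNOWN_SECTIONS]
    for realm in conf.get("libdefaults", {}).get("default_realm", []):
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            findings.append(f"no kdc for default_realm {realm}: DNS SRV lookup must work")
    return findings

# Constructed samples: misspelled section plus too narrow a mapping, section fixed, fully fixed.
TYPO_CONF = ("[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n"
             "  kdc = kdc.example.com\n }\n[domain_realms]\n .kdc.example.com = EXAMPLE.COM\n")
NARROW_CONF = TYPO_CONF.replace("[domain_realms]", "[domain_realm]")
GOOD_CONF = NARROW_CONF.replace(".kdc.example.com", ".example.com")
if __name__ == "__main__":
    print(lint(parse_krb5_conf(TYPO_CONF)))            # ['unknown section [domain_realms] is ignored']
    print(realm_for_host(parse_krb5_conf(NARROW_CONF), "fileserver.example.com"))  # None
```

With the narrow mapping, a member server such as fileserver.example.com maps to no realm at all, which is the same symptom as a missing KDC; the .example.com mapping in GOOD_CONF covers every host in the domain.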

kinit: krb5_get_init_creds: Client (Administrator@EXAMPLE.COM) unknown

This error means there is no user named Administrator in your Windows 2003 Active Directory, usually because the built-in Administrator account was renamed for security reasons, which is common practice. Replace Administrator with another existing user that has the right to join machines to the Active Directory domain.
