Hi,

I'm in the process of setting up a small network using SuSE 8.2 pro - as this network needs the ability to scale rapidly in the future, and to be as unobstructive as possible to end users, I decided to build it round a Kerberos/LDAP authentication system.

Following the instructions in the SuSE 8.2 Admin Guide, I've created a Kerberos realm named the same as my internal DNS domain, but upper case, and can obtain tickets from this using kinit on the local machine. However, I can't obtain a ticket from a remote machine, instead getting the following error:

    Exception: krb_error 38 Incorrect net address (38) Incorrect net address
    KrbException: Incorrect net address (38)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:129)
        at sun.security.krb5.internal.au.a(DashoA6275:58)
        at sun.security.krb5.internal.au.<init>(DashoA6275:53)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
        ... 4 more

As far as I can see, everything is set up correctly in the local /etc/krb.conf. The default_realm is correct, there is a realms entry for it giving the FQDN of the Kerberos server for kdc, kpasswd_server and admin_server. I did attempt to set up Kerberos via DNS but got a message saying it couldn't identify the kdc, so it's presumably getting further than that now - I'll have another go at the DNS route once I know the basics are working.

I've searched the web trying to find out what the above error actually means, and drawn a blank - can anyone enlighten me?

If it's any help I can post details from the actual configuration files - this is tucked away on a private network, so there's no real risk, and I can change everything afterwards once I know how to do it.

TIA,
--
Geoff Beaumont
Geoff@stormhammer.com

On Monday 21 April 2003 18:55, Geoff Beaumont wrote:
> 8<
> Following the instructions in the SuSE 8.2 Admin Guide, I've created a Kerberos realm named the same as my internal DNS domain, but upper case, and can obtain tickets from this using kinit on the local machine. However, I can't obtain a ticket from a remote machine, instead getting the following error:
> 8<

If there isn't anyone on this list with experience of using Kerberos on SuSE, can anyone suggest a good place to ask for help with this? I'd like to make sure I haven't made any configuration errors before I raise a support issue with SuSE.

Cheers,
--
Geoff Beaumont
Geoff@stormhammer.com

On Wednesday 23 April 2003 17:49, Geoff Beaumont wrote:
> On Monday 21 April 2003 18:55, Geoff Beaumont wrote:
> > 8<
> > Following the instructions in the SuSE 8.2 Admin Guide, I've created a Kerberos realm named the same as my internal DNS domain, but upper case, and can obtain tickets from this using kinit on the local machine. However, I can't obtain a ticket from a remote machine, instead getting the following error:
> > 8<
> If there isn't anyone on this list with experience of using Kerberos on SuSE, can anyone suggest a good place to ask for help with this? I'd like to make sure I haven't made any configuration errors before I raise a support issue with SuSE.

It turned out the problem I was having with Kerberos authentication was caused by the fact that the client machine was using kinit from the Java Runtime Environment - even setting up a Kerberos Client with YaST2 doesn't install the Heimdal client (you have to manually install the heimdal package). The Java one doesn't work (I haven't investigated why, could just be that it uses different configuration files to that described in the manual and used by YaST). Even with heimdal installed, the Java version is still found first on the path, which seems to me a pretty serious bug, given it doesn't work.

--
Geoff Beaumont
Geoff@stormhammer.com
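
An added example, not part of the original thread: a shell check for the situation described in the last message, where more than one kinit is installed and the JRE's copy is found first on the PATH. The function names are hypothetical, and treating a directory that also contains a `java` launcher as a JRE directory is an assumption made for this sketch.

```shell
#!/bin/sh
# Audit which kinit a shell would run, in PATH search order.

# list_kinit PATHSTRING: print every executable file named kinit, in search order.
list_kinit() {
    old_ifs=$IFS
    IFS=:
    set -f                       # no glob expansion while splitting the PATH string
    for dir in $1; do
        [ -n "$dir" ] || dir=.   # an empty PATH component means the current directory
        if [ -f "$dir/kinit" ] && [ -x "$dir/kinit" ]; then
            printf '%s\n' "$dir/kinit"
        fi
    done
    set +f
    IFS=$old_ifs
}

# looks_like_jre FILE: true when the same directory also holds a java launcher
# (heuristic assumed for this example).
looks_like_jre() {
    [ -x "$(dirname "$1")/java" ]
}

# first_kinit_verdict PATHSTRING: print "none", "jre <path>" or "ok <path>"
# for the kinit that wins PATH resolution.
first_kinit_verdict() {
    first=$(list_kinit "$1" | head -n 1)
    if [ -z "$first" ]; then
        echo "none"
    elif looks_like_jre "$first"; then
        echo "jre $first"
    else
        echo "ok $first"
    fi
}

# Report for the current environment.
echo "kinit candidates, in search order:"
list_kinit "$PATH"
echo "verdict: $(first_kinit_verdict "$PATH")"
```

A "jre" verdict means the Kerberos package's kinit has to be called by full path, or its directory moved ahead of the JRE's in PATH.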